In the half-decade that has lapsed since Dorkbot was first identified, millions of innocent victims, going about their everyday business, have been affected in over 190 countries. It has, quite literally, wormed its malicious way into computer systems throughout the world, showing absolute disregard for anyone caught in its way. The information security industry has been all too aware of this.
Which is why, behind the scenes, professionals have been busy figuring out how to effectively tackle the threat, detected as Win32/Dorkbot. All that hard work finally had a big pay-off and towards the end of 2015, a notable breakthrough was achieved. ESET, along with Microsoft, CERT.PL and numerous law enforcement bodies (FBI, Interpol and Europol) around the world, dealt a bloody blow to this global menace.
Collectively, this team of experts disrupted the Dorkbot infrastructure, “sinking” its command and control servers (C&C), as ESET’s Jean-Ian Boutin put it. In Asia, Europe and North America, cybercriminals were left reeling by this response. Moreover, the high-tech operation also resulted in the seizure of domains, meaning that a botnet operators’ ability to take control of their victim’s computer had been impacted.
All in all, it was, in the run-up to Christmas – news was made public at the start of December – a nice, early festive present … for all. And while the battle continues, this remains an important victory for internet users.
The beginnings of Dorkbot
It was in April 2011 that the first variant of Dorkbot appeared. This wasn’t that widely spread. However, a month later, another variant took things to another level. This was, as noted by ESET’s Pablo Ramos in a 2012 paper entitled Dorkbot: Hunting Zombies in Latin America, as “the most used malware variant”. Its main functionalities, he reported, included social network spreading. Out of all malware, that year it would have the biggest impact on users in Latin America. Its prevalence is extraordinary.
Mr. Ramos, who presented his findings in Dallas at Virus Bulletin Conference in 2012, explained why: “One of the main reasons for the concentration of infections in Latin America is the lack of education in security topics and the widespread lack of recognition that threats can use social networks for spreading. Dorkbot can be found on one out of every ten computers in Latin America.”
Gaining attention around the world
It was still regional that year, but, in 2012, Dorkbot finally gained international notoriety by successfully attacking millions of users of Skype. Victims this time were global in scope. A large reason for its success in propagating malware was down to the fact that users of this app-based video chat service were, at the time, less suspicious about cyber threats.
Users would receive what was ultimately a corrupted link that had appeared to come from someone on their contact list – someone they usually trusted. The message preceding the link went something like “is this your new profile pic?” It seemed innocent enough. However, on clicking the link, a trojan was inadvertently downloaded. In this case, the malicious software tended to be of the ransomware variety.
Some of the characteristics of Dorkbot
Encryption of files isn’t the only tool in its arsenal. Dorkbot also installs additional software onto computers and it steals personal information like passwords and usernames. It is highly effective and can be spread through various channels, including removable media like USB sticks, via social media, through spam and exploit kits.
The principal focus of the worm is to ultimately serve as a backdoor, allowing cybercriminals remote access to infected systems via C&C servers. The typical installation scenario runs something like this:
Once executed, the malware copies itself in %appdata%\%variable%.exe. Then, to ensure it is executed on every system start, it sets up a hidden registry entry. Instead of %variable%, a string with variable content is used. The worm then develops and runs a new thread with its own program code. None of this is visible to users.
An active threat to be wary of
Dorkbot has now been active for five, long years. You could describe it as old, but that isn’t technically correct as it continues to reinvent itself, as Mr. Boutin explained last year. It does use “old tricks” though - that’s the key takeaway.
Thousands of detections continue to be made on a weekly basis, the ESET malware researcher said last year, with incidents popping up around the world. Fresh samples “arrive daily” and it is this persistence that “made it a viable target for a disruption effort”.
Unfortunately, as with most threats of this kind, awareness of being compromised comes too late (as the millions of victims will testify). Users simply wake up one morning to find that their files are locked with a pop-up message on their screen demanding a fee within short period of time. Or that they go to check their bank account balance and find that they have been wiped clean.
In the absence of these unfortunate incidents, a thorough scan that detects and cleans up your system is perhaps the chief way that individuals are going to uncover and remediate the presence of the worm, as highlighted by Mr. Boutin. Prevention is always key, so users with an up-to-date security solution are already in a good place, as are those who abide by best practice security.
Beyond all this, knowing that their are individuals at organizations like ESET, Europol’s European Cybercrime Centre and Interpol working hard to eradicate the threat at its very core, is reassuring. There are, after all, much more technical and complicated barriers to overcome, which require a level of expertise that only seasoned professionals possess. It’s a collaborative effort, one that can be very effective.
“Botnets like Dorkbot have victimised users worldwide, which is why a global law enforcement team approach working with the private sector is so important,” said Wil van Gemert, deputy director of operations at Europol, in December.
“Europol is pleased to join forces with its law enforcement and private sector partners to defeat malicious botnets that have the potential to impact millions of victims.”
Dorkbot had better watch out.