The information-stealing, botnet-building worm known as Dorkbot (Win32/Dorkbot) is one of the most active threats in Latin America. Ever since we started to investigate this worm, we have been able to identify different dissemination campaigns, the ultimate aim of which is stealing sensitive information such as login names and passwords from its victims. Most of these campaigns have the same structure but target different countries, and use different techniques.
In recent weeks we have seen new Dorkbot outbreaks in Mexico, Chile and Peru, so we decided to give a little attention to detection statistics, especially in Latin America. ESET Virus Radar statistics show that even in the last month, there hasn’t been much change in detection rates as broken down by region: Dorkbot infection rates seem to remain stable, and Latin America is the most affected region.
This pattern has been fairly consistent since the end of 2011, when this worm reached its highest peak. If we try to review Dorkbot's Timeline it is quite clear that it still maintains the same levels of detections that it showed almost a year ago. Dorkbot has been in the Top Ten Threats for more than a year, and it is still there. For more than a few reasons this worm is able to infect user’s computers and intrude into their activities in order to steal private information, including their credentials for accessing social networks home banking data.
During 2012, statistics show that 54% of Dorkbot detections have been in Latin America, 25% in Asia while the third place is held by Europe with 18%. For Oceania, Africa and North America reports have been less than 2%. The techniques used by Dorkbot in order to spread differ according to region; however, it is commonly being spread through infected web pages, removable media, or social engineering.
One of the most recent variants included a module designed to use Skype as a vector for spreading in the same way Dorkbot was already doing with Windows Live Messenger, Twitter private messages, and Facebook chat. When the news came out at the beginning of October, detection rates did not change so much, at least not as dramatically as they did in a year ago.
As we’ve explained before, Dorkbot is widely distributed through all the countries in Latin America, with Mexico, Peru and Colombia as the most affected countries in terms of detection levels. Most of the distribution campaigns are based on fake emails offering brand new phones or discounts for flight tickets.
For these kinds of attack, cybercriminals prefer to set up a fake server for C&C (Command and Control) or for phishing pages. Dorkbot communicates with the control server using the IRC protocol, and supports SSL, but in certain cases attackers do not use any kind of encryption and all the network traffic can be captured using a sniffer.
Distribution campaigns are generally short, and they switch from one server to another at very short intervals. In one of the campaigns that were spreading in Mexico a few weeks ago, the attacker logged all malware downloads, so it was possible to quantify exactly how often it was downloaded and the number of possible infections:
This campaign was detected during the last week of October, and according to the data stored in the server there are around 800 downloads from Mexican IP addresses out of a total of more than 1200 downloads. (MD5: ece6f118468dfa974eefcfb816390567)
Once an infected computer connected to the server no further commands were received and no subsequent malware updates were sent. All infected computers forward the information they capture to the IRC server from which the attacker can retrieve it. Dorkbot is designed to steal login credentials for more than 40 different websites, also capturing POP3 (email) and FTP (file transfer) information from the infected computers.
Most of the active campaigns detected in Latin America are being used by cybercriminals to steal home banking credentials from their victims. to this end, a list of the targeted URLs and phishing server is sent to the bot every time it connects to the C&C:
The list contains six different URLs from Chilean banks, to which users will be redirected when they try to access to their accounts. (MD5: f63615c2f8c4b4ed6f8a5ca4cd9b5394 8c0b4b9f80a3c716394371cdf91603ca)
Dorkbot activity is still high in Latin America and in countries such as Mexico, Peru, Chile, Guatemala and Ecuador, Dorkbot is the threat most detected. This worm spreads through removable devices, social networks and infected web pages using social engineering in order to deceive users and compromise their systems.
For those users that have been a victim of this worm we have made available a Win32/Dorkbot.B cleaner to remove this threat from your computer. If your computer has been infected by this worm, please remember to change all your passwords.
Pablo Ramos
Security Researcher