
Law enforcement authorities dismantled the Dorkbot botnet

ESET assisted Microsoft, the Polish CERT and law enforcement agencies around the world in eliminating the Dorkbot botnet by sinkholing the botnet's C&C servers. We are publishing an overview technical analysis of this malware, some infection statistics and information about its C&C servers.



To provide the necessary assistance in eliminating this botnet, we drew on our long experience of tracking this threat and protecting users from it. Exhaustive information about this threat was presented in 2012 by ESET researcher Pablo Ramos at the Virus Bulletin conference.
Using Dorkbot, the attackers managed to infect many users in more than 200 countries around the world. The malware is detected by ESET products as Win32/Dorkbot and has been distributed via social networks, spam emails, exploit kits and removable media. Once installed on a PC, Dorkbot disrupts the installed antivirus products by blocking their access to updates. The bot uses the IRC protocol to receive instructions from the attackers.

In addition to functions familiar from other Trojans, such as stealing passwords for popular services like Facebook and Twitter, Dorkbot specializes in installing one or more additional malicious programs on the compromised system. We have observed the bot installing Win32/Kasidet (Neutrino bot) and Win32/Lethic. The first is used by attackers to conduct DDoS attacks, and the second is a spam bot.

Dorkbot is still very common in many countries around the world. Every week we observe thousands of user infections with this malware, and fresh bot samples arrive in our antivirus lab every day. Not surprisingly, Dorkbot has become a target of law enforcement. To check your system for a Dorkbot infection and remove it, use our free tool, Dorkbot Cleaner.


Fig. Geographic distribution of Dorkbot infections.

The diagram below shows the various components used in the latest versions of Dorkbot that we were able to analyze.



Consider a typical infection through a removable USB drive, which helps illustrate the role of each module. Because Dorkbot searches for removable media connected to an infected system in order to compromise them, many of our samples of this malware came from removable media. Two types of Dorkbot files were found on them: the dropper executable and .LNK files with enticing names that point to the dropper.

When the user launches Dorkbot from the USB drive (detected by ESET products as Win32/Dorkbot.I), it tries to download the main component of the malware from a remote server whose address is hardcoded in the dropper executable. The downloaded file is heavily packed; its code unpacks and executes the Win32/Dorkbot.L executable, a simple wrapper used to install the main component. The main component, detected by us as Win32/Dorkbot.B, is responsible for communicating with the remote IRC server. The wrapper also hooks the DnsQuery API function called by the main component. Dorkbot uses this technique to make it harder for antivirus analysts to discover the domains of the real C&C servers, because the component that is launched does not itself contain their addresses. When it tries to resolve a domain through DnsQuery, the call is intercepted and the wrapper substitutes the address of the real C&C server for the domain argument passed to the API.

Once installation is complete, the bot tries to connect to the IRC server and waits for commands from the attackers on a fixed channel. Typically the bot receives commands to download and execute the additional malware mentioned above.

The Dorkbot botnet has been active for a long time and the attackers have used it successfully to this day. Its C&C infrastructure is one of those monitored by ESET specialists. Such information is very important for tracking changes in the malware's behaviour and for accumulating intelligence about it for use by law enforcement agencies.

Dorkbot uses no new methods to compromise systems. Users should be careful when opening files on removable media, as well as files received via email and social networks. To check your system for a Dorkbot infection, you can use our free tool from here. To date, ESET antivirus products have detected thousands of different variants of Dorkbot, as well as the malware files distributed by this botnet.

The following are examples of URLs, or their components, targeted by Dorkbot's password-stealing component.

*paypal.*
*google.*
*aol.*
*screenname.aol.*
*bigstring.*
*fastmail.*
*gmx.*
*login.live.*
*login.yahoo.*
*facebook.*
*hackforums.*
*steampowered*
*no-ip*
*dyndns*
*runescape*
*.moneybookers.*
*twitter.com/sessions*
*secure.logmein.*
*officebanking.cl/*
*signin.ebay*
*depositfiles.*
*megaupload.*
*sendspace.com/login*
*mediafire.com/*
*freakshare.com/login*
*netload.in/index*
*4shared.com/login*
*hotfile.com/login*
*fileserv.com/login*
*uploading.com/*
*uploaded.to/*
*filesonic.com/*
*oron.com/login*
*what.cd/login*
*letitbit.net*
*sms4file.com/*
*vip-file.com/*
*torrentleech.org/*
*thepiratebay.org/login*
*netflix.com/*
*alertpay.com/login*
*godaddy.com/login*
*namecheap.com/*
*moniker.com/*
*1and1.com/xml/config*
*enom.com/login*
*dotster.com/*
*webnames.ru/*
*:2082/login* (possibly targeting cPanel)
*:2083/login* (possibly targeting cPanel)
*:2086/login* (possibly targeting GNUnet)
*whcms*
*:2222/CMD_LOGIN* (possibly targeting DirectAdmin)
*bcointernacional*
*members.brazzers.com*
*youporn.*
*members*
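As an added example (not code from the original article or from ESET), the following Python triage helper turns a subset of the target patterns above into regexes and runs them over constructed proxy-log lines from a host already confirmed as infected, to list which credentials an incident responder should reset first; the log format and the hosts in it are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Subset of the glob patterns from the page's list of targets of the
# Dorkbot password stealer; '*' stands for any run of characters.
DORKBOT_URL_PATTERNS = [
    "*paypal.*", "*google.*", "*login.live.*", "*login.yahoo.*",
    "*facebook.*", "*twitter.com/sessions*", "*secure.logmein.*",
    "*:2082/login*", "*:2083/login*", "*:2222/CMD_LOGIN*", "*members*",
]

def glob_to_regex(pattern: str) -> "re.Pattern":
    """Turn a Dorkbot-style glob into an anchored, case-insensitive regex.
    Everything except '*' is matched literally, so '.' and '/' keep their
    meaning as host and path separators."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

_COMPILED = [(p, glob_to_regex(p)) for p in DORKBOT_URL_PATTERNS]

def matching_patterns(url: str) -> List[str]:
    """Return every target pattern the URL satisfies. The scheme and query
    string are dropped; the patterns describe host, port and path only."""
    parts = urlsplit(url)
    subject = parts.netloc + parts.path
    return [p for p, rx in _COMPILED if rx.match(subject)]

# Constructed proxy-log lines (timestamp, client IP, URL) for a host already
# confirmed as infected; not data from the page.
SAMPLE_PROXY_LOG = """\
2015-12-03T10:01:12 10.0.0.7 https://login.live.com/login.srf?wa=wsignin1.0
2015-12-03T10:02:40 10.0.0.7 https://www.example.org/news/today
2015-12-03T10:05:03 10.0.0.7 http://hosting.example.net:2083/login/?user=admin
2015-12-03T10:07:55 10.0.0.7 https://twitter.com/sessions
"""

def credentials_to_rotate(log_text: str) -> Dict[str, List[str]]:
    """Map each visited host that trips a target pattern to the patterns it
    matched, so the responder knows which accounts to reset first."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        matched = matching_patterns(fields[2])
        if matched:
            hits.setdefault(urlsplit(fields[2]).netloc, []).extend(matched)
    return hits
```

The catch-all `*members*` pattern shows how wide the stealer cast its net: any membership page on any site a victim visited would be reported, so expect some noise in the output.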

Source: https://habr.com/ru/post/272259/
