Wednesday, 23 December 2015

ESET helps to disrupt “Dorkbot” - major botnet malware

ESET took part in a global operation to uncover malware affecting more than a million computers.

The operation by law enforcement agencies around the globe led by the FBI, Interpol and Europol disrupted the Dorkbotinfrastructure, including Command and Control servers in Asia, Europe, and North America. What’s more, the operation has led to the seizure of domains, thus disrupting the botnet operators’ capacity to control their victims’ computers.

“To make the internet safer and protect our users, we have contributed to the disruption efforts. In the case of Dorkbot, ESET shared technical analyses and statistical information about the malware and provided the domains and internet addresses of the botnet’s command and control servers,” said Jean-Ian Boutin, Malware Researcher at ESET.

What is Dorkbot?

Dorkbot is a well-established botnet based on Win32/Dorkbot malware that is distributed via various channels, such as social networks, spam, removable media and exploit kits. Once installed on the machine, it will try to disrupt the normal operation of security software by blocking access to its update servers and will then connect to an IRC server to receive further commands.

What does Dorkbot do?

Besides being a password stealer targeting popular services such as Facebook and Twitter, Dorkbot typically installs code from one of several other malware families soon after it gains control of a given system. Notably, Win32/Kasidet, malware used to conduct DDoS attacks also known as Neutrino bot, and Win32/Lethic, a well-known spambot, are regularly dropped by Dorkbot onto compromised systems.

“As we’ve seen thousands of detections every week coming from almost all parts of the world and there are fresh samples arriving daily, Dorkbot seemed like a viable target for a disruption effort,” commented Jean-Ian Boutin.

Can computer users be safe from Dorkbot?

ESET products currently protect their users against thousands of variations of Dorkbot modules, along with many other forms of malware distributed by the Dorkbot botnets. Internet users who believe that their system might be infected by Dorkbot can make use of ESET’s free tool to run a thorough scan.

You can find more information about the Dorkbot and how it was neutralised in a dedicated article by Jean-Ian Boutin at ESET Ireland’s blog. For more updates follow hashtag #Dorkbot on social media