Be cautious when opening emails
Win32/Dorkbot is a malware that has infected more than one million PCs in over 190 countries. Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disabling security protection, and distributing several other prevalent malware families.
Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy though underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet.
Once connected to the C&C server, Dorkbot may be instructed to block certain security websites by blocking access to them. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections.
Distribution
Dorkbot malware has been distributed in various ways, including:
- Removable drives (USB “thumb-drives”)
- Instant messaging clients
- Social networks
- Drive-by downloads / Exploit kits
- Spam emails
Some of the malware families that we have seen downloaded by Dorkbot worms are listed in the below:
- Win32/Gingplog.A
- Win32/Fleercivet.D
- Win32/Tolouge
- Win32/Gamarue.A
- Win32/Lethic.I
- Win32/Kelihos
- Spammer:Win32/Emotet
- Win32/Mustrat.A
- Win32/Kasidet.A
- Win32/Neurevt.A
- Win32/Leenstic
- Win32/Crowti
- Win32/Necurs
- Win32/Waledac
Some of the websites that we have seen being targeted include:
- AOL
- eBay
- Gmail
- Godaddy
- OfficeBanking
- Mediafire
- Netflix
- PayPal
- Steam
- Yahoo
- YouTube
What now?
Always be careful when opening emails or downloading files from the internet. Make sure that you download files from trusted source and always keep your anti malware up to date.
