Dorkbot is finally gone! So what? There's always another botnet around the corner, twice as dangerous

Dec 4, 2015 03:33 GMT

Dorkbot, a malware family that operates on a botnet structure, has been sinkholed by Polish law enforcement officials working together with Microsoft and ESET.

For non-technical users: sinkholing is the practice of setting up a DNS server that answers lookups for certain domain names with deliberately wrong information.

When a botnet is sinkholed, security firms set up DNS servers that answer infected machines' lookups for the command-and-control (C&C) domain with the wrong address, so the bots can no longer reach the real C&C server, effectively shutting down the entire botnet.
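To make the mechanism concrete, here is a small added example (not code from the article, ESET or Microsoft): a toy sinkhole resolver that answers seized C&C names with a defender-controlled address, plus the check a defender runs afterwards on resolver logs to find the hosts that are still calling home. The domain names, the sinkhole address and the log lines are all constructed for this demo.

```python
from collections import defaultdict

# Constructed for this demo: domains seized in the takedown and where they now point.
SINKHOLED_DOMAINS = {"cc1.dorkbot.example", "cc2.dorkbot.example"}
SINKHOLE_IP = "192.0.2.10"  # defender-controlled host (RFC 5737 documentation range)


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def resolve(qname, upstream):
    """Answer as a sinkhole resolver would: seized names get the sinkhole
    address, everything else is answered from the normal (upstream) zone data."""
    name = normalize(qname)
    if name in SINKHOLED_DOMAINS:
        return SINKHOLE_IP
    return upstream.get(name)


def infected_hosts(log_lines):
    """Identify clients that tried to reach a seized C&C name.
    Assumed (constructed) log format: '<timestamp> <client_ip> <qname> <rcode>'.
    Returns {client_ip: sorted list of C&C names it asked for}."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than crash
        client, qname = fields[1], normalize(fields[2])
        if qname in SINKHOLED_DOMAINS:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample resolver log (one query per line)
SAMPLE_LOG = [
    "2015-12-03T10:00:01Z 10.0.0.5 CC1.dorkbot.example. NOERROR",
    "2015-12-03T10:00:02Z 10.0.0.9 www.example.org NOERROR",
    "2015-12-03T10:00:03Z 10.0.0.5 cc2.dorkbot.example NOERROR",
    "2015-12-03T10:00:04Z 10.0.0.7 cc1.dorkbot.example NOERROR",
    "garbage",
]

if __name__ == "__main__":
    zone = {"www.example.org": "203.0.113.8"}
    print(resolve("CC1.dorkbot.example.", zone))  # sinkhole address
    print(resolve("www.example.org", zone))       # normal answer
    print(infected_hosts(SAMPLE_LOG))             # 10.0.0.5 and 10.0.0.7 need cleanup
```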

This is what happened to Dorkbot, a malware family that was first seen in 2011, being mainly used as an information stealer, allowing attackers to get their hands on credentials from Twitter, Facebook, PayPal, Gmail, Netflix, eBay, Steam, and others.

Dorkbot infected users in over 190 countries over a 4-year span

The malware was active in over 190 countries and was spread via removable media, email spam, and exploit kits, but most of the time via social media profiles and spam.

While in the beginning Dorkbot was only interested in stealing account credentials, the malware evolved, and it also added functionality to download and install other threats on infected systems. This included the Kasidet malware for carrying out DDoS attacks and the Lethic spambot.

Besides ESET, Microsoft, and Computer Emergency Response Team Poland (CERT/PL), other agencies that helped bring down Dorkbot include Interpol, the Royal Canadian Mounted Police (RCMP), the FBI, the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), and the Canadian Radio-Television and Telecommunications Commission (CRTC).

Dorkbot had over 120,000 active bots at the time of the takedown

"Dorkbot is an old botnet that has been reinventing itself through the years," noted ESET's Jean-Ian Boutin. "ESET products currently detect thousands of variations of Dorkbot modules along with the different malware distributed by the Dorkbot botnets."

According to data provided by Microsoft, at the time it was sinkholed, Dorkbot was running on a network that counted around 120,000 infected machines.

To help infected victims, ESET has provided a free tool to allow users to scan and remove Dorkbot from their systems. Additionally, tools like the Microsoft Safety Scanner, and the Malicious Software Removal Tool, can also detect and remove Dorkbot.

Dorkbot geographical spread (image)

Dorkbot botnet sinkholed by international effort (image)