CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA15-337A: Dorkbot

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 03 Dec 2015 18:15:58 -0600
U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

TA15-337A: Dorkbot [ https://www.us-cert.gov/ncas/alerts/TA15-337A ] 12/03/2015 06:40 PM EST 
Original release date: December 03, 2015

Systems Affected

Microsoft Windows

Overview

Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and 
deliver other types of malware to victims’ computers. According to Microsoft, the family of malware used in this botnet 
“has infected more than one million personal computers in over 190 countries over the course of the past year.” The 
United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) 
and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot.

Description

Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), 
launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to 
victims’ computers. Dorkbot is commonly spread via malicious links sent through social networks instant message 
programs or through infected USB devices.

In addition, Dorkbot’s backdoor functionality allows a remote attacker to exploit infected system. According to 
Microsoft’s analysis, a remote attacker may be able to:


  * Download and run a file from a specified URL; 
  * Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached 
login details; or 
  * Block or redirect certain domains and websites (e.g., security sites). 

Impact

A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users' credentials for 
online services, including banking services.

Solution

Users are advised to take the following actions to remediate Dorkbot infections:


  * "Use and maintain anti-virus software" – Anti-virus software recognizes and protects your computer against most 
known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their 
software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If 
you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. 
(See Understanding Anti-Virus Software [ http://www.us-cert.gov/ncas/tips/ST04-005 ] for more information.) 
  * "Change your passwords" – Your original passwords may have been compromised during the infection, so you should 
change them. (See Choosing and Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ] for more 
information.) 
  * "Keep your operating system and application software up-to-date" – Install software patches so that attackers 
cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system 
if this option is available. (See Understanding Patches [ http://www.us-cert.gov/ncas/tips/ST04-006 ] for more 
information.) 
  * "Use anti-malware tools" – Using a legitimate program that identifies and removes malware can help eliminate an 
infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their 
systems. 
  * "Disable Autorun­ – "Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB 
flash drive). You can disable Autorun to stop the threat from spreading. 

*Microsoft*

http://www.microsoft.com/security/scanner/en-us/default.aspx

The above example does not constitute an exhaustive list. The U.S. Government does not endorse or support any 
particular product or vendor.

References

  * Microsoft Malware Protection Center – Worm: Win32/Dorkbot [ 
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx ] 
  * Microsoft Malware Protection Center – Microsoft assists law enforcement to help disrupt Dorkbot botnets [ 
http://blogs.technet.com/b/mmpc/archive/2015/12/03/microsoft-assists-law-enforcement-to-help-disrupt-dorkbot-botnets.aspx
 ] 

Revision History

  * December 3, 2015: Initial Publication 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: