Dorkbot: hunting zombies in Latin America

Pablo Ramos, ESET

Win32/Dorkbot appeared at the beginning of 2011, and within a couple of months the volume of Dorkbot detections had grown until it became the malware with the most impact in Latin America over the whole year. This threat uses removable media and social networks as its means of spreading, and it reached the top of the threat ranking statistics in only three months. Ngrbot (as its author prefers to call it, or Win32/Dorkbot as the AV industry prefers) stands out as the favourite crime pack of Latin America's cybercriminals and is disseminated through a wide variety of media and vectors.

Many small botnets have been detected, and they are being used to steal information such as personal data and home banking credentials from compromised computers. The malware spreads through .LNK files on removable media, through customized messages sent over social networks like Facebook, and through local news items or compromised web pages; infected systems are converted into bots controlled over the IRC protocol.
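The IRC command channel described above is something a defender can look for in network logs. The following is an added example, not code from the paper or from ESET: a small Python heuristic that parses constructed connection-log lines (the log format, addresses and nicknames are assumptions made for this example) and flags source hosts that perform an IRC registration handshake (NICK followed by USER) and a channel JOIN, additionally noting IRC-style traffic on ports other than the usual 6667/6697.

```python
"""Heuristic detection of IRC-style bot command traffic in connection logs.

Added example; the log line format is an assumption:
    <timestamp> <src_ip> -> <dst_ip>:<port> <first bytes of client payload>
"""
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the paper or any real capture).
SAMPLE_LOG = """\
2012-03-01T10:00:01 10.0.0.12 -> 203.0.113.5:6667 NICK user-abcd
2012-03-01T10:00:01 10.0.0.12 -> 203.0.113.5:6667 USER abcd 0 0 :abcd
2012-03-01T10:00:02 10.0.0.12 -> 203.0.113.5:6667 JOIN #main
2012-03-01T10:00:05 10.0.0.12 -> 203.0.113.5:6667 PRIVMSG #main :hello
2012-03-01T10:01:10 10.0.0.33 -> 198.51.100.9:8080 NICK user-efgh
2012-03-01T10:01:10 10.0.0.33 -> 198.51.100.9:8080 USER efgh 0 0 :efgh
2012-03-01T10:01:11 10.0.0.33 -> 198.51.100.9:8080 JOIN #chan
2012-03-01T10:02:00 10.0.0.40 -> 192.0.2.7:80 GET /index.html HTTP/1.1
this line is not in the expected format
"""

# IRC client commands that a bot typically emits to register and receive tasks.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PONG", "MODE"}
STANDARD_IRC_PORTS = {6667, 6697}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<payload>.*)$"
)


def parse_line(line):
    """Return a dict with ts/src/dst/port/payload, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def irc_command(payload):
    """Return the IRC command word if the payload looks like an IRC client message."""
    word = payload.split(" ", 1)[0].upper()
    return word if word in IRC_COMMANDS else None


def detect_irc_bots(lines):
    """Group IRC-looking messages by source host and return the hosts worth triaging.

    A host is reported when it completes the NICK/USER registration, joins a
    channel, or talks IRC on a port other than the standard ones.
    """
    per_src = defaultdict(lambda: {"commands": set(), "dsts": set(),
                                   "ports": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = irc_command(rec["payload"])
        if cmd is None:
            continue
        state = per_src[rec["src"]]
        state["commands"].add(cmd)
        state["dsts"].add(rec["dst"])
        state["ports"].add(rec["port"])
        state["count"] += 1

    findings = {}
    for src, state in per_src.items():
        reasons = []
        if {"NICK", "USER"} <= state["commands"]:
            reasons.append("irc-registration")
        if "JOIN" in state["commands"]:
            reasons.append("channel-join")
        if state["ports"] - STANDARD_IRC_PORTS:
            reasons.append("non-standard-port")
        if reasons:
            findings[src] = {"reasons": reasons,
                             "servers": sorted(state["dsts"]),
                             "messages": state["count"]}
    return findings


if __name__ == "__main__":
    for host, info in detect_irc_bots(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

Hosts that legitimately use IRC will also trip the registration and join rules, so in practice the output is a triage list to compare against an allow-list of known IRC users, with the non-standard-port reason being the stronger signal on its own.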

In this paper the main capabilities and features of Win32/Dorkbot are introduced, and we show its evolution through different versions, starting with AUTORUN spreading and moving on to the use of LNK files and information-stealing techniques. Win32/Dorkbot.B is the most widely spread variant of this worm, its constructor having been leaked and made available on the web. We tracked down one of the active botnets in the region and reviewed the main activities performed by the cybercriminals.

The investigation uncovered thousands of bot computers reporting to the bot master, who used several servers and vulnerable web pages to implement phishing attacks and propagate threats.

Social media messages have been used to spread copies of this malware through Facebook and Windows Live Messenger. Some of the topics used as lures included presidents, celebrities and accidents across the continent and the rest of the world. Email accounts are also being stolen or hijacked by this malware.

We also comment on why and in what ways Win32/Dorkbot's activity in Latin America differs from that in the rest of the world, including trends in Internet usage, social media and user education. The combination of these factors is a direct cause of the massive infection rates detected in the region. The main features, including botnet control, bot commands and protocols, are described in this paper.

Virus Bulletin