Dorkbot: hunting zombies in Latin America
Pablo Ramos ESET
download slides (PDF)
Win32/Dorkbot appeared at the beginning of 2011, and within a couple of months the volume of Dorkbot detections had grown
until it became the malware with the greatest impact in Latin America over the whole year. The threat spreads through
removable media and social networks, and it reached the top of the threat-ranking statistics in only three months. Ngrbot
(as its author prefers to call it; Win32/Dorkbot is the name used by the AV industry) stands out as the favourite crime
pack of Latin America's cybercriminals and is disseminated through a wide variety of media and vectors. Many small botnets
have been detected in use for information theft, including personal data and home-banking credentials taken from
compromised computers. The worm spreads through .LNK files on removable media, through customized messages on social
networks such as Facebook, and through lures built on local news or compromised web pages; infected systems are turned
into bots controlled over the IRC protocol.
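The .LNK spreading vector above is worth being able to recognise on a removable drive. The following is an added example, not code from the paper or from ESET: it parses the fixed Shell Link header and the StringData section of a .LNK file (MS-SHLLINK layout) and applies a simple heuristic, which is an assumption of this example rather than anything the paper states, that flags shortcuts launching a command interpreter or an executable/script. The sample shortcuts are constructed in `build_lnk`, so the script runs offline.

```python
import re
import struct
from pathlib import Path

# Shell Link header constants (MS-SHLLINK): header size and the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian form.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict of str."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        width = 2 if unicode else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "latin-1")
    return fields


def lnk_risk(fields: dict) -> list:
    """Heuristic (assumption of this example): reasons a shortcut found on
    removable media deserves a closer look."""
    target = f"{fields['relative_path']} {fields['arguments']}".lower()
    reasons = []
    if re.search(r"\b(cmd|rundll32|wscript|cscript|powershell)\.exe\b", target):
        reasons.append("launches a command/script interpreter")
    if re.search(r"\.(exe|scr|dll|vbs|bat|com)\b", target):
        reasons.append("points at an executable or script")
    return reasons


def scan_dir(root: str) -> list:
    """Scan a mounted drive for suspicious .lnk files; returns (path, reasons)."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            reasons = lnk_risk(parse_lnk(p.read_bytes()))
        except (ValueError, OSError):
            continue
        if reasons:
            hits.append((str(p), reasons))
    return hits


def build_lnk(relative_path: str = "", arguments: str = "") -> bytes:
    """Construct a minimal Unicode Shell Link (sample data for this example;
    no IDList or LinkInfo) so the parser can be exercised offline."""
    flags = IS_UNICODE
    body = b""
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    if relative_path:
        flags |= HAS_RELATIVE_PATH
        body += string_data(relative_path)
    if arguments:
        flags |= HAS_ARGUMENTS
        body += string_data(arguments)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + body


if __name__ == "__main__":
    # Constructed samples: an interpreter-launching shortcut and a plain folder shortcut.
    for rel, args in (("..\\..\\Windows\\System32\\cmd.exe", "/c start update.exe"),
                      ("..\\Holiday photos", "")):
        f = parse_lnk(build_lnk(rel, args))
        print(rel, args, "->", lnk_risk(f) or "clean")
```

Run `scan_dir("E:\\")` (or the mount point of the removable drive) to list shortcuts that trigger the heuristic; a shortcut that merely opens a folder produces no reasons, while one that invokes cmd.exe with arguments is reported for manual review.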
In this paper the main capabilities and features of Win32/Dorkbot are introduced, and we trace its evolution through
different versions, starting with AUTORUN-based spreading and moving on to the use of LNK files and information-stealing
techniques. Win32/Dorkbot.B is the most widely spread variant of this worm, its constructor having been leaked and made
available on the web. We tracked down one of the active botnets in the region and reviewed the main activities performed by the
The investigation turned up thousands of bot computers reporting to the bot master, who used several servers and
vulnerable web pages to implement phishing attacks and to propagate further threats.
Social media messages have been used to spread copies of this malware through Facebook and Windows Live Messenger. Topics
used as lures included presidents, celebrities and accidents across the continent and the rest of the world. Email
accounts are also being stolen or hijacked by this malware.
We also comment on why and in what ways Win32/Dorkbot's activity in Latin America differs from that in the rest of the
world, including trends in Internet usage, social media and user education; the combination of these factors is a direct
cause of the massive infection rates detected in the region. The main features, including botnet control, bot commands
and protocols, are described in this paper.