Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.
Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disabling security protection, and distributing several other prevalent malware families.
The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).
We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.
The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:
Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.
Dorkbot telemetry
During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.
Figure 2: Dorkbot detections by country for the past six months
Figure 3: Dorkbot machine detections heat map for past three months
Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy though underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figure 4 and 5 show one of the builder interfaces for Dorkbot – illustrating all available functionalities that the operator can set through the kit, including the IRC server settings and the command settings.
Figure 4: Dorkbot builder IRC server settings
Figure 5: Dorkbot builder command settings
Distribution
Dorkbot malware has been distributed in various ways, including:
- Removable drives (USB “thumb-drives”)
- Instant messaging clients
- Social networks
- Drive-by downloads / Exploit kits
- Spam emails
Figure 6: Dorkbot distribution methods
During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software that is designed to infect user computers that connect to the website using software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator.
When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.
Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.
Behaviors
Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.
Dorkbot loader
Being sold online, there are several operators utilizing Dorkbot. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.
Figure 7: Original Dorkbot has self-check routine that was cracked by a recent operator
Dorkbot loader – update and download other malware
The loader module contains an encoded download URL in its binary. Currently the binaries hosted in these URLs are Dorkbot’s downloader component, self-update, and other malware families.
Figure 8: Decoded download URLs in the loader module
The Dorkbot worm can receive commands to download and install additional malware on the infected computer, causing users whose computers are infected with Dorkbot to be infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed in the below:
- Win32/Gingplog.A
- Win32/Fleercivet.D
- Win32/Tolouge
- Win32/Gamarue.A
- Win32/Lethic.I
- Win32/Kelihos
- Spammer:Win32/Emotet
- Win32/Mustrat.A
- Win32/Kasidet.A
- Win32/Neurevt.A
- Win32/Leenstic
- Win32/Crowti
- Win32/Necurs
- Win32/Waledac
The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.
Dorkbot loader – guide IRC module to real C&C
Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.
The loader creates a trap process (for example, mspaint.exe) and installs a code hook on a DNS-related API (DnsQuery_A, DnsFree). The hook code will compare if the query was on the old C&C server domain, and return the DNS query value of the preferred domain.
Figure 9: Overview of trap process guiding to real C&C
Figure 10: C&C server overriding
Figure 11: List of C&C domains
After connecting to C&C server, the IRC module will start receiving commands.
Dorkbot – IRC module (aka NgrBot)
After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.
Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
Figure 12: Dorkbot C&C communication via IRC
Operators keep patching string fragments such as IRC related commands (USER, PASS, NICK, PRIVMSG etc) or machine’s unique nickname format.
Figure 13: Comparison with the old (top) and new (bottom) version of Dorkbot
Stealing online user credentials
Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:
- HttpSendRequestA/W
- InternetWriteFile
- PR_Write
It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:
- AOL
- eBay
- Gmail
- Godaddy
- OfficeBanking
- Mediafire
- Netflix
- PayPal
- Steam
- Yahoo
- YouTube
Anti-security techniques
Blocking websites
Once connected to the C&C server, Dorkbot may be instructed to block certain security websites by blocking access to them. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.
Anti-sandbox techniques
Whenever the loader runs on a system, it will record the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader will check if current time is at least 48 hours past the time recorded on installation. This way the loader can hide the download URLs from antimalware backend analysis system.
Remediation
To help prevent a Dorkbot infection, as well as other malware and unwanted software:
- Be cautious when opening emails or social media messages from unknown users.
- Be wary about downloading software from websites other than the program developers.
- Run antimalware software regularly.
Our real-time security software, such as Windows Defender for Windows 10 for Windows 10 with up-to-date AV definitions will to ensure you have the latest protection against Dorkbot threats.
Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.
Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.
If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.
Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC