The DORKBOT Rises

  • Posted on:October 16, 2012 at 9:44 am
  • Posted in:Bad Sites
  • Author:
    Bernadette Irinco (Technical Communications)

DORKBOT, also known as NgrBot, is not a new threat. In fact, it was seen in the wild as early as 2011. Yet last week, DORKBOT made the news for spreading via Skype spammed messages, and has now reached more than 17,500 reported infections globally. So what is DORKBOT, really?

A worm with multiple propagation routines

DORKBOT typically spreads in several ways: social media (such as Facebook and Twitter), instant messaging applications (Windows Live Messenger, mIRC, and now Skype), and via USB drives.

In propagating via social media and instant messaging applications, DORKBOT variants initially connect to the website http://api.wipmania.com/ in order to get the affected system’s IP address and location. This is done in order to pick the appropriate language to be used for propagation via instant messaging applications or social networks. However, in the Skype attack, the DORKBOT variants (WORM_DORKBOT.IF and WORM_DORKBOT.DN) check the system locale in order to select the language.

Here are some of the messages used, based on our analysis:

  • lol is this your new profile pic
  • hej to jest twój nowy obraz profil?
  • eínai aftí i néa fotografía profíl sas?
  • это новый аватар вашего профиля?))
  • سؤال هي صورتك ؟
  • moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
  • hej er det din nye profil billede?
  • hej je to vasa nova slika profila
  • hey is dit je nieuwe profielfoto?
  • hei zhè shì ni de gèrén ziliào zhàopiàn ma?
  • tung, cka paske lyp ti nket fotografi?
  • hey c’est votre nouvelle photo de profil?
  • hey é essa sua foto de perfil? rsrsrsrsrsrsrs
  • ¿hey esta es tu nueva foto de perfil?
  • ni phaph porfil khxng khun?
  • hej detta är din nya profilbild?
  • hey è la tua immagine del profilo nuovo?
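The propagation chain described above (a geolocation lookup against api.wipmania.com followed by a localized lure message) is something a web proxy can see. The following Python script is an added example, not code from the original post or from Trend Micro: it reads a constructed proxy log, raises a "high" finding for a client that performs the geolocation lookup and then POSTs one of the lure strings listed above within an hour, and a "medium" finding for a lure POST on its own, since the Skype variants read the system locale instead of calling the service. The log layout, the one-hour window and the sample lines are assumptions.

```python
"""Flag hosts showing the DORKBOT propagation pattern in proxy logs.

Added example (not Trend Micro's code). Lure strings come from the post's
list; the log format, the one-hour window and the sample lines are assumed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus, urlparse

GEOLOCATION_HOST = "api.wipmania.com"

# Lure strings from the post, compared case-insensitively against decoded POST bodies
LURE_PHRASES = tuple(p.lower() for p in (
    "lol is this your new profile pic",
    "hej to jest twój nowy obraz profil?",
    "eínai aftí i néa fotografía profíl sas?",
    "это новый аватар вашего профиля?))",
    "سؤال هي صورتك ؟",
    "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil",
    "hej er det din nye profil billede?",
    "hej je to vasa nova slika profila",
    "hey is dit je nieuwe profielfoto?",
    "hei zhè shì ni de gèrén ziliào zhàopiàn ma?",
    "tung, cka paske lyp ti nket fotografi?",
    "hey c’est votre nouvelle photo de profil?",
    "hey é essa sua foto de perfil? rsrsrsrsrsrsrs",
    "¿hey esta es tu nueva foto de perfil?",
    "ni phaph porfil khxng khun?",
    "hej detta är din nya profilbild?",
    "hey è la tua immagine del profilo nuovo?",
))

# Assumed log layout: <ISO timestamp> <client IP> <method> <URL> <status> <body=urlencoded | ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>\S*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    body = rec["body"]
    rec["body"] = unquote_plus(body[len("body="):]) if body.startswith("body=") else ""
    return rec


def matches_lure(text):
    """True if the decoded request body contains one of the known lure strings."""
    lowered = text.lower()
    return any(p in lowered for p in LURE_PHRASES)


def score_hosts(lines, window=timedelta(hours=1)):
    """Map client IP -> {"severity", "lure_posts"} for every client that sent a lure."""
    geo_first = {}   # client IP -> first time it contacted the geolocation service
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["host"] == GEOLOCATION_HOST:
            geo_first.setdefault(src, rec["ts"])
            continue
        if rec["method"] != "POST" or not matches_lure(rec["body"]):
            continue
        first = geo_first.get(src)
        # Lookup followed by a lure within the window: the IM/social-network chain.
        # Lure alone: still reportable, because the Skype variants skip the lookup.
        chained = first is not None and timedelta(0) <= rec["ts"] - first <= window
        entry = findings.setdefault(src, {"severity": "medium", "lure_posts": []})
        entry["lure_posts"].append((rec["ts"].isoformat(), rec["host"]))
        if chained:
            entry["severity"] = "high"
    return findings


# Constructed sample: 10.0.0.5 shows the full chain, 10.0.0.9 only the lure,
# 10.0.0.7 only the lookup (not reported) and 10.0.0.11 a harmless message.
SAMPLE_LOG = """\
2012-10-16T09:44:01 10.0.0.5 GET http://api.wipmania.com/ 200 -
2012-10-16T09:44:03 10.0.0.5 GET http://www.example.com/ 200 -
2012-10-16T09:45:10 10.0.0.5 POST http://www.example.com/messages/send 200 body=msg%3Dlol+is+this+your+new+profile+pic
2012-10-16T09:50:00 10.0.0.7 GET http://api.wipmania.com/ 200 -
2012-10-16T10:02:30 10.0.0.9 POST http://www.example.com/messages/send 200 body=text%3Dhey+is+dit+je+nieuwe+profielfoto%3F
2012-10-16T10:05:00 10.0.0.11 POST http://www.example.com/messages/send 200 body=text%3Dsee+you+at+lunch
"""

if __name__ == "__main__":
    for ip, info in score_hosts(SAMPLE_LOG.splitlines()).items():
        print(ip, info["severity"], info["lure_posts"])
```

A lookup against api.wipmania.com on its own is deliberately not reported: legitimate software can use the same service, so the script only treats it as corroboration for a lure message seen from the same client.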

A DDoS launcher

DORKBOT also accepts commands from its controller by connecting to and joining IRC chatrooms. This routine is most commonly used in order to launch various DoS attacks. It can mount three different kinds of DoS attacks: SYN floods, UDP floods, or Slowloris attacks.
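The three DoS techniques named above leave different footprints on the receiving server: a SYN flood fills the listen backlog with half-open connections from (usually spoofed) sources, Slowloris holds many established connections open from one source without ever completing a request, and a UDP flood is simply a single source emitting far more datagrams than normal. The following Python script is an added example, not code from the original post or from Trend Micro: it classifies a constructed connection-table snapshot into those three patterns. The record layout, the thresholds and the sample data are assumptions chosen for illustration.

```python
"""Classify DoS patterns from a connection-table snapshot.

Added example (not Trend Micro's code): tells SYN floods, Slowloris and UDP
floods apart from a snapshot of connections plus sampled datagrams. Record
layout, thresholds and sample data are assumptions, not figures from the post.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Obs:
    proto: str               # "tcp": one connection-table entry; "udp": one sampled datagram
    src: str                 # source address as seen by the server
    dport: int               # destination port on the server
    state: str = "-"         # tcp only: "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float = 0.0       # tcp only: seconds since the entry was created
    request_complete: bool = True  # tcp only: has a full request header arrived?


def classify_dos(obs, syn_min=100, syn_ratio=0.8,
                 slow_min_conns=20, slow_min_age=30.0, udp_min=500):
    """Return the ports/sources whose activity matches each attack pattern.

    SYN flood: many half-open entries on one port and few completed handshakes;
      sources are usually spoofed, so this check is per port, not per source.
    Slowloris: one source holding many established connections that never
      finish sending a request header.
    UDP flood: one source emitting far more datagrams than normal in the sample.
    """
    tcp_states = defaultdict(Counter)   # dport -> Counter of TCP states
    slow_conns = Counter()              # src -> stalled, established connections
    udp_datagrams = Counter()           # src -> sampled datagrams

    for o in obs:
        if o.proto == "udp":
            udp_datagrams[o.src] += 1
            continue
        tcp_states[o.dport][o.state] += 1
        if (o.state == "ESTABLISHED" and not o.request_complete
                and o.age_s >= slow_min_age):
            slow_conns[o.src] += 1

    result = {"syn_flood_ports": [], "slowloris_sources": [], "udp_flood_sources": []}
    for port, states in sorted(tcp_states.items()):
        half_open = states["SYN_RECV"]
        if half_open >= syn_min and half_open / sum(states.values()) >= syn_ratio:
            result["syn_flood_ports"].append(port)
    result["slowloris_sources"] = sorted(s for s, n in slow_conns.items() if n >= slow_min_conns)
    result["udp_flood_sources"] = sorted(s for s, n in udp_datagrams.items() if n >= udp_min)
    return result


def build_sample():
    """Constructed snapshot mixing the three patterns with benign traffic."""
    obs = []
    # SYN flood on port 80 from 150 different (spoofed-looking) TEST-NET-3 addresses
    obs += [Obs("tcp", f"203.0.113.{i % 254 + 1}", 80, "SYN_RECV", 2.0, False) for i in range(150)]
    # Normal clients that completed their handshakes and sent their requests
    obs += [Obs("tcp", "192.0.2.4", 80, "ESTABLISHED", 1.5, True) for _ in range(10)]
    obs += [Obs("tcp", "192.0.2.5", 443, "ESTABLISHED", 3.0, True) for _ in range(5)]
    # Slowloris: one source keeps 25 connections open for 45 s without finishing a request
    obs += [Obs("tcp", "198.51.100.7", 443, "ESTABLISHED", 45.0, False) for _ in range(25)]
    # A slow but legitimate client on a bad link: only 3 stalled connections, not flagged
    obs += [Obs("tcp", "192.0.2.6", 443, "ESTABLISHED", 40.0, False) for _ in range(3)]
    # UDP flood: 600 sampled datagrams to port 53 from one source, plus a normal resolver client
    obs += [Obs("udp", "198.51.100.9", 53) for _ in range(600)]
    obs += [Obs("udp", "192.0.2.8", 53) for _ in range(4)]
    return obs


if __name__ == "__main__":
    for kind, items in classify_dos(build_sample()).items():
        print(f"{kind}: {items}")
```

The per-port check for SYN floods matters because a bot does not have to use its real address in a SYN packet; counting half-open entries per source would miss the attack entirely, whereas Slowloris connections must complete the handshake and therefore do reveal the bot's address.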

An information stealer

DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers.

Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also inspects strings sent to the monitored sites via HTTP POST, and can thus capture information entered in HTTP forms, such as passwords, usernames, and email addresses.

A malware downloader

DORKBOT can also execute commands like downloading an updated copy of itself and other malware (e.g. ransomware) onto already infected systems. This could explain why some reports have stated connections to other threats such as click fraud and ransomware.

What’s more, DORKBOT downloads an updated copy of itself every day; these copies typically go undetected because they arrive with different packers. This is probably done to remain undetected on the infected system.

With multiple dangerous routines and propagation methods that fit neatly into users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from. Trend Micro users are protected from this via the Smart Protection Network. Other users may refer to our eguide “A Guide on Threats on Social Media” for tips to avoid infection, or our online scanner HouseCall to clean up existing infections.
