DORKBOT, also known as NgrBot, is not a new threat. In fact, it was seen in the wild as early as 2011. Yet last week, DORKBOT made the news for spreading via spammed Skype messages, and has now reached more than 17,500 reported infections globally. So what is DORKBOT, really?
A worm with multiple propagation routines
DORKBOT typically spreads in several ways: social media (such as Facebook and Twitter), instant messaging applications (Windows Live Messenger, mIRC, and now Skype), and via USB drives.
When propagating via social media and instant messaging applications, DORKBOT variants first connect to the website http://api.wipmania.com/ to obtain the affected system’s IP address and location. This is done to pick the appropriate language for the messages it sends over instant messaging applications or social networks. In the Skype attack, however, the DORKBOT variants (WORM_DORKBOT.IF and WORM_DORKBOT.DN) check the system locale to select the language.
Here are some of the messages used, based on our analysis:
- lol is this your new profile pic
- hej to jest twój nowy obraz profil?
- eínai aftí i néa fotografía profíl sas?
- это новый аватар вашего профиля?))
- سؤال هي صورتك ؟
- moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
- hej er det din nye profil billede?
- hej je to vasa nova slika profila
- hey is dit je nieuwe profielfoto?
- hei zhè shì ni de gèrén ziliào zhàopiàn ma?
- tung, cka paske lyp ti nket fotografi?
- hey c’est votre nouvelle photo de profil?
- hey é essa sua foto de perfil? rsrsrsrsrsrsrs
- ¿hey esta es tu nueva foto de perfil?
- ni phaph porfil khxng khun?
- hej detta är din nya profilbild?
- hey è la tua immagine del profilo nuovo?
A DDoS launcher
DORKBOT also accepts commands from its controller by connecting to and joining IRC chatrooms. This routine is most commonly used in order to launch various DoS attacks. It can mount three different kinds of DoS attacks: SYN floods, UDP floods, or Slowloris attacks.
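The two network behaviours described above, the geolocation lookup to api.wipmania.com and the later connection to an IRC controller, can be correlated on the defender's side. The following script is an added example written for this post, not Trend Micro code: it parses a handful of constructed proxy/firewall log lines and flags any internal host that performs the wipmania lookup and then opens an IRC connection within a short window. The log format, the 10-minute window and the IRC port (6667, the conventional IRC port; the post does not state which port the bots use) are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
# Assumed format: "<timestamp> <src_ip> <proto> <destination> <dst_port>"
SAMPLE_LOGS = """
2012-10-09T10:01:03 10.0.0.5 http api.wipmania.com 80
2012-10-09T10:01:09 10.0.0.5 tcp 203.0.113.7 6667
2012-10-09T10:02:11 10.0.0.8 http api.wipmania.com 80
2012-10-09T10:03:15 10.0.0.12 tcp 203.0.113.9 6667
2012-10-09T12:30:00 10.0.0.8 tcp 203.0.113.7 6667
2012-10-09T10:05:00 10.0.0.20 http www.example.com 80
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
GEO_HOST = "api.wipmania.com"       # geolocation service named in the post
IRC_PORTS = {6667}                  # assumption: conventional IRC port
WINDOW = timedelta(minutes=10)      # assumption: lookup-to-IRC correlation window


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, proto, dst, port = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "proto": proto,
        "dst": dst,
        "port": int(port),
    }


def correlate(lines, window=WINDOW):
    """Return the sorted list of internal hosts that contacted the geolocation
    service and then opened an IRC-port connection within `window`."""
    geo_times = defaultdict(list)   # src -> timestamps of wipmania lookups
    irc_times = defaultdict(list)   # src -> timestamps of IRC-port connections
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dst"] == GEO_HOST:
            geo_times[ev["src"]].append(ev["ts"])
        elif ev["port"] in IRC_PORTS:
            irc_times[ev["src"]].append(ev["ts"])

    flagged = set()
    for src, lookups in geo_times.items():
        for g in lookups:
            # Flag the host if any IRC connection follows a lookup inside the window.
            if any(g <= t <= g + window for t in irc_times.get(src, [])):
                flagged.add(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for host in correlate(SAMPLE_LOGS):
        print("suspicious host:", host)
```

In the constructed data only 10.0.0.5 is flagged: 10.0.0.8 performs the lookup but its IRC connection comes more than two hours later, and 10.0.0.12 connects to an IRC port without the preceding lookup. The window is deliberately tight, since a geolocation lookup on its own is common and benign; widening it trades fewer misses for more noise.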
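Of the three attack types listed, a SYN flood is the simplest to pick out of flow data: an infected host emits many SYNs to one target and almost none of those connections ever complete. The heuristic below is an added example for this post, not Trend Micro code, and runs over constructed connection records; the record layout, the threshold of 100 SYNs and the 10% completion ratio are assumptions of the example, not values from the post.

```python
from collections import defaultdict


def make_sample_flows():
    """Constructed connection records for one observation window (not real data).
    Each record is (src_ip, dst_ip, dst_port, flags) where "S" is a SYN with no
    completed handshake observed and "A" marks a handshake that did progress."""
    flows = []
    # A normal client: five connections, every one of them completed.
    for _ in range(5):
        flows.append(("10.0.0.20", "198.51.100.10", 80, "S"))
        flows.append(("10.0.0.20", "198.51.100.10", 80, "A"))
    # A host behaving like a bot in a SYN flood: 200 SYNs, none completed.
    for _ in range(200):
        flows.append(("10.0.0.5", "198.51.100.10", 80, "S"))
    # A moderately busy but legitimate host: 120 SYNs, 110 completed.
    for _ in range(120):
        flows.append(("10.0.0.7", "198.51.100.10", 443, "S"))
    for _ in range(110):
        flows.append(("10.0.0.7", "198.51.100.10", 443, "A"))
    return flows


def syn_flood_suspects(flows, min_syns=100, max_complete_ratio=0.1):
    """Return (src, dst, port, syn_count) tuples for source/target pairs that sent
    at least `min_syns` SYNs of which at most `max_complete_ratio` completed."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    for src, dst, port, flags in flows:
        key = (src, dst, port)
        if flags == "S":
            syns[key] += 1
        elif "A" in flags:
            completed[key] += 1

    suspects = []
    for key, n in syns.items():
        ratio = completed[key] / n
        if n >= min_syns and ratio <= max_complete_ratio:
            suspects.append((key[0], key[1], key[2], n))
    return sorted(suspects)


if __name__ == "__main__":
    for src, dst, port, n in syn_flood_suspects(make_sample_flows()):
        print(f"{src} -> {dst}:{port} sent {n} SYNs with almost no completions")
```

Counting completions rather than raw SYN volume is what keeps the busy-but-legitimate host (10.0.0.7) out of the result: it exceeds the SYN threshold but nearly all of its handshakes finish. The same idea does not carry over to Slowloris, which completes its handshakes and instead holds HTTP connections open, so that attack needs a check on long-lived, partially-sent requests per client rather than on SYN counts.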
An information stealer
DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers.
Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus capturing information entered in HTTP form fields such as passwords, usernames, and email addresses.
A malware downloader
DORKBOT can also execute commands like downloading an updated copy of itself and other malware (e.g. ransomware) onto already infected systems. This could explain why some reports have stated connections to other threats such as click fraud and ransomware.
What’s more, DORKBOT downloads an updated copy of itself every day. These copies typically go undetected because they arrive with different packers, which is probably done to keep the malware undetected on the infected system.
With multiple dangerous routines and propagation methods that fit neatly into users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from. Trend Micro users are protected from this via the Smart Protection Network. Other users may refer to our eguide “A Guide on Threats on Social Media” for tips to avoid infection, or to our online scanner HouseCall to clean up existing infections.