Dorkbot
Original Issue Date:- January 22, 2016
Virus Type:- Worm
Severity:- High
It has been observed that the variants of malware named as,
The malware is capable of performing the following functions:
- Steals sensitive information from infected machine including stored passwords, browser data, cookies etc.
- Capable of installing other malicious binaries to take complete control of the affected system
- Make use of process injection or overwrite genuine windows files to hide itself.
- Intercept browsers and launch man-in-the-middle attacks by hooking various APIs within Firefox and IE.
- Collects system information such as OS information, User privileges, apps installed on system.
- Make network connections or join IRC chats to execute commands issued by the attacker.
- Gives remote access of the infected machine to attacker.
- Block access to some websites based on the strings in their domain names especially antivirus vendor’s websites.
- Capable of injecting iframes in the html file found on the victim’s machine.
- Launch DDOS attacks (SYN, UDP, SlowLoris flood)
- Capable of updating or uninstalling itself.
Aliases: BDS/Backdoor.Gen[AntiVir], Win32:Ruskill-EG[Avast], Worm/Generic2.ASJP[AVG], Worm.Dorkbot.A [BitDefender], Worm.Dorkbot.A [Emsisoft ], Win32/Dorkbot.B [ESET], worm.Win32.Ngrbot.byu [Kaspersky], W32/IRCbot.gen.ax [McAfee] , Worm:Win32/Dorkbot.A [Microsoft] , Dorkbot.U [Norman], W32/Lolbot.R.worm [Panda] , W32.IRCBot.NG [Symantec], worm_DORKBOT [TrendMicro].
Indicators of Infection
File system Changes:
Malware may arrive on the victim’s machine with the following names:
- facebook-profile-pic-
-JPEG.exe - facebook-pic00
.exe - skype_
_foto.exe , where is the day, ,month, and year, for example, "skype_06102012_foto.exe" - skype_
_foto.exe , where is the day, ,month, and year, for example, "skype_09-10-2012_image.exe"
During installations, malware makes a copy of itself in following locations:
Location: %Appdata%
Filename:
Registry changes:
Malware make registry entry for itself to execute itself at every system reboot. The Registry entry make by the malware is as follows:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%appdata%\ozkqke.exe"
Code injection:
To hide itself from detecting by antivirus solutions, malware injects its code in the following files:
- cmd.exe
- ipconfig.exe
- regedit.exe
- regsvr32.exe
- rundll32.exe
- verclsid.exe
- explorer.exe
API Hooking:
To get the control over the files used for process injection, malware hooks the following functions with respect to those files to avoid infected user from viewing or tempering these files. Some of the APIs hooked are:
- CopyFileA/W
- DeleteFileA/W
- NtEnumerateValueKey
- NtQueryDirectoryFile
- DnsQuery_W
- GetAddrInfoW
- HttpSendRequestA
- HttpSendRequestW
- PR_Write
- RegCreateKeyExA
- RegCreateKeyExW
- RtlAnsiStringToUnicodeString
- URLDownloadToFileA
- URLDownloadToFileW
File System Changes in Removable Drives:
This worm creates the following folders in all removable drives:
- {drive letter}:\RECYCLER
It drops the following copy(ies) of itself in all removable drives:
- {drive letter}:\RECYCLER\{random characters}.exe
Network Communications:
Malware make network connections to IRC servers to receive commands. Some of the IRC channels used the malware are:
- Lovealiy[dot]com
- av.shannen[dot]cc
- shuwhyyu[dot]com
- syegyege[dot]com
IRC nickname used by the malware is generated based on format mentioned below:
n{(country code)|(OS version)(user type)}{random string}
where , n constant
Country code 2 digit country code
OS version XP, 2K3, VIS, 2K8, W7, ERR (Error), etc
User type 'a' (administrator) or 'u' (user)
Malware connects to "api.wipmania.com", to gather infected machine information such as current IP and location.
Once remote connection is successful, then the malware is capable of performing DDOS attacks using SYN or UDP floods against target specified by the remote attacker. Also, attacker may instruct malware to restrict user from downloading specific type of files such as exe, com, pif or .scr files.
Countermeasures:
- Delete the system changes made by the malware such as files created/ registry entries /services etc.
- Monitor and block traffic generated from client machines to the domains and IP address mentioned above.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Scan infected system with updated versions of Antivirus solution
- Disable Autorun and Autoplay policies.
- Use limited privilege user on the computer or allow administrative access to systems with special administrative accounts for administrators
- Limit or eliminate the use of shared or group accounts.
- Do not visit untrusted websites.
- Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstation.
- Install and scan anti malware engines and keep them up-to-date.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Disable unnecessary services on agency workstations and servers.
References:
- https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm:Win32/Dorkbot.A
- https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot
- https://www.f-secure.com/v-descs/worm_w32_dorkbot.shtml
- http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_dorkbot