Dorkbot botnet disruption

Date of publication: 04/12/2015, CERT Polska

CERT Polska has partnered with Microsoft, ESET and law enforcement agencies including US-CERT/DHS, the FBI, Interpol and Europol in an operation aimed at disrupting the Dorkbot malware family. The disruption, which included sinkholing the botnet's infrastructure, took place yesterday. Dorkbot is a well-known malware family that has operated somewhat under the radar since 2011. Its main objectives are to steal data (including credentials), to disable security software such as antivirus programs, and to distribute other malware. According to early estimates, Dorkbot infected at least one million Windows PCs worldwide over the past year, with an average monthly infection size of about 100,000 machines. Polish users were among the targets.

What was our role?

It is worth noting that in the past, part of the infrastructure used to manage Dorkbot was located in Poland. Our main role in the disruption was to provide analysis of how the botnet functioned, together with data on the existing botnets.

What do we know about Dorkbot?

Our first encounter with Dorkbot on a larger scale took place in the autumn of 2012, when the malware began to spread among Polish users via Skype. Besides instant messaging, Dorkbot also propagated through social networks and USB media. We performed a thorough analysis of the threat and disrupted the botnet through a sinkholing operation, which included taking over some of the .pl domains used to manage it. Dorkbot domains were linked to Domain Silver, a rogue registrar whose domains we took over in mid-2013.

Although the IRC-based command-and-control structure of this botnet family is not complicated by today's standards, Dorkbot has stayed under the radar of the incident response community ever since. The main danger of the botnet, as we see it, lies in its role as a dropper for other threats. This is a common business model, similar to that of other threats we have neutralised, for example Virut, a very large Polish-authored botnet.

As of today, according to our estimates, the scale of infection in Poland is relatively low. Regardless of the situation in Poland, we believe that by taking part in such disruption activities we improve the safety of all Internet users and proactively reduce the danger the threat poses to Polish users in the future. Estimating the true scale of the infection will only be possible after data from the sinkholes has been collected: a sinkhole sees every infected host that tries to reach the seized domains, whereas the earlier figures are extrapolations.
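The sinkhole data mentioned above is typically reduced to the two figures quoted earlier in this post: an average per-period count (the "monthly infection size") and a cumulative count of distinct hosts seen over the whole window. The following script is an added example of that reduction, not CERT Polska's tooling and not code from this page; the log format (`<ISO-8601 UTC timestamp> <source IP> <sinkholed domain>`), the domain name and the log lines are all constructed for illustration. It counts unique source IPs per day rather than raw connections, because an infected host reconnects many times a day, and it skips malformed lines rather than aborting on them.

```python
"""Estimate botnet size from sinkhole connection logs.

Added example, not CERT Polska's or Microsoft's tooling. The log format is
an assumption: "<ISO-8601 UTC timestamp> <source IP> <sinkholed domain>".
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample log (not real sinkhole data). The same host usually
# reconnects many times per day, so raw line counts overstate the size.
SAMPLE_LOG = """\
2015-12-03T00:14:02Z 198.51.100.7 bot-cc.example.pl
2015-12-03T00:14:09Z 198.51.100.7 bot-cc.example.pl
2015-12-03T02:31:55Z 203.0.113.20 bot-cc.example.pl
2015-12-03T23:59:58Z 192.0.2.99 bot-cc.example.pl
2015-12-04T00:00:03Z 198.51.100.7 bot-cc.example.pl
2015-12-04T11:07:41Z 192.0.2.99 bot-cc.example.pl
2015-12-04T11:08:10Z 192.0.2.100 bot-cc.example.pl
2015-12-05T09:00:00Z 203.0.113.20 bot-cc.example.pl
garbage line that should be skipped
2015-12-05T09:00:01Z not-an-ip bot-cc.example.pl
"""


def parse_line(line):
    """Return (date, ip) for a well-formed line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = ip_address(parts[1])  # rejects anything that is not an address
    except ValueError:
        return None
    return ts.date(), str(ip)


def estimate_infections(log_text):
    """Count unique source IPs per day, their average, and the cumulative total.

    Unique IPs are only a proxy for infected machines: NAT hides several
    hosts behind one address (undercount), while DHCP churn lets one host
    show up under several addresses across days (overcount).
    """
    per_day = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        day, ip = rec
        per_day[day].add(ip)

    daily = {d.isoformat(): len(ips) for d, ips in sorted(per_day.items())}
    cumulative = len(set().union(*per_day.values())) if per_day else 0
    average = sum(daily.values()) / len(daily) if daily else 0.0
    return {
        "daily": daily,            # unique IPs seen on each day
        "average_daily": average,  # the "average infection size" figure
        "cumulative": cumulative,  # distinct IPs over the whole window
        "skipped": skipped,        # malformed lines ignored
    }


if __name__ == "__main__":
    result = estimate_infections(SAMPLE_LOG)
    for day, count in result["daily"].items():
        print(f"{day}: {count} unique IPs")
    print(f"average per day: {result['average_daily']:.2f}")
    print(f"cumulative unique: {result['cumulative']}")
    print(f"skipped lines: {result['skipped']}")
```

On the constructed sample the cumulative figure (4) is larger than any single day (at most 3), which is the same relationship as the "one million over the year" versus "100,000 per month" numbers quoted above; the two are not contradictory, they measure different things.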

Where can I learn more about Dorkbot and how to remove it from my computer?

Microsoft MMPC, which led this initiative, has published a more detailed blog entry on the Dorkbot threat, including statistical information.

Detection and removal of this threat have been added to the Microsoft Malicious Software Removal Tool. ESET has also published a Dorkbot Cleaner tool.

The international consortium formed to disrupt Dorkbot was organised under the Microsoft Coordinated Malware Eradication (CME) programme.