U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA15-337A: Dorkbot
12/03/2015 06:40 PM EST
Original release date: December 03, 2015
Systems Affected
Microsoft Windows
Overview
Dorkbot is a botnet used to steal online payment, participate in distributed
denial-of-service (DDoS) attacks, and deliver other types of malware to
victimsÆ computers. According to Microsoft, the family of malware used in this
botnet ôhas infected more than one million personal computers in over 190
countries over the course of the past year.ö The United States Department of
Homeland Security (DHS), in collaboration with the Federal Bureau of
Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide
further information about Dorkbot.
Description
Dorkbot-infected systems are used by cyber criminals to steal sensitive
information (such as user account credentials), launch denial-of-service (DoS)
attacks, disable security protection, and distribute several malware variants
to victimsÆ computers. Dorkbot is commonly spread via malicious links sent
through social networks instant message programs or through infected USB
devices.
In addition, DorkbotÆs backdoor functionality allows a remote attacker to
exploit infected system. According to MicrosoftÆs analysis, a remote attacker
may be able to:
Download and run a file from a specified URL;
Collect logon information and passwords through form grabbing, FTP, POP3, or
Internet Explorer and Firefox cached login details; or
Block or redirect certain domains and websites (e.g., security sites).
Impact
A system infected with Dorkbot may be used to send spam, participate in DDoS
attacks, or harvest users' credentials for online services, including banking
services.
Solution
Users are advised to take the following actions to remediate Dorkbot
infections:
Use and maintain anti-virus software û Anti-virus software recognizes and
protects your computer against most known viruses. Even though Dorkbot is
designed to evade detection, security companies are continuously updating their
software to counter these advanced threats. Therefore, it is important to keep
your anti-virus software up-to-date. If you suspect you may be a victim of
Dorkbot, update your anti-virus software definitions and run a full-system
scan. (See Understanding Anti-Virus Software for more information.)
Change your passwords û Your original passwords may have been compromised
during the infection, so you should change them. (See Choosing and Protecting
Passwords for more information.)
Keep your operating system and application software up-to-date û Install
software patches so that attackers cannot take advantage of known problems or
vulnerabilities. You should enable automatic updates of the operating system if
this option is available. (See Understanding Patches for more information.)
Use anti-malware tools û Using a legitimate program that identifies and removes
malware can help eliminate an infection. Users can consider employing a
remediation tool (see example below) to help remove Dorkbot from their systems.
Disable Autorun¡ û Dorkbot tries to use the Windows Autorun function to
propagate via removable drives (e.g., USB flash drive). You can disable Autorun
to stop the threat from spreading.
Microsoft
http://www.microsoft.com/security/scanner/en-...
The above example does not constitute an exhaustive list. The U.S. Government
does not endorse or support any particular product or vendor.
References
Microsoft Malware Protection Center û Worm: Win32/Dorkbot
Microsoft Malware Protection Center û Microsoft assists law enforcement to help
disrupt Dorkbot botnets
Revision History
December 3, 2015: Initial Publication
-------------------------------------------------------------------------------
-
This product is provided subject to this Notification and this Privacy & Use
policy.
-------------------------------------------------------------------------------
-
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this
message since this email was sent from a notification-only address that is not
monitored. To ensure you receive future US-CERT products, please add
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates
SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help
-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW
Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery
=== Cut ===
--
Guardien Fide :^)
Ben aka cMech Web: http://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1
--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)
|
Anti-Virus Discussion & News... 
