Dorkbot (malware)
Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook.
Functionality
Dorkbot’s backdoor functionality allows a remote attacker to exploit an infected system. According to an analysis by Microsoft, a remote attacker may be able to:[1]
- Download and run a file from a specified URL;
- Collect logon information and passwords through form grabbing, from FTP and POP3 traffic, or from cached Internet Explorer and Firefox login details; or
- Block or redirect certain domains and websites (e.g., security sites).
Impact
A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users' credentials for online services, including banking services.[1]
Prevalence
Between May and December of 2015, the Microsoft Malware Protection Center detected Dorkbot on an average of 100,000 infected machines each month.[2]
History
On December 7, 2015, the FBI and Microsoft, in a joint task force, took down the Dorkbot botnet.[3]
Remediation
In 2015, the U.S. Department of Homeland Security advised the following actions to remediate Dorkbot infections:[1]
- Use and maintain anti-virus software
- Change your passwords
- Keep your operating system and application software up-to-date
- Use anti-malware tools
- Disable AutoRun
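The following PowerShell script is an added example, not part of the article or of any cited advisory: it applies the "Disable AutoRun" step from the list above by setting the NoDriveTypeAutoRun policy value, and it reviews the hosts file for the kind of domain blocking or redirection described under Functionality. It assumes a Windows host and an elevated PowerShell session; the registry path and the 0xFF value are Microsoft's documented policy for disabling AutoRun on all drive types.

```powershell
# Added example (not from the article): apply the AutoRun hardening step from the
# remediation list and review the hosts file for domain redirection. Run elevated.

# 0xFF disables AutoRun for every drive type (Microsoft-documented policy value).
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-AutoRunDisabled {
    param([string]$Key)
    $value = (Get-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $value -and $value -eq 0xFF)
}

function Disable-AutoRun {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

foreach ($key in $autorunKeys) {
    if (Test-AutoRunDisabled $key) {
        Write-Host "AutoRun already disabled under $key"
    } else {
        Write-Host "AutoRun not fully disabled under $key; setting NoDriveTypeAutoRun=0xFF"
        Disable-AutoRun $key
    }
}

# Hosts-file review: blocking or redirecting a site shows up as a hosts entry that
# maps a hostname either to a non-loopback address (redirect) or to loopback
# (block). Entries are only reported so an administrator can review them.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback = @('127.0.0.1', '::1')
Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # strip comments; skip blank lines
    if ($line -eq '') { return }
    $fields = $line -split '\s+'
    if ($fields.Length -lt 2) { return }       # address with no hostname: nothing to map
    $address = $fields[0]
    $names = $fields[1..($fields.Length - 1)]
    $nonLocal = $names | Where-Object { $_ -ne 'localhost' }
    if (($loopback -notcontains $address) -or $nonLocal) {
        Write-Host "Review hosts entry: $address -> $($names -join ', ')"
    }
}
```

A clean Windows hosts file contains only comments, so the review section prints nothing on an unmodified system.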
References
- 1. "TA15-337A: Dorkbot". National Cyber Awareness System, U.S. Department of Homeland Security. December 3, 2015.
- 2. "Microsoft assists law enforcement to help disrupt Dorkbot botnets". Microsoft Malware Protection Center. December 3, 2015.
- 3. "FBI, Microsoft and Computer Emergency Response Team Polska Takes Down Global DorkBot Malware Botnet". Geek Inspector. December 7, 2015.