Dorkbot

Original Issue Date:- January 22, 2016
Virus Type:- Worm
Severity:- High

It has been observed that variants of the malware named “Dorkbot”, targeting Windows operating systems, are spreading. The malware belongs to a family of worms with backdoor functionality and spreads through various vectors, including drive-by-download attacks, social networking sites, compromised websites hosting browser exploits, removable drives (via autorun exploits), and malicious links sent in instant messaging chats (MSN, Pidgin, Xchat) or IRC chats.

The malware is capable of performing the following functions:

  • Steals sensitive information from the infected machine, including stored passwords, browser data, cookies, etc.
  • Installs other malicious binaries to take complete control of the affected system.
  • Uses process injection or overwrites genuine Windows files to hide itself.
  • Intercepts browsers and launches man-in-the-middle attacks by hooking various APIs within Firefox and IE.
  • Collects system information such as OS version, user privileges, and applications installed on the system.
  • Makes network connections or joins IRC channels to execute commands issued by the attacker.
  • Gives the attacker remote access to the infected machine.
  • Blocks access to certain websites based on strings in their domain names, especially antivirus vendors' websites.
  • Injects iframes into HTML files found on the victim's machine.
  • Launches DDoS attacks (SYN, UDP and Slowloris floods).
  • Updates or uninstalls itself.

Aliases: BDS/Backdoor.Gen [AntiVir], Win32:Ruskill-EG [Avast], Worm/Generic2.ASJP [AVG], Worm.Dorkbot.A [BitDefender], Worm.Dorkbot.A [Emsisoft], Win32/Dorkbot.B [ESET], worm.Win32.Ngrbot.byu [Kaspersky], W32/IRCbot.gen.ax [McAfee], Worm:Win32/Dorkbot.A [Microsoft], Dorkbot.U [Norman], W32/Lolbot.R.worm [Panda], W32.IRCBot.NG [Symantec], worm_DORKBOT [TrendMicro].


Indicators of Infection

File system changes:

Malware may arrive on the victim’s machine with the following names:

  • facebook-profile-pic--JPEG.exe
  • facebook-pic00.exe
  • skype__foto.exe, where the part between the underscores is the day, month, and year, for example "skype_06102012_foto.exe"
  • skype__foto.exe, where the part between the underscores is the day, month, and year with separators, for example "skype_09-10-2012_image.exe"

During installation, the malware makes a copy of itself in the following location:
Location: %Appdata%
Filename: .exe, with the name derived from the HDD serial number, e.g.

Registry changes:

The malware creates a registry entry for itself so that it is executed at every system reboot. The registry entry made by the malware is as follows:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%appdata%\ozkqke.exe"

Code injection:
To hide from detection by antivirus solutions, the malware injects its code into the processes of the following files:

  • cmd.exe
  • ipconfig.exe
  • regedit.exe
  • regsvr32.exe
  • rundll32.exe
  • verclsid.exe
  • explorer.exe

API Hooking:
To retain control over the files used for process injection, the malware hooks the following functions relating to those files, preventing the infected user from viewing or tampering with them. Some of the APIs hooked are:

  • CopyFileA/W
  • DeleteFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • DnsQuery_W
  • GetAddrInfoW
  • HttpSendRequestA
  • HttpSendRequestW
  • PR_Write
  • RegCreateKeyExA
  • RegCreateKeyExW
  • RtlAnsiStringToUnicodeString
  • URLDownloadToFileA
  • URLDownloadToFileW

File System Changes in Removable Drives:
This worm creates the following folders in all removable drives:

  • {drive letter}:\RECYCLER

It drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\RECYCLER\{random characters}.exe

Network Communications:
The malware makes network connections to IRC servers to receive commands. Some of the IRC server domains used by the malware are:

  • Lovealiy[dot]com
  • av.shannen[dot]cc
  • shuwhyyu[dot]com
  • syegyege[dot]com

The IRC nickname used by the malware is generated according to the following format:
n{(country code)|(OS version)(user type)}{random string}
where:
  • n: constant
  • Country code: two-letter country code
  • OS version: XP, 2K3, VIS, 2K8, W7, ERR (Error), etc.
  • User type: 'a' (administrator) or 'u' (user)
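As an added example (not part of this advisory), the following Python check parses IRC NICK commands from captured client-to-server traffic and flags nicknames that follow the format above, extracting the country, OS and privilege fields for triage. The sample lines are constructed, and the accepted OS-token pattern is an assumption based on the values listed.

```python
"""Flag IRC NICK commands whose nickname matches the Dorkbot format
n{<country code>|<OS version><user type>}<random string>.

Added example for this advisory; sample lines are constructed."""
import re
from typing import Optional

# Country code: two uppercase letters. OS version: 2-3 alphanumerics
# (covers XP, 2K3, VIS, 2K8, W7, ERR; the advisory says "etc", so the
# width is an assumption). User type: 'a' (admin) or 'u' (user).
NICK_RE = re.compile(
    r"^n\{(?P<cc>[A-Z]{2})\|(?P<os>[A-Z0-9]{2,3})(?P<utype>[au])\}"
    r"(?P<rand>[A-Za-z0-9]+)$"
)

# Constructed IRC lines as they might appear in a proxy or IDS log.
SAMPLE_LINES = [
    "NICK n{US|W7a}dfgqwrt",
    "NICK n{IN|XPu}zxcvbnm",
    "NICK alice",
    "USER foo 8 * :bar",
    "NICK :n{DE|ERRu}qwe123",   # some clients prefix the trailing param with ':'
    "PRIVMSG #chan :hello",
]


def parse_dorkbot_nick(nick: str) -> Optional[dict]:
    """Return the decoded fields if `nick` matches the Dorkbot format, else None."""
    m = NICK_RE.match(nick.lstrip(":"))
    if not m:
        return None
    return {
        "country": m.group("cc"),
        "os": m.group("os"),
        "is_admin": m.group("utype") == "a",
        "random": m.group("rand"),
    }


def scan_irc_lines(lines):
    """Return one hit per NICK command carrying a Dorkbot-style nickname."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "NICK":
            info = parse_dorkbot_nick(parts[1])
            if info:
                hits.append({"line": line, **info})
    return hits


if __name__ == "__main__":
    for hit in scan_irc_lines(SAMPLE_LINES):
        print(hit)
```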

The malware connects to "api.wipmania.com" to gather information about the infected machine, such as its current IP address and location.

Once the remote connection is established, the malware is capable of performing DDoS attacks using SYN or UDP floods against a target specified by the remote attacker. The attacker may also instruct the malware to prevent the user from downloading specific file types, such as .exe, .com, .pif or .scr files.

Countermeasures:

  • Remove the system changes made by the malware, such as created files, registry entries and services.
  • Monitor and block traffic from client machines to the domains and IP addresses mentioned above.
  • Set the Internet and Local intranet security zone settings to "High" to block ActiveX controls and Active Scripting in these zones.
  • Scan infected systems with an updated antivirus solution.
  • Disable Autorun and Autoplay policies.
  • Use limited-privilege user accounts on computers, and grant administrative access only through dedicated administrative accounts.
  • Limit or eliminate the use of shared or group accounts.
  • Do not visit untrusted websites.
  • Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Install anti-malware engines, keep them up to date, and scan regularly.
  • Isolate compromised computers quickly to prevent the threat from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Configure your email server to block or remove emails containing file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Disable unnecessary services on agency workstations and servers.
