Infections of the botnet occurred through Win32/Dorkbot variants, which in total have infected more than one million systems in 190 countries. Microsoft had been monitoring the development of Dorkbot since 2011. It is not entirely clear why the large-scale action is being taken now, but Microsoft states that 100,000 new infections have been observed in the past six months, so fear of further growth may be the reason for the action. The campaign involved Europol, Interpol, the FBI, ESET, Canadian, Albanian and Montenegrin authorities, and the Polish and American CERTs.

The action was directed against Dorkbot's infrastructure. It is not clear whether arrests have been made or how heavy a blow has been dealt. Probably command & control servers were taken offline. It is difficult to take botnets completely offline; typically the possibility remains that they are revived.
Dorkbot was particularly active in Indonesia, India and Malaysia, although Microsoft's heatmap also shows many detections in Europe, the US and Brazil. Infections occur through NgrBot, a kit that attackers can purchase on underground forums. The kit includes the software and documentation on how to deploy the malware. Communication and file distribution between the management server and the infected systems takes place over IRC.
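Because the article states that Dorkbot's command and control traffic runs over IRC, the practical check for a network defender is whether internal hosts are opening outbound IRC connections at all, since few corporate workstations have a legitimate reason to. The script below is an added example and is not code from the article, from Microsoft or from any of the organisations named; the connection-log format, the sample log lines, the internal address ranges and the choice of the standard IRC ports 6667 and 6697 are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Standard IRC ports (6667 plaintext, 6697 TLS). Assumed for this example;
# a real botnet may use any port, so treat this as a first-pass filter only.
IRC_PORTS = {6667, 6697}

# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample firewall/NetFlow-style log, not real traffic.
# Addresses are from documentation ranges (TEST-NET).
SAMPLE_LOG = """\
2015-12-03T10:01:12Z src=10.0.5.21 dst=203.0.113.7 dport=6667 proto=tcp bytes=1480
2015-12-03T10:01:15Z src=10.0.5.21 dst=93.184.216.34 dport=443 proto=tcp bytes=9120
2015-12-03T10:02:40Z src=10.0.7.9 dst=198.51.100.44 dport=6697 proto=tcp bytes=512
2015-12-03T10:03:01Z src=10.0.5.21 dst=203.0.113.7 dport=6667 proto=tcp bytes=220
2015-12-03T10:04:55Z src=192.168.1.5 dst=192.168.1.10 dport=6667 proto=tcp bytes=300
2015-12-03T10:05:30Z src=10.0.9.2 dst=198.51.100.44 dport=80 proto=tcp bytes=4000
"""

# Assumed key=value log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_irc_egress(log_text):
    """Return {src: [(ts, dst, dport), ...]} for internal hosts that connect
    outbound to an IRC port. Internal-to-internal IRC (e.g. an in-house
    chat server) is deliberately excluded."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash a batch job
        if (rec["dport"] in IRC_PORTS
                and is_internal(rec["src"])
                and not is_internal(rec["dst"])):
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    return dict(hits)


def repeat_contacts(hits, min_count=2):
    """Collapse hits into {(src, dst, dport): count} and keep only pairs seen
    at least min_count times; repeated contact with one external IRC server
    is the pattern worth escalating first."""
    counts = defaultdict(int)
    for src, events in hits.items():
        for _ts, dst, dport in events:
            counts[(src, dst, dport)] += 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == "__main__":
    found = find_irc_egress(SAMPLE_LOG)
    for src, events in found.items():
        print(f"{src}: {len(events)} outbound IRC connection(s)")
    for (src, dst, dport), n in repeat_contacts(found).items():
        print(f"repeated: {src} -> {dst}:{dport} x{n}")
```

Run on the constructed log, the script flags 10.0.5.21 (two connections to the same external host on 6667) and 10.0.7.9 (one on 6697), while ignoring the internal-to-internal IRC line and the ordinary HTTPS and HTTP traffic. A hit is a lead, not a verdict: confirm with endpoint anti-malware and, if the host is infected, treat the external address as the command and control server to block.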
Most AV suites now detect the Dorkbot malware. Microsoft recommends caution when opening emails and instant messages from strangers, downloading software only from the developer's own site, and running anti-malware software regularly to prevent infection.