U.S. Department of Homeland Security US-CERT   
      
   National Cyber Awareness System:   
      
   TA15-337A: Dorkbot   
   12/03/2015 06:40 PM EST   
      
      
   Original release date: December 03, 2015   
      
   Systems Affected   
   Microsoft Windows   
      
   Overview   
   Dorkbot is a botnet used to steal online payment, participate in distributed   
   denial-of-service (DDoS) attacks, and deliver other types of malware to   
   victims’ computers. According to Microsoft, the family of malware used in this   
   botnet “has infected more than one million personal computers in over 190   
   countries over the course of the past year.” The United States Department of   
   Homeland Security (DHS), in collaboration with the Federal Bureau of   
   Investigation (FBI) and Microsoft, is releasing this Technical Alert to   
   provide further information about Dorkbot.   
      
   Description   
   Dorkbot-infected systems are used by cyber criminals to steal sensitive   
   information (such as user account credentials), launch denial-of-service (DoS)   
   attacks, disable security protection, and distribute several malware variants   
   to victims’ computers. Dorkbot is commonly spread via malicious links sent   
   through social networks instant message programs or through infected USB   
   devices.   
      
   In addition, Dorkbot’s backdoor functionality allows a remote attacker to   
   exploit infected system. According to Microsoft’s analysis, a remote attacker   
   may be able to:   
      
   Download and run a file from a specified URL;   
   Collect logon information and passwords through form grabbing, FTP, POP3, or   
   Internet Explorer and Firefox cached login details; or   
   Block or redirect certain domains and websites (e.g., security sites).   
   Impact   
   A system infected with Dorkbot may be used to send spam, participate in DDoS   
   attacks, or harvest users' credentials for online services, including banking   
   services.   
      
   Solution   
   Users are advised to take the following actions to remediate Dorkbot   
   infections:   
      
   Use and maintain anti-virus software – Anti-virus software recognizes and   
   protects your computer against most known viruses. Even though Dorkbot is   
   designed to evade detection, security companies are continuously updating   
   their software to counter these advanced threats. Therefore, it is important   
   to keep your anti-virus software up-to-date. If you suspect you may be a   
   victim of Dorkbot, update your anti-virus software definitions and run a   
   full-system scan. (See Understanding Anti-Virus Software for more information.)   
   Change your passwords – Your original passwords may have been compromised   
   during the infection, so you should change them. (See Choosing and Protecting   
   Passwords for more information.)   
   Keep your operating system and application software up-to-date – Install   
   software patches so that attackers cannot take advantage of known problems or   
   vulnerabilities. You should enable automatic updates of the operating system   
   if this option is available. (See Understanding Patches for more information.)   
   Use anti-malware tools – Using a legitimate program that identifies and   
   removes malware can help eliminate an infection. Users can consider employing   
   a remediation tool (see example below) to help remove Dorkbot from their   
   systems.    
   Disable Autorun­ – Dorkbot tries to use the Windows Autorun function to   
   propagate via removable drives (e.g., USB flash drive). You can disable   
   Autorun to stop the threat from spreading.   
   Microsoft   
   http://www.microsoft.com/security/scanner/en-us/default.aspx   
      
   The above example does not constitute an exhaustive list. The U.S. Government   
   does not endorse or support any particular product or vendor.   
      
   References   
   Microsoft Malware Protection Center – Worm: Win32/Dorkbot   
   Microsoft Malware Protection Center – Microsoft assists law enforcement to   
   help disrupt Dorkbot botnets   
   Revision History   
   December 3, 2015: Initial Publication   
      
   ----------------------------------------------------------------   
   -------------- -   
      
   This product is provided subject to this Notification and this Privacy & Use   
   policy.   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or have questions, please send an email to info@us-cert.gov. Do not reply to   
   this message since this email was sent from a notification-only address that   
   is not monitored. To ensure you receive future US-CERT products, please add   
   US-CERT@ncas.us-cert.gov to your address book.   
   OTHER RESOURCES:   
   Contact Us | Security Publications | Alerts and Tips | Related Resources   
   STAY CONNECTED:   
   Sign up for email updates   
      
   SUBSCRIBER SERVICES:   
   Manage Preferences  |  Unsubscribe  |  Help   
      
      
   ----------------------------------------------------------------   
   -------------- -   
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf   
   of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray   
   Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery   
      
   === Cut ===   
      
      
   --   
   Guardien Fide   :^)   
      
      Ben  aka cMech  Web: http://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)