Backdoor.IRCBot.Dorkbot
Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook. ''Code Shikara'' is a computer worm, related to the Dorkbot family, that attacks through social engineering. Particularly prevalent in 2015, Dorkbot-infected systems were variously used to send spam, participate in DDoS attacks, or harvest users' credentials.


Functionality

Dorkbot's backdoor functionality allows a remote attacker to exploit infected systems. According to an analysis by Microsoft and Check Point Research, a remote attacker may be able to:
* Download and run a file from a specified URL;
* Collect login information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; or
* Block or redirect certain domains and websites (e.g., security sites).
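The page says an infected host may have security sites blocked or redirected but does not say how Dorkbot implements that. The following is an added example, not Dorkbot's code and not from the Microsoft or Check Point analyses: it assumes the block is expressed in the Windows hosts file (one common place to look; a clean hosts file does not rule out hooking of DNS APIs) and flags entries for an assumed watchlist of security-vendor domains. The sample hosts content and the watchlist are constructed for the example.

```python
"""Hunt for hosts-file entries that block or redirect security-vendor sites.

Added example, not Dorkbot's code. The block/redirect mechanism is assumed
to be the hosts file; the watchlist and sample content are constructed.
"""
import ipaddress

# Assumed watchlist: vendors named on this page. Subdomains match too.
WATCHLIST = ("microsoft.com", "checkpoint.com", "sophos.com", "bitdefender.com")

# Constructed sample hosts file. 198.51.100.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.microsoft.com
0.0.0.0   update.microsoft.com
127.0.0.1 www.sophos.com  # blocked
198.51.100.7 www.bitdefender.com
192.168.1.10 fileserver.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not an address/host mapping
        for host in parts[1:]:
            yield ip, host.lower(), lineno


def is_watched(host):
    """True if host is a watchlisted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_blocked_security_sites(text):
    """Return findings as dicts: host, ip, line and kind (blocked/redirected)."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if not is_watched(host):
            continue
        # Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) sinkholes the name;
        # anything else sends the victim somewhere the attacker chose.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"host": host, "ip": str(ip), "line": lineno, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a live Windows host, feed it the contents of `C:\Windows\System32\drivers\etc\hosts` instead of the constructed sample; an empty result is only evidence that this one mechanism is not in use.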


Impact

A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users' credentials for online services, including banking services.


Prevalence

Between May and December 2015, the Microsoft Malware Protection Center detected Dorkbot on an average of 100,000 infected machines each month.


Remediation

In 2015, the U.S. Department of Homeland Security advised the following actions to remediate Dorkbot infections:
* Use and maintain anti-virus software
* Change your passwords
* Keep your operating system and application software up-to-date
* Use anti-malware tools
* Disable AutoRun


History

In 2011, Code Shikara was first identified by the Danish cyber security company CSIS. The AV company Sophos reported in November 2011 that this threat mainly spreads itself through malicious links on the social network Facebook. In 2013, Bitdefender Labs caught and blocked the worm, which is capable of spying on users' browsing activities while stealing their personal online/offline information and/or credentials, commonly known as cybercrime.

The infection was originally flagged by the online backup service MediaFire, which detected that the worm was being distributed camouflaged as an image file. Despite the misleading extension, MediaFire successfully identified the malicious "image" as an .exe file: Code Shikara poses as a .jpeg image but is in fact an executable file. As an IRC bot, the malware is controlled by the attackers from a command and control server. Besides stealing usernames and passwords, the bot herder may also order additional malware downloads. MediaFire then took steps to address incorrect and misleading file extensions in an update, which identified specific file types and displayed a short description of each. To help users against this specific threat, the file sharing service also blocked files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe.

Like most malware, Backdoor.IRCBot.Dorkbot can update itself once installed on the victim's computer or other related devices. The biggest risk is that one of a user's Facebook contacts has already had their account compromised (through sloppy password security, or by granting access to a rogue application) and that the user is lured into clicking on a link seemingly posted by one of their friends. Although the links pretend to point to an image, a malicious screensaver is in fact hidden behind an icon of two blonde women. Once launched, the code attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website; all that remains is a message, apparently left by the intruders, that says:
:Hacked By ExpLodeMaSTer & By Ufuq
It is likely that they are using additional or other websites to continue spreading their attacks. Other popular baits that trick users into clicking malicious links include purported Rihanna or Taylor Swift sex tapes.

On December 7, 2015, the FBI and Microsoft, in a joint task force, took down the Dorkbot botnet.
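The two MediaFire countermeasures described above, classifying a file by its content rather than its name and refusing double extensions, can be reproduced in a few lines. The following is an added example and is not MediaFire's code or anything from the page's sources; the magic-number table is the standard one for PE, JPEG, PNG, GIF and BMP headers, the extension lists are an assumption, and the sample uploads are constructed.

```python
"""Flag uploads that pose as images but are Windows executables.

Added example, not MediaFire's code. Two checks: (1) refuse double
extensions ending in an executable type, e.g. photo.jpg.exe; (2) sniff the
leading bytes and refuse a file whose name claims an image type that the
content does not match, e.g. a PE file (starts with "MZ") named photo.jpeg.
Extension lists are assumptions; sample files are constructed.
"""
import os

# Executable-type suffixes a file host would not accept behind an image name.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# What an image extension promises the content type will be.
EXT_TO_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
               ".gif": "gif", ".bmp": "bmp"}

# Leading-byte signatures. PE files start with the DOS stub header "MZ".
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
]


def sniff(data):
    """Return a content type derived from the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(name):
    """All dotted suffixes, lowercased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_upload(name, data):
    """Return ('block', reason) or ('allow', sniffed_kind)."""
    exts = extensions(name)
    # Check 1: double extension whose final part is executable.
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS:
        return "block", "double extension " + "".join(exts)
    kind = sniff(data)
    # Check 2: name promises an image, bytes say otherwise (PE or unknown).
    if exts and exts[-1] in EXT_TO_KIND and kind != EXT_TO_KIND[exts[-1]]:
        return "block", f"named {exts[-1]} but content is {kind}"
    # Honest executables (.scr, .exe) are allowed here; a host would still scan them.
    return "allow", kind


# Constructed sample uploads: (filename, leading bytes).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "holiday.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "photo.jpeg": b"MZ\x90\x00" + b"\x00" * 16,      # renamed executable
    "screensaver.scr": b"MZ\x90\x00" + b"\x00" * 16,  # honest executable
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "cute.png": b"\x00" * 8,                          # not an image at all
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, detail = classify_upload(name, data)
        print(f"{name:18} {verdict:5} {detail}")
```

Check 2 is the one that matters against Code Shikara's .jpeg disguise: the extension is attacker-controlled, the first two bytes of a PE file are not. The double-extension rule is cheap but only catches the lazier variant, since a single misleading extension passes it.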


See also

* HackTool.Win32.HackAV
* US-CERT



External links


* Alert (TA15-337A) @ United States Computer Emergency Readiness Team (''US-CERT'')
* Technical information @ Microsoft
* Microsoft assists law enforcement to help disrupt Dorkbot botnets @ technet.microsoft.com