Geek magazine hacker daily blog

2 years, 11 months ago
We welcome readers of the blog iCover! In December of this year the group on fight against cybercrime integrating specialists of Microsoft Cybercrime Center, the Polish bureau CERT, the ESET company, representatives of FBI, Interpol, Europol and other services Computer Emergency Response from several countries performed large-scale operation on neutralization of the botnet Win32/Dorkbot which struck computers of users from more than 200 countries of the world. In article you will find the reference to a small applet of ESET which will allow to check the computer and, if necessary, to delete a malware.


Virus analysts of ESET submitted the technical analysis of the malicious application Win32/Dorkbot from which users more than in 200 countries of the world suffered. The program for check of the computer and removal of Dorkbot at the end of article.

The malware extends mainly through social networks, sets of exploits, spam mailing in letters of e-mail and removable mediums. Being installed on the PC, Dorkbot promotes failures in work of an anti-virus software, blocks their updating, receives instructions from malefactors on the IRC protocol.

"Scales of distribution of Dorkbot, without exaggeration, purchased the menacing character. The number of users, whose computers monthly are exposed to infection with the latest version of Dorkbot at the time of carrying out operation reached 100 000". — told Tangmai Gangacharya (Tanmay Ganacharya), the chief research supervisor of Malware Microsoft Protection Center (MMPC).

The malware steals passwords from services of Facebook and Twitter, installation of other malicious software is promoted, in particular by software for carrying out DDoS-attacks — Win32/Kasidet and spam bot of Win32/Lethic. Very considerable number of samples of Dorkbot was revealed on removable mediums.

Specialists found out that at start of a dropper of Dorkbot from the USB carrier the malware tries to load a principal component of a malicious application from a remote server. And the address of the server is sewn up in the performed file of a dropper. After loading the code of the file performs the Win32/Dorkbot.L file — a wrapper for installation of a principal component Win32/Dorkbot.B.

Win32/Dorkbot.B, in turn, is responsible for interaction with a remote server on IRC. The wrapper of Win32/Dorkbot.L intercepts the DnsQuery API-function at a principal component. Such method to some extent complicates detection of original managing servers of malefactors.

Upon installation the bot tries to be connected to IRC – the server and receives commands from the operators on the fixed channel. Most often Dorkbot transfers commands for loading and execution of new malicious software. "After the device is infected, the malicious application literally communicates with criminals and waits from them for instructions on what from it will be required," — Richard Boshkovich, the assistant to the general counsel on digital crimes in Microsoft (DCU) told. "Millions of machines, quantity of ping between these infected devices and servers providing them instructions just are infected stuns. We can sometimes speak about billions of ping day".

For suppression of activity of Dorkbot specialists from the center for fight against cybercrime of Microsoft Cybercrime Center used analytical software, working in "cloud", every second processing huge information volumes and allowing to visualize process of distribution of threats. By results of the program analysis specialists came to an unfavourable conclusion: speed of distribution of an infection appeared twice more, than they assumed. The coordinated blow to a virus was struck in December of this year.

Servers through whom the malicious software extended were switched physically-off. After blocking of primary servers the traffic of a botnet was redirected on the protected servers under control of Microsoft that allowed to identify the infected computers, to notify their users and to instruct on algorithm of neutralization of a virus and further measures for counteraction to infection.

Use of a cloud technology of Microsoft Azure allowed to provide necessary computational capability. The data obtained in the course of research of a botnet, in turn, gave the chance to take some measures for increase of level of protection of the Azure Active Directory Premium service. This service provides IT — to administrators up-to-date information for providing the required security level, informs them on attempts of the infected devices to be connected to a corporate network and allows to be protected from large-scale attacks.

As well as Microsoft, virus laboratories ESET almost daily receive the modified malware samples from users. For check of the computer on presence of Dorkbot and its subsequent removal of ESET suggests to use a small free applet of Dorkbot Cleaner which can be downloaded here. After downloading of the program scanning, as a rule, takes less than a minute.

Learn more

Dear readers, we always with pleasure meet and we wait for you on pages of our blog. We are ready to share further with you the latest news, review articles and other publications and we will try to do everything possible in order that time spent with us was for you useful. And, of course, do not forget to subscribe for our headings.

Специальная подборка Новогодних подарков от iCover

Other our articles and events

This article is a translation of the original post at
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here:

We believe that the knowledge, which is available at the most popular Russian IT blog, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.
Best wishes.