MSRT March 2012: breaking bad

From Botnets.fr


Botnet: Dorkbot
Malware: Hioles, Pluzoks, Yeltminky, EyeStye, Dorkbot_(bot)
Date: 13 Mar 2012
Editor/Conference: Microsoft
Link: http://blogs.technet.com/b/mmpc/archive/2012/03/13/msrt-march-2012-breaking-bad.aspx (Archive copy)
Author: Rex Plantado

Abstract

This month, the MMPC added Win32/Dorkbot to the Microsoft Malicious Software Removal Tool along with detections for the threats Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.

Win32/Dorkbot is described as an IRC-based botnet and a worm, a backdoor with rootkit capability and a password stealer. Despite using a very simple IRC protocol to communicate with the command and control (C&C) server, it was able to build a substantial installation base after a couple of years in operation. Some might compare Win32/Dorkbot with the infamous Win32/EyeStye due to some similarities in their behavior and advanced features.

Dorkbot implements an advanced user-level rootkit that is very similar to the hooking technique used by EyeStye. The hooking is used to hide its registry and file components from users who are not running rootkit detection software. Both threats appear to have a dedicated development team, and both can also steal users' credentials, which may include personal and banking information, via a form grabbing technique.

For an attacker, the Dorkbot malware is simpler to configure and control, less aggressive and less expensive to own than EyeStye. It also uses the IRC protocol exclusively, while EyeStye is a complex botnet with a changeable communication protocol, ranging from P2P and UDP to a custom protocol.

Bibtex

 @misc{Plantado2012BFR936,
   editor = {Microsoft},
   author = {Rex Plantado},
   title = {MSRT March 2012: breaking bad},
   date = {13},
   month = Mar,
   year = {2012},
   howpublished = {\url{http://blogs.technet.com/b/mmpc/archive/2012/03/13/msrt-march-2012-breaking-bad.aspx}},
 }