Hieronymus Ukkel - Fotolia
An international operation involving law enforcement organisations, government cyber security teams and private organisations has targeted the Dorkbot botnet.
Europol, Interpol, the US department of homeland security, the US National Cyber Investigative Joint Taskforce and the FBI partnered with Microsoft and other private sector organisations to disrupt the Dorkbot infrastructure, including command and control servers in Asia, Europe, and North America. This included seizing domains to disrupt the botnet operators’ capacity to control their victims’ computers.
Disruptive action has been pioneered by Microsoft, which is one of several private sector businesses that took part in the operation.
The UK’s National Crime Agency’s cyber crime unit has indicated that collaboration with private sector companies is one of its key strategies to tapping into the skills and resources vital to international cyber crime fighting.
Win 32 Dorkbot is one of the world’s most widespread malware families and is thought to have infected millions of computers in 190 countries since 2011.
Commonly spread via USB flash drives, instant messaging and social networks, Dorkbot causes damage by opening a backdoor on the infected computer, allowing for remote access and potentially turning it into a botnet.
Once installed on a computer, the Dorkbot malware tries to disrupt the normal operation of security software by blocking access to its update servers and will then connect to an internet relay chat (IRC) server to receive further commands, said Jean-Ian Boutin, a malware researcher at security firm Eset, which took part in the operation.
“Eset shared technical analyses and statistical information about the malware and provided the domains and internet addresses of the botnet’s command and control servers,” he said.
Read more about collaboration between business and law enforcement
Besides being a password stealer targeting popular services such as Facebook and Twitter, Dorkbot typically installs code from one of several other malware families soon after it gains control of a given system.
“As we’ve seen thousands of detections every week coming from almost all parts of the world and there are fresh samples arriving daily, Dorkbot seemed like a viable target for a disruption effort,” added Boutin.
Wil van Gemert, Europol's deputy director operations, said: “Botnets like Dorkbot have victimised users worldwide, which is why a global law enforcement team approach working with the private sector is so important.”
According to Van Gemert, the one positive thing to come from cyber crime is that is bringing more law enforcement organisations together.“We are moving from bi-lateral co-operation into an era of multi-lateral co-operation in law enforcement to get a much broader picture of what is going on,” he said.
To detect and remove this threat and other malicious software, Europol’s European Cyber Crime Centre (EC3) said internet users should run a full-system scan using up-to-date security software.
EC3 also recommends using and maintaining antivirus software, changing passwords, keeping all software up to date, and using tools to identify and remove malware.