CRTC, RCMP, white hats knock out Dorkbot botnet

The Win32/Dorkbot infrastructure, including its command and control servers in Asia, Europe and North America, was knocked out, and domains associated with the botnet were seized.

In Canada, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it served its first-ever warrant under the Canadian Anti-Spam Legislation (CASL) as part of the international takedown. The warrant was served to take down a command and control server located in Toronto.

“We are pleased to work alongside our partners during this investigation to mitigate the harm caused to Canadians and citizens in other countries by Dorkbot,” Manon Bombardier, CRTC chief compliance and enforcement officer, said in a statement. “These were very egregious botnets that are used for illicit activities and can lead to identity theft and fraud. This operation shows that partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats.”

Among the agencies that took part in the operation were the CRTC, the Royal Canadian Mounted Police (RCMP), Public Safety Canada and the Canadian Cyber Incident Response Centre (CCIRC), the United States Federal Bureau of Investigation, Interpol, Europol, Microsoft Inc., Slovakia-based IT security company ESET and the Polish division of the software engineering institute CERT.

ESET said it “sinkholed” the known command and control servers of the botnet. Sinkholing is a tactic used to redirect traffic from infected machines to a system under the control of a defender or researcher. Internal sinkholing is used to identify infected machines on a network and cut connections with the botnet.
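The internal variant of sinkholing described above can be reduced to a small piece of resolver logic: answer lookups for known command and control names with an address the defender controls, and keep a record of which internal host asked. The following is an added example written for this page, not code from ESET or from the takedown operation; the blocklisted domain names are constructed placeholders (not real Dorkbot indicators), the sinkhole address and the upstream answer are assumed, and the query log lines are constructed.

```python
"""Internal DNS sinkhole: answer queries for known C2 domains with a
defender-controlled address and record which internal hosts asked."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed blocklist: placeholder names, not real Dorkbot indicators.
KNOWN_C2_DOMAINS = {"c2-one.invalid", "c2-two.invalid"}
# Assumed address of the defender's own sinkhole host.
SINKHOLE_IP = "10.255.255.1"
# Constructed stand-in for normal upstream resolution.
UPSTREAM = {"update.vendor.example": "203.0.113.10"}


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def is_sinkholed(name: str) -> bool:
    """True if the name, or any parent domain of it, is on the blocklist,
    so that sub-labels in front of a listed domain are caught as well."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in KNOWN_C2_DOMAINS for i in range(len(labels)))


@dataclass
class Sinkhole:
    """Resolver front-end that records sightings per querying client."""
    sightings: dict = field(default_factory=lambda: defaultdict(set))

    def answer(self, client_ip: str, name: str):
        """Return the address to hand back for this query; blocklisted names
        get the sinkhole address and the client is recorded as a sighting."""
        if is_sinkholed(name):
            self.sightings[client_ip].add(normalize(name))
            return SINKHOLE_IP
        return UPSTREAM.get(normalize(name))  # None: no answer in this toy upstream

    def infected_hosts(self) -> dict:
        """Map each client that asked for a C2 name to the names it asked for."""
        return {ip: sorted(names) for ip, names in self.sightings.items()}


def replay_log(lines):
    """Feed constructed query-log lines ('timestamp client qtype name') through
    the sinkhole and return the resulting list of suspect hosts."""
    sinkhole = Sinkhole()
    for line in lines:
        _ts, client, _qtype, name = line.split()
        sinkhole.answer(client, name)
    return sinkhole.infected_hosts()


# Constructed sample log: two hosts touch C2 names, one only reaches an update server.
SAMPLE_LOG = [
    "2015-12-03T10:15:02Z 192.168.1.23 A c2-one.invalid",
    "2015-12-03T10:15:05Z 192.168.1.23 A update.vendor.example",
    "2015-12-03T10:16:40Z 192.168.1.77 A update.vendor.example",
    "2015-12-03T10:17:11Z 192.168.1.23 A x.c2-two.invalid",
    "2015-12-03T10:18:00Z 192.168.1.90 AAAA c2-one.invalid.",
]

if __name__ == "__main__":
    for host, names in replay_log(SAMPLE_LOG).items():
        print(f"{host} asked for C2 names: {', '.join(names)}")
```

The parent-domain match in `is_sinkholed` matters because infected machines often query sub-labels of a listed domain; an exact-string match would miss them, while matching a listed domain that merely appears inside a longer unrelated name (the reverse case) is deliberately not treated as a hit.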

Win32/Dorkbot is distributed via various channels such as social networks, spam, removable media and exploit kits, according to ESET, which shared with the team its technical analysis as well as information about known command and control servers’ domains and IP addresses.

The company said Win32/Dorkbot has been around in different forms for several years and is still “very prevalent.”

“Once installed on a machine, Win32/Dorkbot will try to disrupt the normal operation of security software by blocking access to their update servers and will then connect to an IRC server to receive further command,” ESET said in a post on its Web site. “…Besides being a password stealer, targeting popular services such as Facebook and Twitter, Dorkbot typically installs code from one of several other malware families soon after it gains control of a given system.”