The Win32/Dorkbot infrastructure, including its command and control servers in Asia, Europe and North America, was knocked out, and domains associated with the botnet were seized.
In Canada, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it had served its first-ever warrant under the Canadian Anti-Spam Legislation (CASL) as part of the international takedown. The warrant was served to take down a command and control server located in Toronto.
“We are pleased to work alongside our partners during this investigation to mitigate the harm caused to Canadians and citizens in other countries by Dorkbot,” Manon Bombardier, CRTC chief compliance and enforcement officer, said in a statement. “These were very egregious botnets that are used for illicit activities and can lead to identity theft and fraud. This operation shows that partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats.”
Among the agencies that took part in the operation were the CRTC, the Royal Canadian Mounted Police (RCMP), Public Safety Canada and the Canadian Cyber Incident Response Centre (CCIRC), the United States Federal Bureau of Investigation, Interpol, Europol, Microsoft, Slovakia-based IT security company ESET and the Polish division of the software engineering institute CERT.
ESET said it “sinkholed” the known command and control servers of the botnet. Sinkholing is a tactic that redirects traffic from infected machines, which are still trying to reach the botnet’s domains or addresses, to a system under the control of a defender or researcher; the sinkhole then records which machines check in instead of serving them commands. Internal sinkholing applies the same idea inside an organization’s own DNS: known command and control names are resolved to an internal listener, which both cuts the infected machines off from the botnet and reveals which hosts on the network are infected.
Win32/Dorkbot is distributed via various channels such as social networks, spam, removable media and exploit kits, according to ESET, which shared its technical analysis with the takedown partners, along with the domains and IP addresses of the known command and control servers.
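The internal sinkholing described above, as an added example that is not code from ESET or the takedown operation: a resolver-side decision function that answers any listed command and control name (or a subdomain of one) with the defender's sinkhole address, plus a pass over query-log lines that lists the clients that asked for those names. The domain list, the sinkhole address and the BIND-style log lines are all constructed for the example; none are Dorkbot's real indicators.

```python
"""Minimal internal DNS sinkhole logic and the query-log review that goes with it.

Added example, not part of the original article. The C2 domains, sinkhole
address and log lines below are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Hypothetical command and control names an analyst would load from threat intel.
C2_DOMAINS = {"c2-example.invalid", "update-proxy.example"}

# Defender-controlled listener that sinkholed clients are pointed at (assumed).
SINKHOLE_IP = "10.0.0.250"


def normalize(qname: str) -> str:
    """Lower-case a query name and drop the trailing dot that DNS loggers add."""
    return qname.lower().rstrip(".")


def sinkhole_answer(qname: str, blocklist: Iterable[str] = C2_DOMAINS) -> Optional[str]:
    """Return SINKHOLE_IP if qname is a listed domain or any subdomain of one.

    Returns None when the name should be resolved normally. The match walks
    the label chain rather than doing a substring test, so
    'bot.c2-example.invalid' is caught but 'c2-example.invalid.other.test' is not.
    """
    blocked = set(blocklist)
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return SINKHOLE_IP
    return None


# Constructed BIND-style query-log format:
#   client 192.168.1.23#51234: query: bot.c2-example.invalid IN A +
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_infected(log_lines: Iterable[str],
                  blocklist: Iterable[str] = C2_DOMAINS) -> Dict[str, List[str]]:
    """Map each client that asked for a sinkholed name to the names it asked for."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore
        if sinkhole_answer(m["qname"], blocklist) is None:
            continue  # ordinary lookup
        ipaddress.ip_address(m["ip"])  # reject malformed addresses before reporting
        hits[m["ip"]].add(normalize(m["qname"]))
    return {ip: sorted(names) for ip, names in sorted(hits.items())}


# Constructed sample log: two clients touch C2 names, one does not.
SAMPLE_LOG = [
    "client 192.168.1.23#51234: query: bot.c2-example.invalid IN A +",
    "client 192.168.1.23#51240: query: www.example.org IN A +",
    "client 192.168.1.77#40001: query: UPDATE-PROXY.EXAMPLE. IN A +",
    "client 192.168.1.9#33333: query: mail.example.org IN MX +",
    "not a query log line at all",
]

if __name__ == "__main__":
    for ip, names in find_infected(SAMPLE_LOG).items():
        print(f"{ip} asked for sinkholed names: {', '.join(names)}")
```

In production the decision function would sit behind the resolver (a BIND response policy zone or equivalent) and the log review would run over the resolver's real query log; the point the example makes is that the block and the detection come from the same list, so every blocked lookup is also an infection lead.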
The company said Win32/Dorkbot has been around in different forms for several years and is still “very prevalent.”
“Once installed on a machine, Win32/Dorkbot will try to disrupt the normal operation of security software by blocking access to their update servers and will then connect to an IRC server to receive further commands,” ESET said in a post on its Web site. “… Besides being a password stealer, targeting popular services such as Facebook and Twitter, Dorkbot typically installs code from one of several other malware families soon after it gains control of a given system.”
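One way malware blocks access to security vendors’ update servers is to pin those hostnames to loopback or a bogus address in the local hosts file; the article does not say which mechanism Dorkbot uses, so the following is an added, general-purpose check rather than a Dorkbot-specific indicator from ESET. It parses hosts-file text, flags any entry for a watched vendor domain, and distinguishes outright blocking (loopback or 0.0.0.0) from redirection elsewhere. The vendor-suffix list and the sample hosts-file contents are constructed for the example.

```python
"""Flag hosts-file entries that pin security vendors' update hosts.

Added example, not code from the article or from ESET. The watched suffixes
and the sample hosts text are constructed placeholders.
"""
import ipaddress
import os
from typing import Dict, Iterable, List, Tuple

# Hypothetical watch list; a real deployment would use the vendors it runs.
WATCHED_SUFFIXES = (
    "eset.com",
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "kaspersky.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Yield (line number, address, hostname) for every mapping in hosts text.

    Comments and blank lines are skipped; a line whose first field is not an
    IP address is ignored rather than treated as a mapping.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((lineno, str(addr), host.lower().rstrip(".")))
    return entries


def matches_watched(host: str, suffixes: Iterable[str]) -> bool:
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def suspicious_entries(text: str,
                       suffixes: Iterable[str] = WATCHED_SUFFIXES) -> List[Dict[str, object]]:
    """Return findings for vendor hosts pinned in the hosts file.

    'blocked' means the name resolves to loopback or the unspecified address,
    so the client can never reach the real server; 'redirected' means it is
    pointed somewhere else, which also deserves a look.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not matches_watched(host, suffixes):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": host, "ip": ip, "kind": kind})
    return findings


def scan_system_hosts() -> List[Dict[str, object]]:
    """Read the live hosts file (Windows path if SystemRoot is set, else /etc/hosts)."""
    root = os.environ.get("SystemRoot")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts") if root else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed hosts-file contents: one benign localhost line, three tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.eset.com   # pinned to loopback
0.0.0.0         liveupdate.symantec.com
198.51.100.7    download.windowsupdate.com
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

A clean hosts file on a managed workstation should produce no findings at all for vendor update domains, so any hit is worth investigating, and the `kind` field only prioritises the order.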