New Dorkbot adds suite of new features
The SonicWALL Threat Research team discovered a new variant of the Dorkbot Trojan (also known as NGRBot). This Trojan was covered in a previous Sonicalert where it was targeting Skype users. The features in this variant are similar to the previous variant with the exception of spreading via Skype.
The sample we analysed makes no changes to the file system or windows registry. It does however have the ability to do that by downloading further payloads as we have seen in previous variants.
The Trojan uses the following icon:
The Trojan makes the following DNS requests:
Upon execution the Trojan injects code into the current running instance of explorer.exe [Detected as GAV: Dorkbot.B_67 (Trojan)]:
The Trojan determines its IP address by making a request to wipmania.com. It then proceeds to join channel #main on a private IRC server. The IRC server does not allow various commands such as channel and user listing:
It also downloads a text file from a remote webserver containing a list of subdomains of a banking website. This list can be either for DDoS attacks or bank site redirection via editing the hosts file:
The Bots idle on IRC awaiting further instructions from its operators. They are given names according to geographical location and operating system version.
During analysis we discovered that the Trojan contains a suite of malicious capabilities. The malicious modules can be utilized by issuing commands via the IRC channel that the bot has joined. The modules are listed as follows:
- UDP/SYN Flood
- Visit HTTP URL (for Pay-per-click schemes)
- Log into and download files from FTP and POP3 email servers
- Update bot/download file from remote webserver with MD5 verification
- Execute file on system
- Start a Socks4 proxy server
- Spread via MSN Messenger Service
- Spread via connected USB drives
At the time of analysis it was determined that the botnet operators are actively monitoring connections to their IRC server. We were promptly banned from the IRC server due to performing activity not conforming to the bots typical behavior.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Ruskill.QCE (Trojan)
- GAV: Dorkbot.B_67 (Trojan)