New Dorkbot variant targeting Skype users
The Dell SonicWALL Threats Research team came across a new variant of the Dorkbot worm that specifically targets Skype users. Dorkbot, also known as Ngrbot, is known to spread through instant messengers, social networking websites, and removable drives. This is, however, the first instance we have seen that also targets Skype users, by hooking the Skype API.
The malware executable is named Skype_(Date)_(img or foto).exe and uses Skype's official icon as a disguise, as seen below:
- When executed, the new variant drops a copy of itself into the user's Application Data directory and modifies the registry so that the copy runs at every reboot:
- Dropped file: (Application Data)\Whzkzg.exe (copy of itself)
- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Whzkzg: "%AppData%\Whzkzg.exe"
- It connects to api.wipmania.com to determine the public IP address of the infected system.
- It was found to be actively sending Skype IMs to the infected user's Skype contacts. The message is sent in the default language of the infected system and consists of a shortened URL that leads to the download of the Skype Dorkbot variant, as seen below:
- It is also capable of spreading via MSN Messenger, removable drives, and various social networking sites by posting comments. The propagation vectors are listed below:
- The Dorkbot variant we analyzed connects to one of the following domains on TCP port 1863:
It also contains a hardcoded command and control IP address, 126.96.36.199, which it connects to on TCP port 1863 if the domains above fail to resolve. TCP port 1863 is the port normally used by MSN Messenger, so the command and control traffic can pass for legitimate messenger activity on a cursory look at connection logs.
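As an added example (not SonicWALL's tooling and not part of the original write-up), the following Python script turns the indicators above into checks a responder can run against collected data: the lure filename pattern, the Run-key entry that launches the dropped copy from the AppData root, and connections to the hardcoded fallback address or to TCP port 1863 hosts that are not known messenger servers. The `reg query` text, the connection log lines and the messenger allowlist are constructed samples; the date format inside the lure filename and the shape of the connection log lines are assumptions.

```python
"""Triage helpers for the Skype Dorkbot variant described above.

Added example, not SonicWALL's code. It checks the host and network
indicators the analysis gives: the lure filename pattern, the Run-key
persistence entry that launches a copy dropped in the AppData root, and
TCP/1863 traffic to the hardcoded fallback C2 or to hosts that are not
known messenger servers. The registry text, the connection log lines and
the messenger allowlist are constructed samples; the date format inside
the lure filename and the log line format are assumptions.
"""
import re

# Lure filename: Skype_(Date)_(img or foto).exe. The date separator is not
# given in the analysis, so any run of digits, dots, dashes and underscores
# is accepted between the two fixed parts (assumption).
LURE_RE = re.compile(r"^Skype_[\d.\-_]+_(?:img|foto)\.exe$", re.IGNORECASE)

# Hardcoded fallback C2 and the port used for both the domains and the IP.
C2_FALLBACK_IP = "126.96.36.199"
C2_PORT = 1863
# Geo-IP service the bot queries for its public address; a weak indicator
# on its own, but worth correlating with port 1863 hits from the same host.
IP_LOOKUP_HOST = "api.wipmania.com"

# Run-key data that launches an .exe sitting directly in the roaming AppData
# root (no vendor subfolder), which is where the dropped copy lives. Both the
# %AppData% form and an expanded C:\Users\<user>\AppData\Roaming path match.
APPDATA_ROOT_EXE_RE = re.compile(
    r'^"?(?:%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\[^\\"]+\.exe"?\s*$',
    re.IGNORECASE,
)


def is_lure_filename(name):
    """True if the file name matches the Skype_(Date)_(img|foto).exe lure."""
    return bool(LURE_RE.match(name))


def parse_reg_query(text):
    """Parse `reg query HKCU\\...\\Run` output into (value name, data) pairs.

    reg.exe prints each value as NAME, TYPE and DATA separated by runs of
    spaces; DATA may itself contain single spaces (quoted paths, arguments).
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("HKEY_"):
            continue
        parts = re.split(r"\s{2,}|\t", line, maxsplit=2)
        if len(parts) == 3:
            name, _type, data = parts
            entries.append((name, data))
    return entries


def suspicious_run_entries(reg_text):
    """Run values whose data points at an executable in the AppData root."""
    return [(n, d) for n, d in parse_reg_query(reg_text) if APPDATA_ROOT_EXE_RE.match(d)]


def suspicious_connections(lines, messenger_hosts):
    """Flag records in a constructed "ts src dst:port proto" line shape.

    messenger_hosts is the allowlist of legitimate messenger servers that are
    expected to talk on TCP/1863; anything else on that port is flagged.
    """
    hits = []
    for line in lines:
        ts, _src, dst, proto = line.split()
        host, port = dst.rsplit(":", 1)
        if proto.lower() != "tcp":
            continue
        if host == C2_FALLBACK_IP:
            hits.append((ts, dst, "hardcoded C2 fallback"))
        elif int(port) == C2_PORT and host not in messenger_hosts:
            hits.append((ts, dst, "TCP/1863 to non-messenger host"))
        elif host == IP_LOOKUP_HOST:
            hits.append((ts, dst, "public IP lookup"))
    return hits


# Constructed samples: a Run key with one benign entry and the dropped copy,
# and a short connection log for an infected host.
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Whzkzg    REG_SZ    %AppData%\Whzkzg.exe
"""
CONN_SAMPLE = [
    "2012-10-11T10:00:01 10.0.0.5 messenger.example.net:1863 tcp",
    "2012-10-11T10:00:07 10.0.0.5 126.96.36.199:1863 tcp",
    "2012-10-11T10:00:09 10.0.0.5 203.0.113.7:1863 tcp",
    "2012-10-11T10:00:12 10.0.0.5 api.wipmania.com:80 tcp",
    "2012-10-11T10:00:15 10.0.0.5 203.0.113.9:1863 udp",
]
MESSENGER_ALLOWLIST = {"messenger.example.net"}  # constructed; fill from real config

if __name__ == "__main__":
    for name in ("Skype_10-11-2012_img.exe", "Skype_2012.10.11_foto.exe", "Skype.exe"):
        print(f"{name}: lure={is_lure_filename(name)}")
    for name, data in suspicious_run_entries(REG_SAMPLE):
        print(f"persistence: {name} -> {data}")
    for ts, dst, why in suspicious_connections(CONN_SAMPLE, MESSENGER_ALLOWLIST):
        print(f"{ts} {dst}: {why}")
```

On a real host, pipe the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` into `suspicious_run_entries` and feed exported connection records (proxy, firewall or netflow, reshaped to the four-field line form above) into `suspicious_connections`. The allowlist should hold only the messenger servers the environment legitimately uses on TCP/1863, since legitimate MSN Messenger traffic shares that port with the bot's command and control connections.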
- Dorkbot is also known to download and install payloads from other malware families as part of a Pay-Per-Install scheme, in which the bot's operator is paid for every successful install. In our analysis we found that the sample downloaded two different payloads from the file sharing service hotfile.com:
- hotfile.com/dl/1765672(REMOVED).html -> (Application Data)\4C.exe [Backdoor Trojan detected as GAV: Simda.FFK (Trojan)]
- hotfile.com/dl/1765679(REMOVED).html -> (Application Data)\4D.exe [Ransomware detected as GAV: PornoAsset.ANHR (Trojan)]
It installs these downloaded files using its Ruskill feature, which keeps track of the file system and registry changes the executed payload makes. Ruskill also ensures that the files are removed on the next system reboot.
- It also contains ftpgrab, formgrab, popgrab and HTML injection modules that steal user credentials, monitoring the following URLs:
- The bot can also perform DDoS attacks via the following three modules:
- Slowloris flood
- UDP flood
- SYN flood
Click statistics for the shortened malicious URL (courtesy of Google) show that it has received more than 200,000 visits in the past month:
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Dorkbot.SKP (Trojan)
- GAV: Dorkbot.SKP_2 (Trojan)