Archive

Archive for the ‘botnet’ Category

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017 No comments

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarues sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnets command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnets servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarues global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc
  • Rootkit (included in crime kit) Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
  • Spreader Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses Domain Name Generation (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarues attack kill-chain

Gamarues main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disks volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication whether the signed in user has administrative rights, and keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazahkstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes time to wait for when to ask the C2 server for the next command
  • Task ID – used by the hacker to track if there was an error performing the task
  • Command one of the command mentioned above
  • Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command.

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list hashes of the processes running on a potential victims machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarues main purpose is to distribute other malware, hackers earn using pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

 

 

Microsoft Digital Crimes Unit and Windows Defender Research team

 

 

Get more info on the Gamarue (Andromeda) takedown from the following sources:

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015 No comments

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disabling security protection, and distributing several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Dorkbot example  
Figure 1: Dorkbot infection trend for the past six months
 
Dorkbot example

Figure 2: Dorkbot detections by country for the past six months

Dorkbot example

Figure 3: Dorkbot machine detections heat map for past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy though underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figure 4 and 5 show one of the builder interfaces for Dorkbot – illustrating all available functionalities that the operator can set through the kit, including the IRC server settings and the command settings.

Dorkbot example  
Figure 4: Dorkbot builder IRC server settings

Dorkbot example 

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Dorkbot example

 
Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software that is designed to infect user computers that connect to the website using software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator. 

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Being sold online, there are several operators utilizing Dorkbot. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.
 

Dorkbot example 

Figure 7: Original Dorkbot has self-check routine that was cracked by a recent operator

Dorkbot loader – update and download other malware

The loader module contains an encoded download URL in its binary. Currently the binaries hosted in these URLs are Dorkbot’s downloader component, self-update, and other malware families.
 
Dorkbot example

Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, causing users whose computers are infected with Dorkbot to be infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed in the below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs a code hook on a DNS-related API (DnsQuery_A, DnsFree). The hook code will compare if the query was on the old C&C server domain, and return the DNS query value of the preferred domain.

Dorkbot example

Figure 9: Overview of trap process guiding to real C&C
 
Dorkbot example

Figure 10: C&C server overriding
Dorkbot example  
Figure 11: List of C&C domains

After connecting to C&C server, the IRC module will start receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
 
Dorkbot example

Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as IRC related commands (USER, PASS, NICK, PRIVMSG etc) or machine’s unique nickname format.
 
Dorkbot example

Figure 13: Comparison with the old (top) and new (bottom) version of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block certain security websites by blocking access to them. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it will record the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader will check if current time is at least 48 hours past the time recorded on installation. This way the loader can hide the download URLs from antimalware backend analysis system.

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10 for Windows 10 with up-to-date AV definitions will to ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015 No comments

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disabling security protection, and distributing several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Dorkbot example  
Figure 1: Dorkbot infection trend for the past six months
 
Dorkbot example

Figure 2: Dorkbot detections by country for the past six months

Dorkbot example

Figure 3: Dorkbot machine detections heat map for past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy though underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figure 4 and 5 show one of the builder interfaces for Dorkbot – illustrating all available functionalities that the operator can set through the kit, including the IRC server settings and the command settings.

Dorkbot example  
Figure 4: Dorkbot builder IRC server settings

Dorkbot example 

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Dorkbot example

 
Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software that is designed to infect user computers that connect to the website using software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator. 

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Being sold online, there are several operators utilizing Dorkbot. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.
 

Dorkbot example 

Figure 7: Original Dorkbot has self-check routine that was cracked by a recent operator

Dorkbot loader – update and download other malware

The loader module contains an encoded download URL in its binary. Currently the binaries hosted in these URLs are Dorkbot’s downloader component, self-update, and other malware families.
 
Dorkbot example

Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, causing users whose computers are infected with Dorkbot to be infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed in the below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs a code hook on a DNS-related API (DnsQuery_A, DnsFree). The hook code will compare if the query was on the old C&C server domain, and return the DNS query value of the preferred domain.

Dorkbot example

Figure 9: Overview of trap process guiding to real C&C
 
Dorkbot example

Figure 10: C&C server overriding
Dorkbot example  
Figure 11: List of C&C domains

After connecting to C&C server, the IRC module will start receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
 
Dorkbot example

Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as IRC related commands (USER, PASS, NICK, PRIVMSG etc) or machine’s unique nickname format.
 
Dorkbot example

Figure 13: Comparison with the old (top) and new (bottom) version of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block certain security websites by blocking access to them. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it will record the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader will check if current time is at least 48 hours past the time recorded on installation. This way the loader can hide the download URLs from antimalware backend analysis system.

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10 for Windows 10 with up-to-date AV definitions will to ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

Microsoft takes on world’s worst cybercriminals

July 15th, 2014 No comments

Microsoft recently took legal action against a group of cybercriminals suspected of spreading malicious software to millions of unsuspecting computer users.

These social media–savvy cybercriminals have not only spread the malware themselves, but they’ve also promoted their malicious tools across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes.

For more information on the legal action, see Microsoft takes on global cybercrime epidemic in tenth malware disruption.

To help protect yourself against cybercrime

  • Keep your operating system and other software updated.
  • Use antivirus software (and keep it updated).
  • Don’t open suspicious email messages, links, or attachments.

Get more guidance at How to boost your malware defense and protect your PC.

Best ways to battle botnets

February 25th, 2014 No comments

What is a botnet?

Botnets are networks of compromised computers that criminals use to commit fraud, such as:

  • Secretly spreading malware
  • Stealing personal information
  • Hijacking Internet search results to take you to websites that are potentially dangerous

How do I know if my computer is part of a botnet?

Your computer might be part of a botnet if it crashes or stops responding often or you experience other malware symptoms. You might also be directed to this page:

 

How can I clean my computer if I’ve been infected?

Botnets infect your computer with malware. To clean your computer, run the Microsoft Safety Scanner, and then run a scan with your antivirus software.

Get more guidance on how to remove malware

How can I help keep my computer out of botnets?

Make sure your computer has antivirus software, such as Windows Defender or Microsoft Security Essentials, and keep it updated.

To learn more about botnets, see How to better protect your PC from botnets and malware.

Categories: antivirus software, botnet, malware Tags:

Get free or paid support for your malware problem

September 24th, 2013 No comments

Is your computer running slowly? Are programs starting unexpectedly? Is the activity light on your broadband or external modem constantly lit? Does it sound like your computer’s hard disk is continually working?

If you answered “yes” to any of these questions, your computer might be infected with malware.

Scan your PC for viruses

If you suspect that your computer has a virus, you can download the Microsoft Safety Scanner. The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software.

Download the Microsoft Safety Scanner

Get help from the Microsoft forums

If you’ve scanned your computer and you can’t get rid of the virus, you might be able to get free help from the Microsoft Community. Check out the Viruses and Malware forum.

Get help from a Microsoft Answer Tech for $99

If you want to pay for help, a Microsoft Answer Tech can help track down viruses, malware, and spyware.  

Chat with an Answer Tech now

“Cyber Crime Department” scam

March 21st, 2013 No comments

We’ve received increased reports of a new phishing scam email message that uses the name and official logo of the Microsoft Digital Crimes Unit (DCU). The wording varies, but it looks like a security measure and says you need to validate your account by confirming your user name and password or by opening a file attached to the message.  

This is a fake message, but DCU is a real worldwide team of lawyers, investigators, technical analysts, and other specialists working to transform the fight against digital crime through partnerships and legal and technical breakthroughs that destroy the way cybercriminals operate. The DCU is a unique team in the tech industry, focused on disrupting some of the most difficult cybercrime threats facing society today – including malicious software crimes fueled by the use of botnets and technology-facilitated child sexual exploitation.

DCU does not send email to individuals asking them to validate their account information.  If you get one of these email messages, it is a scam. 

There are legitimate times when, in the course of a botnet cleanup effort, DCU will work to inform known victims of a particular threat to help them remove the botnet malware and regain control of their computer.  Sometimes Microsoft will work with Internet service providers (ISPs) and Computer Emergency Response Teams, who in turn will work to inform malware victims by communicating through their already-established relationship with their ISP customers. This enables ISPs to be able to reach victims in a way that is clearly verifiable to botnet victims as legitimate.  Other times, Microsoft may indeed notify victims directly – but not in email and not to verify account information, as the phishing scams claim. 

When DCU does inform victims directly about a known malware infection on their computer, like in the recent case involving the Bamital botnet takedown, it will not ask people to click on a link or download an attachment.  Rather, DCU’s communication will be done over a secured connection and will be readily verifiable as legitimately coming from Microsoft.  These notifications will often also be accompanied by a high profile public information campaign that outlines the notification process, which will also help people independently verify that a warning is real and actually coming from Microsoft.

If you receive an email message claiming to be from the DCU, do not click on links or open any attachments.  Instead, you can either just delete it or you can report it.

Here’s a copy of the fake message:

This message contains three common signs of a scam:

  • Impersonation of a well-known company or organization
  • Time-sensitive threats to your account
  • Requests to click an attachment or link

Get more information on how to recognize phishing email messages, links, or phone calls.

Clean up malware resulting from the Bamital botnet

February 8th, 2013 No comments

On February 6, Microsoft announced that its Digital Crimes Unit had worked with Symantec to successfully deactivate a major botnet called Bamital. Below is an overview of Bamital and how you can remove it from your computer.

Botnets are networks of compromised computers, controlled remotely by criminals who use them to  secretly spread malware, steal personal information, and commit fraud. Bamital was designed to hijack internet search results and take people to websites that were potentially dangerous.

To learn more about botnets, see How to better protect your PC with botnet protection and avoid malware.

A majority of computers affected by Bamital were running Windows XP and not using a firewall and antivirus software or having monthly security updates installed.

You might have malware on your computer if you see this page:

To help clean Bamital and other malware from your computer, you can install antivirus and antispyware programs that are available online from a provider that you trust.

Microsoft and Symantec each provide free malware removal tools:

For more information about how to remove malware, visit the Virus and Security Solution Center from Microsoft Support.

Read more at the Official Microsoft Blog.

Clean up malware resulting from the Bamital botnet

February 8th, 2013 No comments

On February 6, Microsoft announced that its Digital Crimes Unit had worked with Symantec to successfully deactivate a major botnet called Bamital. Below is an overview of Bamital and how you can remove it from your computer.

Botnets are networks of compromised computers, controlled remotely by criminals who use them to  secretly spread malware, steal personal information, and commit fraud. Bamital was designed to hijack internet search results and take people to websites that were potentially dangerous.

To learn more about botnets, see How to better protect your PC with botnet protection and avoid malware.

A majority of computers affected by Bamital were running Windows XP and not using a firewall and antivirus software or having monthly security updates installed.

You might have malware on your computer if you see this page:

To help clean Bamital and other malware from your computer, you can install antivirus and antispyware programs that are available online from a provider that you trust.

Microsoft and Symantec each provide free malware removal tools:

For more information about how to remove malware, visit the Virus and Security Solution Center from Microsoft Support.

Read more at the Official Microsoft Blog.

Microsoft battles Zeus ID theft botnet

April 3rd, 2012 No comments

Microsoft, in collaboration with the financial services industry, successfully executed a coordinated global action against the Zeus botnet. Zeus is a type of malware that can monitor your online activity and record your keystrokes to commit identity theft.

Learn more about the botnet takedown.

If you think that your computer might be infected with the Zeus botnet, we recommend you:

  • Run the Microsoft Safety Scanner
    The Microsoft Safety Scanner is a free service that helps you identify and remove both worms and viruses to improve PC performance.

For more information, see the Microsoft Virus and Security Solution Center

Rustock: civil case closed

September 30th, 2011 No comments

Microsoft has officially announced that our civil case against the operators of the Rustock botnet (a major source of spam) has been closed and our teams have turned over the information we’ve gathered to the FBI.

The Rustock botnet is considered one of the largest sources of spam on the Internet and our case is helping to reduce the effects of the botnet and ensure that it will never be used for cybercrime again.

Learn how to clean an infected computer and help protect your PC with botnet protection and avoid malware.

What is the Rustock botnet?

The Rustock botnet is a network of infected computers controlled by cybercriminals and used for spam, fraud, and other cybercrime. The owners of infected computers probably had no idea that their computer was being used to send spam.

What did the Rustock botnet do?

Most of the spam messages generated by the Rustock botnet promoted counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers.  Rustock spam also used Microsoft’s trademark to promote these drugs. In another scheme, Rustock-generated email lured people into lottery scams in which spammers attempted to convince people that they had won a lottery. The victims were told that they needed to send the spammers money to collect the larger lottery winnings. 

Help protect yourself against these kinds of email and web scams.

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of Rustock’s operators. Any tips should be sent directly to the FBI at MS_Referrals@ic.fbi.gov.

More information about the Rustock botnet

Categories: botnet, Microsoft, Rustock, security, spam Tags:

Microsoft offers $250,000 reward for information on botnet

July 22nd, 2011 No comments

This week, Richard Boscovich, Senior Attorney for the Microsoft Digital Crimes Unit, announced a $250,000 bounty for information that results in the identification, arrest, and criminal conviction of those responsible for controlling the Rustock botnet.

Microsoft shuttered Rustock (a major source of spam) back in March and we continue both to search for the cyberciminals responsible and to help people regain control of their Rustock-infected computers. If you think your computer might be at risk, learn how you can remove and avoid computer viruses.

Anyone who has with information about Rustock should contact their international law enforcement agency.

For more information, see Microsoft Offers Reward for Information on Rustock.

Rustock report: Stopping a major source of spam

In March we reported that Microsoft, in cooperation with industry and academic partners, had taken down the Rustock botnet, a notorious source of spam, fraud, and cybercrime.

Hard disks confiscated from Rustock command and control servers

This week Microsoft released new information that explores how Rustock works and how Microsoft defeated the botnet.

Conquering the Coreflood botnet

May 10th, 2011 No comments

The FBI and U.S. Department of Justice announced an operation to take down the Coreflood botnet.

The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it.

Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet.

To avoid becoming part of a cybercriminals botnet, see How to better protect your PC with botnet protection and avoid malware.

Microsoft supports the effort to take down this and other botnets, and we’ve added Coreflood malware detection to the Microsoft Security Scanner.

For more information, see FBI and DOJ take on the Coreflood botnet.

 

Microsoft helps defeat major spam botnet

April 7th, 2011 Comments off

Watch experts from Microsoft and other organizations explain how botnets work and how Microsoft and Pfizer helped bring down the Rustock botnet, a notorious source of spam, fraud, and cybercrime.

Watch the video from CNBC World Business:

Rustock Takedown Is Part of Larger War on Spam

Microsoft helps defeat Rustock botnet

March 18th, 2011 Comments off

Microsoft, in
cooperation with industry and academic partners, has taken down the Rustock
botnet, a notorious source of spam, fraud, and cybercrime.

The Rustock botnet is a network
of infected computers
controlled by cybercriminals and used for a variety
of illegal activities. The owners of the infected computers probably had no
idea that their computer was being used to send spam. To learn how you can
avoid being a victim of a botnet, see How to better
protect your PC with botnet protection and avoid malware
.

What did the Rustock
botnet do?

Most of the spam messages generated by the Rustock botnet promoted
counterfeit or unapproved generic pharmaceuticals from unlicensed and
unregulated online drug sellers.  Rustock
spam also used
Microsoft’s trademark
to promote these drugs. In another scheme,
Rustock-generated email lured people into lottery
scams
in which spammers attempted to convince people that they had won a lottery.
The victims were told that they needed to send the spammers money to collect
the larger lottery winnings.  To help
protect yourself against these kinds of scams, see Email
and web scams: How to help protect yourself
.

Learn more about the
Rustock botnet takedown

For more information, see:

The Zbot battle: Microsoft turns up the heat

February 10th, 2011 Comments off

Botnets
are networks of compromised computers controlled by cybercriminals. Botnets can
send out spam, spread malicious software, steal passwords, and more.

Zbot (also known
as the “Zeus Botnet”) has been responsible for stealing passwords and other
financial information from infected computers worldwide.

Today, Microsoft
published a special edition of the Security Intelligence Report that details ongoing
success in the battle against Zbot.

Download the Zbot Analysis paper.

For more detailed
information on battling botnets, see the Featured Intelligence section of the Security Intelligence Report
website.

Protect yourself against botnets

Protect
your computer with Microsoft Security Essentials Software


Microsoft Security Essentials is the no-cost, high-quality service that helps protect
against botnets and other malicious software.

If you think your
computer is already infected by a botnet, try the following: