DORKBOT Resurfaces Via Skype

Written by: Oscar Celestino Angelo Abendan ll

Some threats are more persistent than others. They are usually developed, modified, or simply coursed through a different vector in order to remain relevant in the threat landscape. Possibly one of the most resilient online threats are those found on instant messaging (IM) platforms. As a way to propagate malware, IMs are a hit among cybercriminals. It can also resurrect forgotten threats. Such is the case with recent DORKBOT variants. With more than 17,000 infections as of October 2012, DORKBOT is the latest noteworthy worm to hit IMs, specifically Skype.

What is noteworthy about DORKBOT?

We observed several spammed instant messages in Skype that leads to DORKBOT variants. DORKBOT, also known as NgrBot� is an Internet Relay Chat (IRC) bot used to initiate distributed denial-of-service (DDoS) attacks. It can gather several user information and propagate via instant messaging applications (IM) and social networking sites.�DORKBOT malware were spotted as early as 2011 in the Latin Americas.

However, in October 2012, DORKBOT malware were seen spreading on the instant messaging platform Skype. As of October 16, 2012,infected systems have reached to 17,500.

What happens when a system is infected with a DORKBOT variant?

Once installed, this worm also enables an attacker to take complete control of the user’s system. But this is just one of the few headaches that affected users will encounter.

DORKBOT steals passwords and login credentials from various websites such as Facebook, Twitter, file locker sites and financial services/online banking sites.

DORKBOT variants are capable of launching denial-of –service (DDoS) attacks. In order to do so, it accepts commands from its controller by connecting to and joining IRC chatrooms. Analysis reveals that it can initiate three different kinds of DoS attacks: SYN floods, UDP floods, and Slowloris attacks.

It is also capable of downloading other malware, depending on the link provided by the C&C servers. The downloaded malware may include ransomware and click fraud malware, among others. DORKBOT also downloads an updated copy of itself per day, which is usually undetected as they arrive in different packers, possibly to avoid being detected.

How does DORKBOT spread?

DORKBOT variants may spread via different platforms, which include social media (e.g. as Facebook and Twitter), instant messaging applications (Windows Live Messenger, mIRC, Skype), and via USB drives.

In an attempt to lure users into clicking links in instant messages, DORKBOT determines the possible language of the affected user and sends the appropriate message using the victim’s own language. In social media and instant messaging applications, DORKBOT variants connect to the website to get the affected system’s IP address and location, determining the language appropriate for its target.

For the attack in Skype, DORKBOT downloads WORM_DORKBOT.IF, which sends the same message to the affected user’s contact list. This component also checks the system locale to check for the user’s geolocation and sends the message “lol is this your new profile pic” using the appropriate language. Below is the list of possible messages used by the malware:

lol is this your new profile pic
hej to jest twj nowy obraz profil?
e nai aft i na fotografa profl sas?
это новый аватар вашего профиля?))
سؤال هي صورتك ؟
moin, kaum zu glauben was fr schne fotos von dir auf deinem profil
hej er det din nye profil billede?
hej je to vasa nova slika profila
hey is dit je nieuwe profielfoto?
hei zh sh ni de grn zilio zhopin ma?
tung, cka paske lyp ti nket fotografi?
hey c’est votre nouvelle photo de profil?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey esta es tu nueva foto de perfil?
ni phaph porfil khxng khun?
hej detta r din nya profilbild?
hey la tua immagine del profilo nuovo?

What makes the instant messaging platform an appealing way of propagating malware?

Instant messaging is a popular way of communication on the Internet as it provides immediate feedback between parties. And with services such as Skype, Yahoo! Messenger , GTalk and others offering multimedia communication (video conference, teleconferencing etc.), usage and popularity is at an all-time high. Unfortunately, popularity breeds cybercrime activities, as the bad guys would want to cash in on anything with traction on the Internet.

Instant messaging is also found in most social networking sites, making these sites a ripe target for cybercriminals to try and spread their schemes. A recent example is a particular slew of Facebook chat message that lead to a malware. These chat messages on Facebook were found to contain a shortened URL pointing to an archive file “”. This archive contains a malicious file named “" that is a worm detected as WORM_STEKCT.EVL. It disables antivirus software and connects to specific websites to send and receive information.

How do I protect myself from this threat?

  • Users must always recheck the message they receive from their contacts, specifically in instant messages. This is the same rule in email messages. However, because of the immediacy of the platform, instant messages are riskier.
  • Though social networking sites, in general, have improved their security, bear in mind that cybercriminals are always out there to take advantage of the large population of social netizens. Thus, users should not take their social networking behavior lightly. To know more about how to avoid threats on social networking sites like Facebook and Twitter, you may read A Guide to Threats on Social Media.
  • Cybercriminals may use social engineering tactics to lure users into clicking a link. This may range from popular news items, celebrities as baits. To know more about social engineering, read our e-guide How Social Engineering Works.
  • Avoid clicking on sites or links referred to by contacts or friends as much as possible.

Are Trend Micro users protected from this threat?

Yes. With its Smart Protection Network, Trend Micro protects users from this threat by blocking access to the sites where DORKBOT variants are hosted, thus preventing downloading the file onto the system.