Dorkbot worm infection via Skype

Posted: October 15, 2012 in Analysis, Vulnerabilities

Infected Skype users are spamming their contact lists with messages in both English and German, sending a message like:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

The URL sent in the message redirects the user to hotfile.com to download an archive named “Skype_todaysdate.zip” containing an executable file of the same name.

Rik Ferguson, director of security research and communication at Trend Micro, explained in a blog post:

“The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a Proxy server and download and install further malware at the botmaster’s initiation.”

The malware is feature-complete: it has a large number of capabilities that make the malicious code very versatile. It is able to spy on victims and to turn their machines into offensive agents for use in DDoS attacks. The agent is really dangerous: it infects victims, turning them into bots, and it is also able to install ransomware that locks the user out and demands $200 within 48 hours to avoid the destruction of their files.

The malware opens a backdoor that allows the attacker remote control, communicating with a remote server via HTTP. According to a Sophos post, on execution the malware copies itself to %PROFILE%\Application Data\Jqfsfb.exe and sets the autostart entry below:

entry_location = “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
entry = “Jqfsfb”
description = “Skype ”
publisher = “Skype Technologies S.A.”
image = “c:\documents and settings\support\application data\jqfsfb.exe”
launch_string = “C:\Documents and Settings\support\Application Data\Jqfsfb.exe”
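The autostart entry above is the kind of indicator an administrator can audit for directly. The following PowerShell script is an added example, not code from the original post or from Trend Micro or Sophos: it enumerates the current user's HKCU Run values and flags any whose image runs from a user-writable profile directory, is missing from disk, or lacks a valid Authenticode signature. The registry path and the value name “Jqfsfb” come from the post; the list of suspicious directories and the choice of signature check as the discriminator are assumptions.

```powershell
# Added example (not from the original post): audit HKCU Run autostart entries
# for the persistence pattern described above -- an unsigned executable launched
# from the user's Application Data folder. Indicator name "Jqfsfb" is from the
# post; the suspicious-directory list is an assumption.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$knownIndicators = @('Jqfsfb')                              # from the post
$suspiciousDirs  = @('\Application Data\',                  # XP-era profile path
                     '\AppData\Roaming\',                   # Vista+ equivalent
                     '\AppData\Local\Temp\')                # assumed: also worth flagging

# Get-ItemProperty returns a single object whose properties are the Run values,
# plus provider metadata (PSPath, PSParentPath, ...) that we skip below.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props) { Write-Output "No Run values found under $runKey"; return }

$findings = $props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
    ForEach-Object {
        $name   = $_.Name
        $launch = [string]$_.Value

        # Recover the image path from the launch string: take the quoted token
        # if present, otherwise everything up to the first ".exe".
        $image = $launch -replace '^"([^"]+)".*$', '$1'
        $image = $image  -replace '^(.+?\.exe)\b.*$', '$1'

        $flags = @()
        if ($knownIndicators -contains $name) { $flags += "matches known indicator name '$name'" }
        foreach ($d in $suspiciousDirs) {
            if ($image -like "*$d*") { $flags += "image runs from user-writable directory ($d)" }
        }
        if (Test-Path -LiteralPath $image) {
            # Legitimate Skype binaries are signed; a Run entry claiming to be
            # Skype but carrying no valid signature deserves a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') { $flags += "Authenticode status: $($sig.Status)" }
        } else {
            $flags += 'image not found on disk'
        }

        [PSCustomObject]@{
            Entry  = $name
            Launch = $launch
            Image  = $image
            Flags  = ($flags -join '; ')
        }
    }

# Print everything, then highlight only the entries that raised at least one flag.
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Flags } | ForEach-Object {
    Write-Warning "Suspicious Run entry '$($_.Entry)': $($_.Flags)"
}
```

Run it in the context of the user whose profile is being examined (the key is per-user, so an administrator checking another account should load that user's hive or use the HKU: drive instead). Any entry flagged for both a profile-directory image and a non-Valid signature is a reasonable candidate for quarantine and further analysis; a legitimate signed product installed per-user will typically pass the signature check even when it lives under AppData.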

Dorkbot malware is not new: last year several variants were detected spreading via common social network platforms such as Facebook, via USB sticks and via various instant messaging protocols.

Skype is an excellent vector for spreading malware due to its wide diffusion, especially in workplaces; machines in this kind of environment are privileged targets because they can be used for cyber espionage and recruited into a botnet outside working hours.
