
Dorkbot Malware

Original Issue Date: December 2015

Virus Type: Malware

Severity: Medium

Dorkbot is a type of malware that spreads through social networking sites, instant messaging programs, and removable drives. It is also known as NgrBot.

Dorkbot typically spreads via infected USB drives, social media links, and instant messaging platforms. It tricks users into clicking malicious links, which leads to infection.

Once inside the system, Dorkbot connects to a command-and-control server, allowing attackers to remotely control the infected system.

It is capable of stealing sensitive information such as login credentials and can download additional malicious software.

Infection Mechanism

The malware spreads through removable drives by copying itself and creating autorun.inf files. It also spreads through social engineering by sending malicious links via instant messaging applications and social media platforms.

When a user clicks on the malicious link or accesses the infected drive, the malware gets executed on the system.

It modifies system registry entries to maintain persistence and ensure execution on startup.

Impact

  • Unauthorized access to infected systems
  • Stealing sensitive user information including passwords
  • Downloading and installing additional malware
  • Degrading system performance

Indicators of Compromise:

File Names:

  • autorun.inf
  • msn.exe
  • winlogon.exe (malicious copy)

Best Practices and Remedial Measures

  • Avoid clicking on suspicious links received via email, social media, or instant messaging applications.
  • Disable the autorun feature on removable drives.
  • Use updated antivirus software and perform regular scans.
  • Keep operating systems and applications updated with the latest security patches.
  • Restrict use of removable media and scan all external devices before use.
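
To support scanning external devices before use, the following added example (not part of the original advisory) lists files in a drive's root folder that match the file names above and reports which programs an autorun.inf there would start. The function names and SAMPLE content are constructed for illustration; the file is parsed by hand rather than with configparser so that padding lines or duplicate keys do not abort the scan, and a UTF-16 encoded autorun.inf is still read.

```python
import os
import re

# File names listed in this advisory's IoC section.
IOC_NAMES = {"autorun.inf", "msn.exe", "winlogon.exe"}
# [autorun] keys that name a program to start (open, shellexecute, shell verbs).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample for illustration; not taken from a real infected drive.
SAMPLE = r"""[AutoRun]
;padding comment
open = msn.exe
shell\open\command=msn.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return (key, command) pairs found in the [autorun] section."""
    section, launches = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and line[0] != ";":
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                launches.append((key.lower(), value))
    return launches


def scan_drive_root(root):
    """Report IoC-named files in a drive root and what autorun.inf would start."""
    findings = {"ioc_files": [], "launch_commands": []}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path) or name.lower() not in IOC_NAMES:
            continue
        findings["ioc_files"].append(name)
        if name.lower() == "autorun.inf":
            with open(path, "rb") as fh:
                data = fh.read()
            # A byte-order mark means the file is UTF-16; otherwise read as ANSI.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            findings["launch_commands"] = parse_autorun(data.decode(enc))
    return findings


if __name__ == "__main__":
    print(parse_autorun(SAMPLE))
```

A match on file name alone is a lead for further inspection with antivirus tooling, not proof of infection.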