Microsoft, Law Enforcement Collaborate in Dorkbot Takedown

A coalition of law enforcement agencies worked together to disrupt Dorkbot, a botnet that’s managed to infect more than one million machines in 190 countries over the last year.

Researchers with Microsoft’s Malware Protection Center announced the news via a post on the MMPC blog.

Two divisions within Microsoft, the Malware Protection Center and the Digital Crimes Unit, worked with ESET and Poland's Computer Emergency Response Team (CERT Polska) to analyze the botnet. When it was time to take action, the groups were joined by a handful of law enforcement agencies: Europol; the FBI; Interpol; DHS/US-CERT; the Canadian Radio-television and Telecommunications Commission (CRTC); and the Royal Canadian Mounted Police (RCMP).

The operation came as a result of “a series of simultaneous actions,” according to Interpol, and led to the “takedown of the botnet’s main servers and data channels.”

Microsoft researchers Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya called the action a coordinated effort, and said the company "provided telemetry" to law enforcement agencies so they could take action against the malware.

Dorkbot surfaced in 2011 but became more widespread in 2012 after it was spotted worming its way through Skype. Victims received a spam message on the chat program and were duped into opening an attached .zip file; the payload inside opened a backdoor and installed a worm on the system that spread the malware further. Once an attacker had access to the victim's machine, they could use it to send spam, carry out DDoS attacks, or steal user information.

Since then the malware family has evolved, adding capabilities such as stealing user credentials and other personal information, disabling security software, and more.

While Dorkbot has been largely absent from the headlines lately, Microsoft says the botnet has still managed to infect 100,000 machines on average each month over the last six months. Computers in India, Indonesia, the Russian Federation, and Argentina were hit hardest, according to MMPC.

According to Europol, investigators are still trying to determine exactly how many victims worldwide Dorkbot has affected over the years, but say the number could be in the millions.

"Botnets like Dorkbot have victimized users worldwide, which is why a global law enforcement team approach working with the private sector is so important," Wil van Gemert, Europol's Deputy Director Operations, said last Friday. "Europol is pleased to join forces with its law enforcement and private sector partners to defeat malicious botnets that have the potential to impact millions of victims."