Wednesday, December 09, 2015
Dorkbot down: security vendors and law enforcement sinkhole botnet
As with all botnets, the Command-and-Control (C&C) servers sit at the heart of Dorkbot's operation. Thanks to intelligence shared by security vendor ESET, in the form of technical analysis and statistical data, those servers proved to be Dorkbot's downfall. ESET malware researcher Jean-Ian Boutin explains the convoluted process: the Dorkbot dropper launches the main IRC component and hooks the DnsQuery API, while the IRC component itself does not contain the true C&C domains. “In fact,” Boutin says, “when the IRC component tries to resolve these domains through the hooked API, the wrapper will instead try to resolve one of the many domains it contains.” All of which makes obtaining the real C&C addresses difficult, to put it mildly. By sinkholing the C&C servers, that is, redirecting Dorkbot traffic from its original destination to one owned by the investigators, it has been possible to disrupt the bejesus out of the botnet operation.
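To make the point concrete, here is an added model (not ESET's code or anything from the Dorkbot analysis) of why the sinkhole has to target the domains the wrapper actually resolves rather than the decoy names the IRC component asks for. All domain names and IP addresses are constructed placeholders, and the resolver is a minimal in-memory stand-in for a DNS server with a response-policy list.

```python
# Constructed sample data: decoy names embedded in the IRC component, and the
# real C&C names that only the dropper/wrapper knows (all hypothetical).
DECOY_DOMAINS = ["decoy-a.example", "decoy-b.example"]
REAL_CNC_DOMAINS = ["cnc-1.example", "cnc-2.example"]
SINKHOLE_IP = "192.0.2.1"          # investigator-controlled (TEST-NET-1)
ORIGINAL_CNC_IP = "198.51.100.7"   # constructed address of the real C&C


class Resolver:
    """In-memory DNS with a sinkhole policy: sinkholed names answer with the
    investigator's IP, and every client that asks for one is recorded."""
    def __init__(self):
        self.zone = {d: ORIGINAL_CNC_IP for d in REAL_CNC_DOMAINS}
        self.zone.update({d: "203.0.113.9" for d in DECOY_DOMAINS})
        self.sinkholed = set()
        self.hits = []  # (client, domain) pairs that reached the sinkhole

    def sinkhole(self, domains):
        self.sinkholed.update(domains)

    def query(self, client, name):
        if name in self.sinkholed:
            self.hits.append((client, name))
            return SINKHOLE_IP
        return self.zone.get(name)


class Bot:
    """Models the dropper's DnsQuery hook: the IRC component asks for a decoy
    name and the wrapper substitutes one of its own real C&C names."""
    def __init__(self, host, resolver):
        self.host, self.resolver, self.next_real = host, resolver, 0

    def hooked_dns_query(self, requested_decoy):
        real = REAL_CNC_DOMAINS[self.next_real % len(REAL_CNC_DOMAINS)]
        self.next_real += 1
        return self.resolver.query(self.host, real)  # decoy name never hits DNS

    def connect_cnc(self):
        return self.hooked_dns_query(DECOY_DOMAINS[0])


def disruption_effect(domains_to_sinkhole):
    """Return (set of IPs the bots connect to, sorted infected hosts seen)."""
    resolver = Resolver()
    resolver.sinkhole(domains_to_sinkhole)
    bots = [Bot("10.0.0.%d" % i, resolver) for i in range(1, 4)]
    destinations = {b.connect_cnc() for b in bots}
    return destinations, sorted({client for client, _ in resolver.hits})
```

Sinkholing the decoy list changes nothing, while sinkholing the wrapper's real list both redirects every bot and yields the list of infected hosts for notification.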