Freelance Word Punk


Wednesday, December 09, 2015

Dorkbot down: security vendors and law enforcement sinkhole botnet

As with all botnets, at the heart of any success sit the Command-and-Control (C&C) servers, and Dorkbot is no exception. This, thanks to intelligence in the form of technical analysis and statistical data shared by security vendor ESET, proved to be Dorkbot's downfall.

ESET malware researcher Jean-Ian Boutin explains the convoluted process: the Dorkbot dropper launches the main IRC component and hooks the DnsQuery API, while the main component itself does not contain the true C&C domains. “In fact,” Boutin says, “when the IRC component tries to resolve these domains through the hooked API, the wrapper will instead try to resolve one of the many domains it contains.” All of which makes obtaining the real C&C addresses difficult, to put it mildly. By sinkholing the C&C servers, that is, redirecting Dorkbot traffic from its original destination to one owned by the investigators, it has been possible to disrupt the bejesus out of the botnet operation.
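To make the indirection Boutin describes concrete, here is an added Python model (not code from the post, ESET or the malware) of a hooked DnsQuery call that swaps the decoy names in the IRC component for the domains embedded in the wrapper, and of a resolver with a sinkhole overlay. All domain names and addresses are constructed placeholders, and the model shows why sinkholing the wrapper's real domains works where blocking the strings visible in the IRC component does not.

```python
import itertools
from typing import Dict, List

# Constructed sample data; none of these names or addresses are real Dorkbot indicators.
DECOY_DOMAINS = ["irc-decoy1.example", "irc-decoy2.example"]      # what the IRC component asks for
WRAPPER_DOMAINS = ["cc-a.example", "cc-b.example", "cc-c.example"]  # what the wrapper really resolves
OPERATOR_IP = "198.51.100.10"   # TEST-NET-2, stands in for the real C&C host
SINKHOLE_IP = "192.0.2.1"       # TEST-NET-1, stands in for the investigators' server

class Resolver:
    """Model of the recursive resolver seen by the infected host, with a sinkhole overlay."""
    def __init__(self, zone: Dict[str, str]):
        self.zone = dict(zone)
        self.sinkholed: Dict[str, str] = {}
        self.queries: List[str] = []  # names that actually leave on the wire

    def sinkhole(self, domain: str, ip: str = SINKHOLE_IP) -> None:
        self.sinkholed[domain] = ip

    def resolve(self, name: str) -> str:
        self.queries.append(name)
        return self.sinkholed.get(name) or self.zone.get(name, "0.0.0.0")  # 0.0.0.0 stands in for NXDOMAIN

class HookedDnsQuery:
    """Model of the wrapper's DnsQuery hook: decoy names are swapped for the wrapper's own domains."""
    def __init__(self, resolver: Resolver):
        self.resolver = resolver
        self._rotation = itertools.cycle(WRAPPER_DOMAINS)

    def __call__(self, name: str) -> str:
        if name in DECOY_DOMAINS:
            name = next(self._rotation)  # the IRC component never sees this substitution
        return self.resolver.resolve(name)

def connect_attempts(resolver: Resolver, n: int = 3) -> List[str]:
    """Simulate n C&C connection attempts by the IRC component; return the IPs reached."""
    dns_query = HookedDnsQuery(resolver)
    return [dns_query(DECOY_DOMAINS[i % len(DECOY_DOMAINS)]) for i in range(n)]

def demo():
    """Compare no action, blocking the decoy strings, and sinkholing the wrapper's domains."""
    zone = {d: OPERATOR_IP for d in WRAPPER_DOMAINS}
    before, blocked, after = Resolver(zone), Resolver(zone), Resolver(zone)
    for d in DECOY_DOMAINS:     # blocking only the strings found in the IRC component
        blocked.sinkhole(d)
    for d in WRAPPER_DOMAINS:   # sinkholing the domains the wrapper actually resolves
        after.sinkhole(d)
    return connect_attempts(before), connect_attempts(blocked), connect_attempts(after), after.queries

if __name__ == "__main__":
    print(demo())
```

The `queries` list on the resolver is the defender's view: only the wrapper's domains ever appear on the wire, so network DNS telemetry, not strings from the IRC component, is what identifies the real C&C names to sinkhole.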

Co-founder of IT Security Thing Ltd, Davey Winder is a three time winner of the Information Security Journalist of the Year award (2006/2008/2010) and received the prestigious Enigma Award for his lifetime contribution to information security journalism in 2011.
