Dorkbot, a 6-year-old banking malware, has resurfaced in the wild to become a major threat, according to recent reports.
The Dorkbot banking malware reportedly started its malicious activity back in 2012, but it now appears that this virus has started attacking banks once again. This updated version of Dorkbot was ranked second in the world back in 2012, and according to Check Point's report it may now be back to wreak havoc and cause damage to banking institutions on a major level.
What Is Dorkbot?
Dorkbot is a banking malware that hackers used to target Skype accounts as well as Facebook and Twitter accounts. The malware was reported to trick victims into downloading an archive that carried the message "Is this your new profile pic?". When the victim opened the .zip attachment, the malware locked the victimized computer. But that is not all it does: Dorkbot enrols the locked computer in a botnet, and the malicious archive is then sent on to the victim's contacts.
The virus has evolved into a new, updated variant that essentially makes it an advanced RAT (Remote Access Trojan), configured to steal user information such as:
- Passwords and account names.
- Keystrokes typed.
- Login details when the user attempts to log in to a banking site.
According to Check Point researchers, the malware was created to give the attacker controlling it the capability to perform remote code execution attacks, with the primary aim of manually stealing saved sensitive banking data. This means that the hacker may even be able to look through your computer's history for passwords or data you have previously entered. The new injection technique used by the malware has been detected under the name Early Bird; it is essentially a way of obfuscating the malware so that it avoids detection by any antivirus and security software.
Today's variant of Dorkbot is considerably more advanced and impressed even the analysts at Check Point, who also mentioned other well-known banking infections in their report.
The original Dorkbot activity drops multiple files in the %AppData% and %Temp% directories; among those files are worm infection files that allow it to spread automatically across different machines. In addition, Dorkbot may also heavily modify the Windows registry sub-keys, as Microsoft reports in its analysis of the malware. The virus primarily targets the Run and RunOnce sub-keys, where it creates registry entries for all of its executable files so that they run automatically when you start Windows. The files differ between the Dorkbot variants, but primarily may be the following:
The virus also uses a folder called RECYCLER on every USB drive it can reach, registering them as a way to propagate onto flash drives. The malware also provides backdoor access and control, so banks are advised to be vigilant, as it may spread in new and more clever ways.
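The two persistence traits described above (Run/RunOnce entries pointing into %AppData% or %Temp%, and the RECYCLER folder on removable drives) can be turned into a simple host check. The script below is an added example, not code from the article, Check Point or Microsoft; the key list, the path patterns and the sample registry values are all constructed for illustration, and on a non-Windows machine only the offline sample data is evaluated.

```python
# Flag Run/RunOnce autostart entries that launch from %AppData%, %Temp% or a
# RECYCLER folder, the locations the article ties to Dorkbot. Added example.
import os
import re
# The autostart sub-keys named in the article, in both user and machine hives.
AUTORUN_KEYS = [(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\" + name)
                for hive in ("HKCU", "HKLM") for name in ("Run", "RunOnce")]

# Locations a legitimate autostart entry rarely launches from; the raw %VAR%
# form is matched as well as the expanded path, so registry exports work too.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"(?:%APPDATA%|%LOCALAPPDATA%|\\AppData\\(?:Roaming|Local))\\",
    r"(?:%TEMP%|%TMP%|\\Temp)\\",
    r"\\RECYCLER\\")]

def extract_executable(command: str) -> str:
    """Program path from a command line: strip quotes/arguments, expand %VAR%."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]  # unquoted paths with spaces are rare here
    return os.path.expandvars(exe)  # %VAR% is only expanded on Windows

def is_suspicious(command: str) -> bool:
    return any(p.search(extract_executable(command)) for p in SUSPICIOUS)

def flag_entries(entries):  # entries: iterable of (key, value_name, command)
    return [e for e in entries if is_suspicious(e[2])]

def collect_autoruns():
    """Enumerate the four keys with winreg on Windows; empty list elsewhere."""
    if os.name != "nt":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, path in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(key, i)
                    found.append((hive + "\\" + path, name, str(data)))
        except OSError:  # key absent or access denied
            continue
    return found

# Constructed sample entries (not real Dorkbot artifacts) for offline runs.
SAMPLE_ENTRIES = [
    ("HKCU\\...\\Run", "OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\...\\Run", "Updater", r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"),
    ("HKLM\\...\\RunOnce", "Setup", r'"%TEMP%\installer.exe" -s')]
```

On a live Windows host, `flag_entries(collect_autoruns())` reports the entries worth a closer look; a hit is a lead for triage, not proof of infection, since some legitimate installers also start from these folders.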