Slashdot Mirror


Microsoft, Law Enforcement Disrupt Dorkbot Botnet (technet.com)

An anonymous reader writes: Microsoft said in a blog post Thursday that it aided law enforcement agencies in several regions to disrupt a 4-year-old botnet called Dorkbot. The botnet aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix and has infected one million computers worldwide. The company didn't provide details on how Dorkbot's infrastructure was disrupted.

31 comments

  1. Plenty Of Detail by Anonymous Coward · · Score: 3, Funny

    The company didn't provide details on how Dorkbot's infrastructure was disrupted.

    WTF, they "activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement". There's enough meaningless jargon in there to satisfy even the most buzzword calloused manager.

    1. Re:Plenty Of Detail by Anonymous Coward · · Score: 0

      >activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement

      Does that mean they pushed a silent forced update to remove the malware on all online Windows systems?
      Because I can't imagine what else all those buzzwords are supposed to imply.

    2. Re:Plenty Of Detail by TWX · · Score: 2

      I doubt it. The fact that Microsoft OSes get as infected as they do makes me think they simply broke something like the DNS process that the botnet is dependent on. For all we know, they haven't actually disabled the botnet, just taken control over it.

      --
      Do not look into laser with remaining eye.
    3. Re:Plenty Of Detail by TheRealMindChild · · Score: 1

      They do this pretty often. It is the "Malicious software removal tool" and it has been part of updates via Windows Update for bloody forever (as far back as XP, anyway)

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:Plenty Of Detail by Anonymous Coward · · Score: 0

      Yes they did. They sinkholed the C&C server via DNS: http://news.softpedia.com/news/microsoft-and-eset-disrupt-dorkbot-botnet-authorities-sinkhole-its-c-c-servers-497106.shtml Both Microsoft and ESET said it in their press releases.

    5. Re:Plenty Of Detail by LifesABeach · · Score: 1

      The most interesting coincidence is that in all cases, Microsoft is involved at some point. When will the D.O.J. consider that?

  2. Netflix by Anonymous Coward · · Score: 0

    Can someone explain it to me how it hurts the Netflix user's account when it's stolen? I assume they're going to be using it but not necessarily changing the password. But I also imagine that they could hijack it temporarily until the real owner gets involved and takes it back.

    I want to know what else could go wrong.

    1. Re: Netflix by Anonymous Coward · · Score: 1

      More than likely that many Netflix users have the same password on their TV account as their checking account.

    2. Re:Netflix by Sowelu · · Score: 1

      They could rate things weird and make you see all kinds of bizarre recommendations.

    3. Re:Netflix by Sowelu · · Score: 2

      Realistically though--they can steal some personal information, like name and probably your billing addresses, and they possess a username that is likely to be in use somewhere else. With a username, real names and a billing address, you have enough information to start socially engineering your way into other things.

    4. Re:Netflix by squiggleslash · · Score: 1

      I'm guessing they make a movie, license it to Netflix, and then use bots with stolen Netflix account credentials to pump up the viewing figures, and thus royalties.

      It's foolproof I tell you!

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:Netflix by sims+2 · · Score: 1

      You could erase my watch list or my viewing history so I don't know what episode of House I'm on. That would be quite annoying.

      Plus, really, how many Netflix accounts can you use at the same time?

      My best bet is they were going after the netflix passwords in hopes that they used the same password elsewhere.

      --
      Minimum threshold fixed. Thanks!
    6. Re:Netflix by Anonymous Coward · · Score: 0

      Sshhhh! That's my whole fucking business plan you twat!

    7. Re:Netflix by TheGrimmReaper · · Score: 2

      Many people re-use the same password so in theory, getting someone's netflix password could get you into other sites.

    8. Re:Netflix by Anonymous Coward · · Score: 0

      Netflix's recommendations show me the same things no matter what I watch. I think this is because of their rapidly diminishing selection.

    9. Re:Netflix by ShaunC · · Score: 3, Interesting

      Can someone explain it to me how it hurts the Netflix user's account when it's stolen?

      Depends on your definition of "hurt." By my own definition, it would "hurt" me if Netflix saw my account logging in from some other country and shut it down. Now I have to contact Netflix and see why my account isn't working, maybe spend a while on the phone swearing up and down that I haven't given my password to some guy in Russia and I promise I'll make a 45-character passphrase. All of this takes time and effort. It's not nearly as severe as having credentials to a bank account stolen, but it's still "harm" as far as I'm concerned.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  3. The opportunity presented itself... by Drewdad · · Score: 3, Funny

    ...while Dorkbot's operator was trying to decipher Microsoft's new core-based licensing structure.

    1. Re:The opportunity presented itself... by zlives · · Score: 2

      more likely windows 10 telemetry helped in locating, dissecting and disinfecting the botnet without compromising privacy in any way.

  4. Get today's SLASHDOT DEALS and the /. Newsletters! by Anonymous Coward · · Score: 0

    Even if you've disabled ads, we're still going to show you ads! Thank you for your contributions!

  5. Re:Get today's SLASHDOT DEALS and the /. Newslette by sims+2 · · Score: 1

    Still better than what paypal gives you for sending 5K through their service. For one month they would give you a free hat.. if you asked for one.

    --
    Minimum threshold fixed. Thanks!
  6. Microsoft shuts down Microsoft botnet .. by nickweller · · Score: 2

    What Desktop operating System did this Dorkbot botnet run on?

  7. Hosts + 0.0.0.0 blocking address in front of by Anonymous Coward · · Score: 0

    See subject, & these blocked addresses the Dorkbot botnet uses for C&C servers:

    0.0.0.0 timeinfo.pl
    0.0.0.0 dothome.pl
    0.0.0.0 iziger.pl
    0.0.0.0 hotfile.com
    0.0.0.0 netflix.com
    0.0.0.0 iknowthatgirl.com
    0.0.0.0 youporn.com
    0.0.0.0 brazzers.com
    0.0.0.0 whmcs.com
    0.0.0.0 webnames.ru
    0.0.0.0 dotster.com
    0.0.0.0 enom.com
    0.0.0.0 1and1.com
    0.0.0.0 moniker.com
    0.0.0.0 namecheap.com
    0.0.0.0 godaddy.com
    0.0.0.0 alertpay.com
    0.0.0.0 thepiratebay.org
    0.0.0.0 torrentleech.org
    0.0.0.0 vip-file.com
    0.0.0.0 sms4file.com
    0.0.0.0 letitbit.net
    0.0.0.0 what.cd
    0.0.0.0 oron.com
    0.0.0.0 filesonic.com
    0.0.0.0 speedyshare.com
    0.0.0.0 uploaded.to
    0.0.0.0 uploading.com
    0.0.0.0 fileserv.com
    0.0.0.0 4shared.com
    0.0.0.0 netload.in
    0.0.0.0 freakshare.com
    0.0.0.0 mediafire.com
    0.0.0.0 sendspace.com
    0.0.0.0 megaupload.com
    0.0.0.0 depositfiles.com
    0.0.0.0 officebanking.cl
    0.0.0.0 twitter.com
    0.0.0.0 secure.logmein.com
    0.0.0.0 logmein.com
    0.0.0.0 moneybookers.com
    0.0.0.0 runescape.com
    0.0.0.0 dyndns.com
    0.0.0.0 no-ip.com

    FROM -> http://www.cert.pl/news/6434

    (This is a totally local + under YOUR FULL CONTROL solution you can use vs. those adversely abused domains dorkbot uses to steal information as its C&C servers (top 4 listed) or sites it abuses (the rest) - assuring no communication with them on YOUR end...)

    APK

    P.S.=> Of course, the usual "shameless plug" from "yours truly" has to occur - to create the BEST possible custom hosts file? Look no further than APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o... for more speed, security, reliability, & anonymity than ANY single other "so-called 'solution'" that operates in less cpu serviced usermode vs. hosts in kernelmode (many crippled by default &/or 'souled-out' to advertisers too no less) can & FOR MASSIVELY LESS resources consumed or complexity involved in them... apk

    1. Re:Hosts + 0.0.0.0 blocking address in front of by barbariccow · · Score: 1

      See subject, & these blocked addresses the Dorkbot botnet uses for C&C servers:

      0.0.0.0 timeinfo.pl
      0.0.0.0 runescape.com

      Why apk no like runescape? It was a fun game 15 years ago, and still some people play it. Good thing I don't let you choose which games I'm allowed to play...

  8. More host-domain names to block for Dorkbot by Anonymous Coward · · Score: 0

    See subject & many more host-domains this botnet uses to block locally in hosts (where you have most control):

    0.0.0.0 s451.hotfile.com
    0.0.0.0 rlz1jmv.info
    0.0.0.0 jmrlz01.info
    0.0.0.0 rlz8jmv.info
    0.0.0.0 irc.perrorlzz.org
    0.0.0.0 perrorlzz.org
    0.0.0.0 www.adriese1906.it
    0.0.0.0 adriese1906.it
    0.0.0.0 www.wipmania.com
    0.0.0.0 wipmania.com

    APK

    P.S.=> Those came from further readings into a .pdf the article links to for more detailed information from the link I posted in my original post... apk

  9. Still more host-domain C&C servers to block by Anonymous Coward · · Score: 0

    0.0.0.0 api1.wipmania.com
    0.0.0.0 api2.wipmania.com
    0.0.0.0 api3.wipmania.com
    0.0.0.0 api4.wipmania.com
    0.0.0.0 api5.wipmania.com
    0.0.0.0 api6.wipmania.com
    0.0.0.0 api7.wipmania.com
    0.0.0.0 api8.wipmania.com
    0.0.0.0 api9.wipmania.com
    0.0.0.0 api.wipmania.com

    * :)

    APK

    P.S.=> Hopefully, that's it - that's all I've found so far from the source articles... apk
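    The three hosts-file lists above (posts 7, 8 and 9) rely on a property of the hosts file that is easy to overlook: the resolver matches the exact name only, so an entry for `hotfile.com` does nothing for `s451.hotfile.com`, and an entry for `wipmania.com` does nothing for `api1.wipmania.com`, which is why each subdomain had to be added as its own line. The same exact-match rule means an entry for `netflix.com` does not block `www.netflix.com` but does break anything that talks to the apex name. The script below is an added example written for this page, not code from the posts, from CERT Polska, or from Microsoft: it parses hosts-file text, mimics the resolver's exact-name lookup, and reports names whose parent domain is listed but which would still resolve normally. The sample entries are constructed for the example (a few names from the lists above plus one deliberately malformed line); the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same format as the lists posted above: a comment,
# a handful of the posted names, a normal localhost line and one malformed entry.
SAMPLE_HOSTS = """\
# Dorkbot-related names (constructed sample for this example)
0.0.0.0 timeinfo.pl
0.0.0.0 hotfile.com
0.0.0.0 s451.hotfile.com
0.0.0.0 irc.perrorlzz.org
0.0.0.0 wipmania.com
0.0.0.0 api.wipmania.com
0.0.0.0 netflix.com
127.0.0.1 localhost
0.0.0.0 bad_host!.example
"""

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse hosts-file text into {hostname: address}.

    Returns (table, rejected_lines). Comments and blank lines are skipped; a line
    is rejected if its address is not an IP literal or any of its names is not a
    syntactically valid host name. Several names may share one line, as the hosts
    file format allows.
    """
    table: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rejected.append(raw)
            continue
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            rejected.append(raw)
            continue
        for name in names:
            table[name.lower()] = addr
    return table, rejected


def resolve(table: Dict[str, str], name: str) -> Optional[str]:
    """Mimic the resolver's hosts lookup: exact, case-insensitive match only.

    A hosts file has no wildcards and no parent-domain matching, so a listed
    apex domain does not cover its subdomains (or even its www. name).
    """
    return table.get(name.lower().rstrip("."))


def unblocked_children(table: Dict[str, str], candidates: List[str]) -> List[str]:
    """Of the candidate names, return those that still resolve normally even
    though one of their parent domains is in the hosts table. These are exactly
    the names a hosts-based block misses, and the reason posts 8 and 9 above had
    to add s451.hotfile.com and api1..api9.wipmania.com as separate lines."""
    missed: List[str] = []
    for name in candidates:
        if resolve(table, name) is not None:
            continue  # blocked by an exact entry
        labels = name.lower().rstrip(".").split(".")
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        if any(p in table for p in parents):
            missed.append(name)
    return missed


if __name__ == "__main__":
    table, rejected = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(table)} entries loaded, {len(rejected)} rejected: {rejected}")
    for probe in ("hotfile.com", "s451.hotfile.com", "s452.hotfile.com", "www.netflix.com"):
        print(f"{probe:20} -> {resolve(table, probe)}")
    print("listed parent, still resolvable:",
          unblocked_children(table, ["s452.hotfile.com", "api2.wipmania.com", "www.netflix.com"]))
```

    Two practical notes: `0.0.0.0` is the safer sink address because, unlike `127.0.0.1`, it never lands on a service that happens to be listening locally; and since the table matches names only, a bot that connects to a C&C address directly by IP, or to a subdomain not on the list, is untouched by this approach entirely.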

  10. Words by Anonymous Coward · · Score: 0

    Dorkbot botnet network workman Manchester chesterfield fieldglass Glassjaw jawbone bonefish fishmonger mongering Ingrid riddick dickwad wadable ablegate gateway wayside sidelong longhair hairdo dobro bromin minima imadork.

  11. Read the source article: Botnet abuses it by Anonymous Coward · · Score: 0

    See subject - explains it all & "RTFA": Whether you choose to block it or not is up to you... there's others in there that I was hesitant to put up (netflix being the prime example), but, that's the list the article provides (+ quit trolling me - it's a waste of your time...)

    APK

    P.S.=> I don't know what your problem is - I'm doing right by others... apk

  12. Windows 10? by Anonymous Coward · · Score: 0

    Is this the secret purpose of Windows 10? So Microsoft can take full control of your computer without your permission or knowledge.

    1. Re:Windows 10? by Anonymous Coward · · Score: 0

      Yes. What they're going to do is "shut down" all the windows botnets, which just means they'll gain control over all of them. In the end, there will be nothing on the Internet but MS-owned and controlled botnets, which will unify into one giant botnet which will then DDoS itself. And that will be the beginning (and the end) of the Singularity.

  13. Can you hear me now? by Anonymous Coward · · Score: 0

    Did somebody say Global Mother Fucking Spyware?