The smart folks at Microsoft's Malware Protection Center have written a nice analysis of the Dorkbot infection vectors. Dorkbot is a worm that injects code into Windows Explorer, spreads other malware and ransomware, and attempts to steal usernames and passwords for social networking and messaging sites (Facebook, AOL, Yahoo!, Twitter, Gmail...), merchant sites (eBay, PayPal, Moneybookers, AlertPay...) and domain registrar/hosting portals (e.g., GoDaddy, Moniker, Namecheap...). Social networking and messaging site accounts can be used to spam, merchant accounts can be used for theft or fraud, and registrar (hosting) accounts can be used to deface or upload malicious links to hosted web sites (via FTP), to deny service, or to alter DNS settings.
In some respects, Dorkbot is a new form of blended threat: rather than relying on traditional networking distribution methods to infect hosts (e.g., exploiting file sharing vulnerabilities, drive-by downloads, removable media), it uses messaging services and social networks as distribution platforms.
Like much malware, Dorkbot socially engineers users into clicking on malicious URLs. What makes Dorkbot particularly nasty is that:
- the URLs are not found on web pages or in email but in instant messages
- the URLs often use URL shorteners (and some of these are not safe)
- the URLs may appear in social networking messages that come from one of your Contacts
Dorkbot presents an opportunity to point out that your contacts may not always be as trustworthy as you imagine. You simply cannot be certain whether a message you receive is coming from your contact or from malware that has infected someone who has added you as a contact.
Here are some simple tricks or rules to follow:
- Keep your computer "patch current".
- Detect and remove this threat. Visit Microsoft or an AV vendor you use and trust to find Dorkbot removal tools (remember, only visit vendors you trust).
- Before you click on a URL in an unsolicited message you receive from a contact (especially one that literally comes "out of the blue"), consider asking the contact a question. Dorkbot probably can't hold a conversation with you.
- Be wary of shortened URLs, especially URLs generated by shortener services that do not perform security checks on the URLs they shorten.