{"id":371,"date":"2017-02-12T20:03:46","date_gmt":"2017-02-12T20:03:46","guid":{"rendered":"https:\/\/eset-blog.aist.fun\/dorkbot-life-after-disruption\/"},"modified":"2019-05-29T12:22:16","modified_gmt":"2019-05-29T12:22:16","slug":"dorkbot-life-after-disruption","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/","title":{"rendered":"Dorkbot: Life after disruption"},"content":{"rendered":"<p>A year ago on 2nd December 2015, a collaboration between major cybersecurity firms, law enforcement and software providers \u2013 including ESET and Microsoft \u2013 successfully managed to disrupt Dorkbot, a malware family that had been infiltrating systems worldwide for over four years.<br \/>\nSince its detection in April 2011, Dorkbot had caused numerous problems for businesses and individuals alike, and was described by ESET as \u201cthe most used malware variant\u201d in its 2012 paper Dorkbot: Hunting Zombies in Latin America.<br \/>\nWorming its way into computers in over 190 different countries \u2013 and proving particularly prevalent in Latin America, where 54% of infections were identified \u2013 Dorkbot has been used both to obtain financial and sensitive information, and take down company servers.<br \/>\nSurreptitious infiltration<\/p>\n<p>The spread of this, and other similar malware, was often achieved by cybercriminals who \u2013 having purchased a so-called \u201ccrime kit\u201d \u2013 targeted users by sending genuine-looking emails, infiltrating social networks and instant messaging services and by using removable USB drives.<br \/>\n\u201cYou might click on a link and think no more about it,\u201d explains Zia Rehman, a cybersecurity expert from Perspective Risk. 
\u201cBut it would install itself on your computer, often masquerading as other programs your computer needs, and then monitor your traffic in the background.\u201d<br \/>\n\u201cIt could also include your system in a [worldwide botnet],\u201d he goes on to explain. \u201cA malicious [attacker] might then use all the connections simultaneously to connect to Facebook or eBay, for example, and your system is actively part of these attacks.\u201d<br \/>\nSkilled in subterfuge<\/p>\n<p>Lurking in the background of many computers \u2013 and often undetected \u2013 Dorkbot was able to install code on infected computers, steal passwords and connect to an IRC (Internet Relay Chat) server, which would then receive commands to download additional malware.<br \/>\nWorryingly, Dorkbot was also able to disconnect users from virus module updates, meaning that, despite providers identifying the threat and acting accordingly, users remained unaware that their system was infected.<br \/>\nReadily available to criminals, the malware was used to target sites including AOL, eBay, Facebook, Netflix and PayPal, amongst others.<br \/>\nDisrupting Dorkbot<\/p>\n<p>This is why its disruption, \u2018an early Christmas present\u2019, was welcome. Information sharing between organizations about Dorkbot\u2019s behavior meant that expertise from around the globe could be pulled together in order to disrupt what was becoming an enormous threat.<br \/>\nAnd it was tremendously successful \u2013 Dorkbot\u2019s grip on worldwide systems has been loosened. 
However, other, similar forms of constantly evolving malware still pose an enormous threat to worldwide cybersecurity.<br \/>\nEvolution of threats<\/p>\n<p>\u201cThis year, for example, the Mirai botnet, based on thousands of compromised \u2018Internet of Things\u2019 devices from televisions to security cameras, was used to knock crucial internet services offline,\u201d explained Joe Hancock, cybersecurity lead at Mishcon de Reya LLP.<br \/>\n\u201cThis shows that whilst the specific attacks from Dorkbot were eventually prevented by law enforcement, the overall approach of botnets and those behind them will innovate and change tactics. Law enforcement and the cybersecurity community needs to increase its own innovation to deal with these changes.\u201d<br \/>\nImportance of education<\/p>\n<p>As Rehman noted, the key to minimizing risk \u2013 particularly the risk of clicking on an attachment or link from an unknown source \u2013 lies in educating individuals and organizations.<br \/>\nThe more people know, the better equipped they are to spot threats and to ensure that they remain protected. This responsibility also falls on security providers, as ESET noted in 2012:<br \/>\n\u201cWe need to teach users what we do and why, and how we are protecting them against this kind of threat. In the industry we understand the importance of updates and concern about the content we see from our daily activities, but we need to talk to end-users in their own language.\u201d<br \/>\nSafeguarding the world<\/p>\n<p>Despite the success of the move to disrupt Dorkbot, malware remains an ever-evolving threat, both to business and to worldwide security. 
Dorkbot is indicative of this \u2013 it\u2019s an \u2018old\u2019 type of malware, but one that is still active and capable of reinventing itself.<br \/>\nIt seems therefore that the need for effective cybersecurity to guard against ever-emerging threats, as well as those active in the digital space, is more important than ever.<\/p>\n<p>Source: <a href=\"http:\/\/www.welivesecurity.com\">WeLiveSecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A year ago on 2nd December 2015, a collaboration between major cybersecurity firms, law enforcement and software providers \u2013 including ESET and Microsoft \u2013 successfully managed to disrupt Dorkbot, a malware family that had been infiltrating systems worldwide for over four years. Since its detection in April 2011, Dorkbot had caused numerous problems for businesses<\/p>\n","protected":false},"author":5,"featured_media":1718,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"yoast_head_json":{"title":"Dorkbot: Life after disruption - ESET Eesti Blogi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/","og_locale":"en_US","og_type":"article","og_title":"Dorkbot: Life after disruption","og_description":"A year ago on 2nd December 2015, a collaboration between major cybersecurity firms, law enforcement and software providers \u2013 including ESET and Microsoft \u2013 successfully managed to disrupt Dorkbot, a malware family that had been infiltrating systems worldwide for over four years. 
Since its detection in April 2011, Dorkbot had caused numerous problems for businesses","og_url":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/","og_site_name":"ESET Eesti Blogi","article_publisher":"http:\/\/www.facebook.com\/antiviirus","article_published_time":"2017-02-12T20:03:46+00:00","article_modified_time":"2019-05-29T12:22:16+00:00","og_image":[{"width":623,"height":410,"url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/04\/shutterstock_522985417-623x410.jpg","type":"image\/jpeg"}],"author":"ESET Blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ESET Blog","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#article","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/"},"author":{"name":"ESET Blog","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"headline":"Dorkbot: Life after disruption","datePublished":"2017-02-12T20:03:46+00:00","dateModified":"2019-05-29T12:22:16+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/"},"wordCount":684,"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/04\/shutterstock_522985417-623x410.jpg","articleSection":["malware"],"inLanguage":"en-US","copyrightYear":"2017","copyrightHolder":{"@id":"https:\/\/blog.eset.ee\/et\/#organization"}},{"@type":"WebPage","@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/","url":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/","name":"Dorkbot: Life after disruption - ESET Eesti 
Blogi","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#primaryimage"},"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/04\/shutterstock_522985417-623x410.jpg","datePublished":"2017-02-12T20:03:46+00:00","dateModified":"2019-05-29T12:22:16+00:00","author":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"breadcrumb":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#primaryimage","url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/04\/shutterstock_522985417-623x410.jpg","contentUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/04\/shutterstock_522985417-623x410.jpg","width":623,"height":410},{"@type":"BreadcrumbList","@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.eset.ee\/et\/en\/"},{"@type":"ListItem","position":2,"name":"Dorkbot: Life after disruption"}]},{"@type":"WebSite","@id":"https:\/\/blog.eset.ee\/et\/en\/#website","url":"https:\/\/blog.eset.ee\/et\/en\/","name":"ESET Eesti Blogi","description":"Uudised IT 
maailmast","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.eset.ee\/et\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88","name":"ESET Blog","sameAs":["http:\/\/eset.ee"],"url":"https:\/\/blog.eset.ee\/et\/en\/author\/allankinsigo\/"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2017\/02\/12\/dorkbot-life-after-disruption\/#local-main-organization-logo","url":"","contentUrl":"","caption":"ESET EESTI"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=371"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/371\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/1718"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}