Password-stealing ‘dorkbot’ prowling in Indian cyberspace

New Delhi

Cyber security sleuths have alerted Indian internet users against the malicious activity of an online virus called ‘dorkbot’ which perpetrates itself through social networking sites and steals sensitive personal data and passwords of a user.

The malware, a variant of online virus and worm, has been specifically seen affecting operating systems running on Windows in the recent past.

“It has been observed that the variants of malware named as 'dorkbot' targeting windows operating systems, are spreading.

“The malware belongs to the family of worms having backdoor functionality and spreads through various vectors, including drive-by-download attacks, social networking sites and compromised websites with browser exploits via removable drives in the form of auto-run exploits or by means of malicious links in instant messaging chats or internet relay chats,” a latest advisory issued by the Computer Emergency Response Team of India (CERT-In) said.

The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.

The deadly virus, with almost a dozen aliases, is capable of stealing sensitive information from infected machine including stored passwords, browser data, cookies and has a smart and lethal potential to take complete control of the affected system, it said.

The cyber security agency said the malware can hide itself by over-writing, can collect system information such as OS (operating system) information, user privileges and apps installed on the system and can act to aid remote access of the infected machine to an attacker.

It destructs and infects a system by acquiring fake identities of Facebook, Skype or any other social media platform and lowers its immunity against a potential virus attack.

"To hide itself from detecting by anti-virus solutions, the malware injects its code into files like cmd.exe, ipconfig.exe, regedit.exe, regsvr32.exe, rundll32.exe, verclsid.exe and explorer.exe," the advisory said.

The agency has suggested some counter-measures for users to deploy and guard against 'dorkbot'.

“Delete the system changes made by the malware such as files created, registry entries and services, etc, set internet and local intranet security zone settings to 'high' to block activeX controls and active scripting, scan infected system with updated versions of anti-virus solution, limit or eliminate the use of shared or group accounts and do not visit untrusted websites," it said.

It said attachments should not also be downloaded or opened in emails received from untrusted sources or unexpectedly received from trusted users. There should be enforcement of a strong password policy and implemention of regular password changes.

"Enable a personal firewall on workstation and configure email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files," it added. — PTI