Dorkbot (malware)

Dorkbot, also known as Ngioweb, is a modular botnet malware typically spread through removable drives, social media, and instant messaging platforms. It is primarily known for its information-stealing capabilities, targeting usernames, passwords, and other sensitive data from various applications and system processes.

Once Dorkbot infects a system, it connects to a command-and-control (C&C) server to receive instructions and transmit stolen data. The modular design allows attackers to update the bot with new features and functionalities after the initial infection, extending its capabilities without requiring a full re-infection. These modules can be used for various malicious activities, including launching denial-of-service (DoS) attacks, downloading and executing additional malware, and spreading the infection to other systems.

Dorkbot employs several techniques to evade detection, including anti-analysis and anti-debugging measures. It also often utilizes rootkit techniques to hide its presence on the infected system.

While Dorkbot has been active for several years, its impact and prevalence have fluctuated. Security researchers and antivirus vendors continually update their detection and removal tools to combat this threat. Removal typically requires specialized anti-malware software capable of detecting and removing the malware and its associated components. Best practices for prevention include using strong passwords, exercising caution when opening links or files from unknown sources, keeping antivirus software up to date, and disabling autorun on removable drives.
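
As an added illustration of the last prevention measure (not part of the original entry), the following script audits whether a host's policy actually turns autorun off for removable drives. It assumes Windows hosts, the `NoDriveTypeAutoRun` policy value under `Policies\Explorer`, and text collected with `reg query`; the sample outputs are constructed.

```python
import re

# Bit flags of the Windows NoDriveTypeAutoRun policy value (one bit per drive type).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

# Matches the value line printed by `reg query <key> /v NoDriveTypeAutoRun`.
VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def autorun_disabled_types(mask):
    """Return the drive types for which the mask turns AutoRun off."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def audit_reg_output(text):
    """Audit `reg query` output; a missing value means no policy is set."""
    match = VALUE_RE.search(text)
    if match is None:
        # No explicit policy: report it as not enforced rather than guessing a default.
        return {"mask": None, "removable_disabled": False, "all_disabled": False}
    mask = int(match.group(1), 16)
    return {
        "mask": mask,
        "removable_disabled": "removable" in autorun_disabled_types(mask),
        "all_disabled": mask & 0xFF == 0xFF,
    }


# Constructed sample outputs (not captured from a real host).
SAMPLE_WEAK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace("0x91", "0xff")

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_reg_output(sample))
```

A mask of `0x91` leaves the removable-drive bit (`0x04`) clear, so the policy does not cover USB drives; `0xff` disables autorun for every drive type.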