DorkBot is another modified IrcBot that is extremely similar to NgrBot, which is why many antivirus software treat them the same way, oftentimes using the same detection. Our botnet monitoring system has even captured NgrBot and DorkBot at almost the same time. However, according to a deeper analysis of both NgrBot and DorkBot, we find that they should be treated differently.
In this blog post, we will discuss the similarities and differences of these two botnets.
The hardcoded version number of DorkBot that we received is the same as NgrBot’s. This seems to imply that they both come from the same source code.
Figure 1. Hardcoded version 22.214.171.124.
Decryption and Hard Drive Wiping Mechanism
DorkBot has inherited most of the decryption techniques of NgrBot, including its technique of wiping the hard drive that we have discussed here.
The message box that it displays after filling the partition with zeroes is slightly different; it has a different title, as shown below.
Figure 2. Message box displayed.
As shown in Figure 2, the bot author gave DorkBot a different name, which can also be seen in the binary codes.
Figure 3. Hardcoded bot name in DorkBot’s codes.
Loader and Module Execution Mechanism
DorkBot splits the single bot into two parts – the loader and the module. The module is a complete NgrBot-like EXE file that is hardcoded in the loader’s resource section.
Figure 4. Hardcoded module in the loader’s resource section.
The loader begins by injecting itself into the svchost.exe process. The injected codes in svchost.exe then check if there are currently running instances of notepad.exe. If so, it terminates them and creates a new instance of notepad.exe in suspended mode, then hooks the APIs DnsQuery_A and DnsFree (both from dnsapi.dll) of this new notepad.exe in order to redirect DNS queries of its command-and-control (C&C) URLs. We will discuss these hooking functions later.
Meanwhile, this compromised notepad.exe process does not show its window as it waits for the DorkBot module to be injected into it.
The DorkBot loader then restarts itself and extracts the module into itself. This second instance of the loader, which is now actually the module, injects codes into running processes and, just like the loader, also hooks DnsQuery_A and DnsFree. The hooking functions in the module have a different purpose, however. Similar to NgrBot, the hooking functions of the module are used for blocking access to security-related websites.
Once the module determines that the process that it has injected codes into is notepad.exe, it executes its major codes, which contain the C&C communications. This is another difference with NgrBot, which injects and runs its major codes in explorer.exe.
Figure 5. Target process in NgrBot and DorkBot.
As we know, the default Windows Desktop GUI is maintained by explorer.exe, so the injection by NgrBot will always be successful. By contrast, since the notepad.exe process is not always running by default, DorkBot has to create one to make sure that its module injection is a success. Furthermore, to avoid conflicts with the user opening their own instance of notepad.exe before infection, the loader kills all existing notepad.exe processes before creating the hidden one which will be injected with the module.
Once the module has been injected into notepad.exe, it performs a DNS query to get the final IP of its hardcoded C&C server URLs. However, these hardcoded URLs are not the real C&C servers; they are fake and have never existed in the global DNS system.
Figure 6. Fake C&C server URLs in the module.
As mentioned above, the DnsQuery_A and DnsFree APIs of the compromised notepad.exe have already been hooked by the loader at this point, which enables the DNS query operation to be captured. The hooking functions of these DNS-related APIs check if the domain name that is being queried matches any of its hardcoded ones.
Figure 7. Checking for the C&C URL in the hooked API.
If the domain name that is being queried matches any of the hardcoded ones, it will be replaced by any of the real C&C domains in its list, which includes almost 100 domain names.
Figure 8. Partial list of DorkBot’s real C&C domains.
This mechanism also means that the individual module cannot run by itself. This is the most significant difference from NgrBot.
Modified Initial IRC Commands
Not like NgrBot which uses the original IRC commands to login to the IRC server directly, DorkBot has taken one more step; it has modified the IRC commands. As we can see in the following figure, DorkBot changes the IRC command NICK to KCIK, and USER to SSRR.
Figure 9. Comparison of IRC commands of NgrBot and DorkBot.
These are good indicators for network traffic detection.
Communicating with the C&C Server
DorkBot’s communication with the C&C server is very similar to NgrBot. In the figure below, we can see that the botnet downloading command :!dl is always carried in the IRC command that starts with :hub.us.com 332. We can also see that two different downloading commands have been merged together in a single line. The DorkBot module then sends a detailed report for each of the downloading commands afterwards.
Figure 10. Captured downloading commands.
The C&C Commands
The following is the full list of C&C server commands that the current variant supports:
So far, we have captured only two commands that are being sent by the C&C server: the :!dl command and the :!up command.
Similar to NgrBot but much more complex, DorkBot should be considered the new evolution of IrcBot. Its integrated tricks, most notably its use of fake C&C domain names, could make analyzing much more difficult. Our botnet monitoring system will continue to track DorkBot’s activity, as we always do for most of the major botnet families.