DorkBot is another modified IrcBot that is extremely similar to NgrBot, which is why many antivirus products treat them the same way, often using the same detection. Our botnet monitoring system has even captured NgrBot and DorkBot at almost the same time. However, a deeper analysis of both NgrBot and DorkBot shows that they should be treated differently. In this blog post, we will discuss the similarities and differences of these two botnets.

Version Number

The hardcoded version number of DorkBot that we received is the...
by He Xu  |  Aug 12, 2014  |  Filed in: Security Research

NgrBot is a modified IrcBot. It has the capability to join different Internet Relay Chat (IRC) channels to perform various attacks according to the IRC-based commands from the command-and-control (C&C) server. Recently, our botnet monitoring system captured an NgrBot variant with hardcoded version

Figure 1. Hardcoded version

This new version of the bot carries new features that are much more harmful than before, including the ability to destroy data on the user's hard drive.

Wiping The Hard Drive

This new version of...
by He Xu  |  Jul 10, 2014  |  Filed in: Security Research