Microsoft said Thursday it aided law enforcement agencies in several regions to disrupt a four-year-old botnet called Dorkbot, which has infected one million computers worldwide.
The Dorkbot malware aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix.
It was first spotted around April 2011. Users typically get infected by browsing to websites that automatically exploit vulnerable software using exploit kits and through spam. It also has a worm functionality and can spread itself through through social media and instant messaging programs or removable media drives.
Microsoft didn’t provide much detail on how Dorkbot’s infrastructure was disrupted. The company has undertaken several such actions over the last few years in cooperation with law enforcement.
Coordinated actions to take botnet servers offline have an immediate impact, but the benefits can be short-lived. Cybercriminals often set up new hosting and command-and-control infrastructure and begin rebuilding the botnet by infecting new computers.
Microsoft said it worked with security vendor ESET, the Computer Emergency Response Team Polska, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, Europol, the FBI, Interpol, and the Royal Canadian Mounted Police.
Cybercriminals have sold a kit that allows other bad actors to build botnets using Dorkbot. The kit, called NgrBot, is sold in underground online forums, Microsoft wrote in a blog post.