Update – Condition RED – Hello Hermes, the Dorifel story continues

Hi everyone, remember Dorifel?
Let’s say.. it ain’t over..



David Jacoby, a Kaspersky Lab Expert, has an interesting blog posting about Dorifel.
One thing David says is a little scary (but not unexpected):

I want to highlight that we found tons of new malicious files on the server hosting the Dorifel malware and also a lot of exploits which could be an indication that computers infected with Dorifel also have additional malware installed on the computer.


There is also a nice update with lots of info on “Damm those problems

One of the things that made Dorifel an success was the RTLO unicode hole. What this hole does is using a Windows standard unicode “right-to-left override” which is used in Arabic and Hebrew texts

Because of this, there is only one advice:

Do not rely on any file attachment or file on any device to be safe based on its file name!


Before the weekend started we were told by  State Secretary for Security and Justice Fred Teeven that:  “everything is under control”, but Dorifel didn’t stop.

The virus did what it was supposed to do: infect more systems and hijack backing data.

It’s the beginning of a new week and I am sure lots of people will investigate Dorifel to learn how it worked, why it managed to cripple several organisations and how we can prevent this in the future.


Sources (English):


Sources (Nederlands):