Dogkild
Dogkild is a Windows worm observed being downloaded and executed as a secondary payload when the Microsoft Windows Video ActiveX Control vulnerability CVE-2008-0015 is exploited through a specially crafted web page (the exploit is detected as Exploit:JS/CVE-2008-0015). Microsoft reports that the exploit may connect to a remote server to download additional malware and that it has been used in the wild to deliver Dogkild. Dogkild propagates via removable drives; its capabilities include retrieving and executing additional binaries or files, overwriting certain system files, terminating a long list of security-related processes, and replacing the Windows Hosts file to block access to websites associated with security programs. No specific threat actor attribution, targeted industries, or concrete IOCs are provided in the available content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2008-0015 (CVSS score: 8.8) - A stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control... Microsoft notes... it may connect to a remote server and download other malware... used to download and execute Dogkild, a worm...
Microsoft warned that the older flaw can download malware such as the Dogkild worm, which can run additional files, alter the Windows Hosts file, and disable security processes.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A worm that can execute additional files, modify the Windows Hosts file, and disable security processes; mentioned as a payload that may be downloaded via exploitation of CVE-2020-7796.
A worm that propagates via removable drives; can retrieve and run additional binaries, overwrite certain system files, terminate many security-related processes, and replace the Windows Hosts file to block access to security program websites.
A worm that propagates via removable drives; can retrieve and run additional binaries, overwrite certain system files, terminate many security-related processes, and replace the Windows Hosts file to block access to security-related websites.
A worm that propagates via removable drives; can retrieve and execute additional binaries, overwrite certain system files, terminate many security-related processes, and replace the Windows Hosts file to block access to security-related websites.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.