Mocbot spam analysis
Revision as of 12:46, 31 July 2015 by Eric.freyssinet (talk | contribs) (Text replacement - "/ www." to "/ |Site=www.")
(Publication) Google search: [1]
| Mocbot spam analysis | |
|---|---|
| Botnet | Mocbot, Ranky |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2006 / 2006-08-15 |
| Editor/Conference | DELL SecureWorks |
| Link | http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/ (Archive copy) |
| Author | Joe Stewart |
| Type | |
Abstract
“ The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.
The C&C servers, bniu.househot.com and ypgw.wallloan.com have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2006BFR1215,
editor = {DELL SecureWorks},
author = {Joe Stewart},
title = {Mocbot spam analysis},
date = {15},
month = Aug,
year = {2006},
howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/}},
}