Mocbot spam analysis
Jump to navigation
Jump to search
(Publication) Google search: [1]
Mocbot spam analysis | |
---|---|
Botnet | Mocbot, Ranky |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2006 / 2006-08-15 |
Editor/Conference | DELL SecureWorks |
Link | http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/ (Archive copy) |
Author | Joe Stewart |
Type |
Abstract
“ The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.
The C&C servers, bniu.househot.com and ypgw.wallloan.com have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2006BFR1215, editor = {DELL SecureWorks}, author = {Joe Stewart}, title = {Mocbot spam analysis}, date = {15}, month = Aug, year = {2006}, howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/}}, }