Mocbot spam analysis

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Mocbot spam analysis
Botnet Mocbot, Ranky
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2006 / 2006-08-15
Editor/Conference DELL SecureWorks
Link http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/ (Archive copy)
Author Joe Stewart
Type

Abstract

The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.

The C&C servers, bniu.househot.com and ypgw.wallloan.com have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.

Bibtex

 @misc{Stewart2006BFR1215,
   editor = {DELL SecureWorks},
   author = {Joe Stewart},
   title = {Mocbot spam analysis},
   date = {15},
   month = Aug,
   year = {2006},
   howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/mocbot-spam/}},
 }