Bot Builds Spam-Spreading Zombie Army

Mocbot downloads a spam proxy Trojan in its bid to create a net of infected machines that will spew spam on a large scale.
The bot that began infecting Windows PCs last weekend using a bug disclosed by Microsoft the previous week was after machines to add to a spam-spewing network of so-called "zombies," a security research firm said.

In a research report posted to its Web site, Chicago-based LURHQ concluded that the most recent version of Mocbot -- also called Wargbot and Graweg -- that exploited the vulnerability patched in the Aug. 8 MS06-040 security bulletin was "not especially unique."

By using a "sandnet" -- a tool which creates a virtual Internet through which malware can romp without endangering real systems -- LURHQ was able to spy on the command and control instructions issued to Mocbot by its controller, or bot herder.

"The bot herder cannot tell the difference between us and one of the bots," LURHQ reported in its write-up. "[But] active probing of the bot by the bot herder using built-in commands could give away our presence." Instead, LURHQ's researchers were able to monitor traffic between the bot and its herder, decrypt it, and read it in near-real-time.

Among the first commands that Mocbot receives is to download another piece of malicious code, a spam proxy Trojan horse dubbed Ranky. (Other security vendors, notably Symantec, also uncovered the Mocbot-Ranky connection this week.)

"It seems as if this entire scheme of mass infection is simply to facilitate the sending of spam," said LURHQ.

Researchers following the trail further were able to join the spam proxy network for a peek at its traffic. They found spam, lots of spam. "Before too long, we begin to see loads of spam being pumped through our server, from dozens of IP addresses."

The messages that LURHQ spied out peddled everything from porn site and fake Rolex watches to prescription drugs.

"Obviously there is money being made here," LURHQ concluded. "The economics of exploiting end-user systems for the purposes of spam [is] an established business model."

Since Mocbot/Wargbot broke onto the Internet Saturday Aug. 12, the threat has been ranked low by most security vendors and experts. Symantec, for instance, has been monitoring ports 445 and 139 -- the ones used by the exploit -- on its global network of sensors and systems, but has yet to report unusually-high traffic across those ports.

Still, the bot poses some risk. "[Symantec] honeypots are currently being attacked on an ongoing basis," said Symantec in a new alert sent to customers late Thursday. Symantec also reported that it's watching another attack exploiting the MS06-040 vulnerability, but has little information to share.

"This program has also been successfully compromising numerous honeypots, often ones already infected with Wargbot," Symantec said. "This bot makes use of a different payload, which immediately downloads and executes a file (lol.exe)." The malware downloaded to the infected PC may be a form of spyware, Symantec said.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing