AOH :: ISN-2881.HTM

Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack

Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack
Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack,1895,2004893,00.asp 

By Ryan Naraine
August 17, 2006

When Joe Stewart spotted a variant of the Mocbot Trojan hijacking 
unpatched Windows machines for use in IRC-controlled botnets, he 
immediately went to work trying to pinpoint the motive for the attacks.

Stewart, a senior security researcher with LURHQ's Threat Intelligence 
Group, set up a way to silently spy on the botnet's command-and-control 
infrastructure, and his findings suggest that for-profit spammers are 
clearly winning the cat-and-mouse game against entrenched anti-virus 

"The lesson here is once you get infected, you are completely under the 
control of the botmaster. He can put whatever he wants on your machine, 
and there's no way to be 100 percent sure that the machine is clean," 
Stewart said in an interview with eWEEK.

Stewart, a well-respected researcher who specializes in 
reverse-engineering malware files, echoed a warning issued earlier this 
year by Microsoft.

"The only way to be [completely] sure the system is malware-free is to 
completely wipe the hard drive and reinstall the operating system," he 

Stewart arrived at that conclusion after eavesdropping on Mocbot for a 
few hours.

"I have two machines here running in an isolated network. I infect one 
with the malware, and I have the other machine pretending to be the 
entire Internet," he explained.

The second machine, known as a sandnet, is a custom-made tool for 
analyzing malware in an environment that is isolated, yet provides a 
virtual Internet for the malware to interact with.

"I can sit back and see all the interaction up to point where it [the 
infected machine] joins botnet's control channel. Then I can take that 
information, go outside and replicate it. I can see what the real server 
is doing to get an entire picture of the operation," Stewart said.

With Mocbot, which was targeting the Windows vulnerability patched with 
Microsoft's MS06-040 patch, Stewart was able to figure out that the 
infected drones were connecting to two hard-coded command and control 
servers at "" and ""

He was able to capture the IRC (Internet Relay Chat) login sequence 
generated by the bot. This included a user, a nickname, the channel name 
and the first bit of instructions to the infected machine.

The command schemes were all encrypted, forcing Stewart to create a 
custom Perl script to decode the algorithms.

"They're using trivial encryption, so a bit of reverse-engineering had 
to be done. You can see some of it in the code of Mocbot, and I wrote a 
little script to do the decoding. When I visit the channel and he gives 
a command, I can easily decrypt it to see the instructions he's sending 
to the bot," Stewart said.

Using telnet to connect to the command-and-control server on Port 18067 
(the port number for the IRC server), Stewart successfully started 
spying on the control channel, but there was not much to see.

"The IRC server code was stripped down to give almost no information to 
the client, except the channel topic line, which was encrypted," he 

Once decoded, he found that the botmaster was telling the infected 
machines to join another control channel to receive another encrypted 

When decoded, the command simply served up a URL hosted at, 
a free image hosting service.

"The command is an instruction to download and execute [a second] file 
in the provided URL," Stewart said, noting that the mission of the 
botmaster was to get the second file into the infected system.

The file is a spam proxy Trojan named Win32.Ranky.fv.

"The entire scheme of mass infection is simply to facilitate the sending 
of spam. The proxy Trojan is also a bot of sorts; reporting in to a 
master controller to report its IP address and the socks port for use in 
the spam operation," Stewart said.

With the spam proxy Trojan sitting on his test machine, Stewart was 
again able to join the spam proxy net to get an internal peek at the 

Using the sandnet, he found that the Trojan was sending a 4-byte UDP 
packet to the "" address.

Stewart then mimicked this on an Internet connected network with a fake 
socks proxy that feeds into a blackhole SMTP server to infiltrate the 
proxy network.

He immediately started seeing "loads of spam being pumped through our 
socks server." This was coming from dozens of IP addresses and using 
forged sender addresses.

The spam e-mails, which are now being pumped from infected Windows 
desktops, represented a range of the typical junk mail, Stewart said.

He found mail advertising everything from pornography to fake Rolex 
watches and pharmaceuticals.

"It looks like this was a small, targeted attack for one simple reason. 
They wanted to stay under the radar. This is all about setting up small 
botnets and making money from spam. They could be the spammers 
themselves or the guys doing the dirty work and then renting the botnets 
to spammers," he said.

"This is a business model that is obviously working. They wouldn't be 
going to these lengths if it wasn't making money," Stewart added.

The LURHQ researcher says the recent attack proves that businesses and 
consumers should be careful about depending on existing anti-virus 

In the initial stages of the Mocbot attack, only one-third of anti-virus 
scanners tested by Stewart's research team were detecting the malware.

"This was just a minor variant of something that was out there for 
months but the majority of scanners were missing it," he said.

Even more worrisome is the fact that the attack included the use of 
botnet instructions to download the second-stage Trojan executable.

"In this case, it was a spam proxy Trojan, but what if it was a rootkit? 
The rookits are getting so good these days that the programs we 
typically rely on to find and clean machines just can't see them.  
There is still the possibility that the spammers could slip in a rootkit 
to hide things forever," he said.

"It's getting to the point where you might want to consider just 
rebuilding and reformatting machines after these attacks. If your 
security software doesn't spy on the botnet and know exactly what is 
being dumped on the machine, the malware can go undetected for a long 
time," Stewart said.

The lesson? "Don't get infected in the first place," Stewart said. He 
urged IT administrators to apply critical patches early and maintain 
several levels of defense against malware, including firewalls, 
anti-virus and system hardening.

HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: 

Site design & layout copyright © 1986-2015 CodeGods