In a research report posted to its Web site, Chicago-based LURHQ concluded that the most recent version of Mocbot -- also called Wargbot and Graweg -- that exploited the vulnerability patched in the Aug. 8 MS06-040 security bulletin was "not especially unique."
By using a "sandnet," a tool that creates a virtual Internet through which malware can romp without endangering real systems, LURHQ was able to spy on the command and control instructions issued to Mocbot by its controller, or bot herder.
"The bot herder cannot tell the difference between us and one of the bots," LURHQ reported in its write-up. "[But] active probing of the bot by the bot herder using built-in commands could give away our presence." Rather than interacting with the herder, LURHQ's researchers passively monitored the traffic between the bot and its herder, decrypted it, and read it in near-real-time.
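The "virtual Internet" a sandnet presents to a sample begins with name resolution: every hostname the malware looks up has to resolve to a host the lab controls, so that the bot connects to a monitored gateway instead of the real network. The block below is an added example written for this page, not LURHQ's sandnet code and not anything the report describes in detail. It builds a minimal DNS sinkhole responder: it parses a single-question DNS query (handling RFC 1035 name compression), answers any A/IN query with a lab-chosen address, and returns an empty NOERROR response for anything else so the sample falls back rather than hangs. The hostname, transaction ID and sink address used in the sample query are constructed here for illustration; the UDP serving loop at the bottom is only reached when the file is run directly.

```python
"""Minimal DNS sinkhole responder for a sandnet (added example, not LURHQ's code)."""
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1
HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)


def encode_qname(name: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_qname(packet: bytes, offset: int):
    """Return (name, offset_after_name), following compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer seen
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0x1234) -> bytes:
    """Construct a plain recursive query (used here to make a sample input for the responder)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def parse_question(query: bytes):
    """Return (txid, name, qtype, qclass, offset_after_question) for a single-question query."""
    if len(query) < HEADER_LEN:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = decode_qname(query, HEADER_LEN)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    return txid, name, qtype, qclass, off + 4


def sinkhole_response(query: bytes, sink_ip: str, ttl: int = 60) -> bytes:
    """Answer every A/IN query with sink_ip; answer anything else with NOERROR and no records."""
    txid, _name, qtype, qclass, qend = parse_question(query)
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100  # echo the client's RD bit
    flags = 0x8480 | rd  # QR=1, AA=1, RA=1, RCODE=0
    question = query[HEADER_LEN:qend]
    if qtype == DNS_TYPE_A and qclass == DNS_CLASS_IN:
        # NAME is a pointer (0xC00C) back to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
        answer += socket.inet_aton(sink_ip)
        return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def serve(bind_ip: str, sink_ip: str, port: int = 53) -> None:
    """UDP loop: log each lookup the sample makes and steer it into the lab (not run by tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            _txid, name, qtype, _qclass, _end = parse_question(data)
            print(f"{addr[0]} looked up {name} (type {qtype}) -> {sink_ip}")
            sock.sendto(sinkhole_response(data, sink_ip), addr)
        except ValueError as exc:
            print(f"ignored malformed packet from {addr[0]}: {exc}")


if __name__ == "__main__":
    # Assumed lab addressing: the sandnet gateway at 10.0.0.1 resolves and serves everything.
    serve("10.0.0.1", "10.0.0.1")
```

Pointing the sample's DNS at this responder is what lets a sandnet keep the bot talking while every connection it attempts lands on a lab gateway you can log, as the report's passive monitoring relies on. Note that a sinkhole that answers every name also changes the sample's view of the world; a bot that checks for a known-bad hostname to detect analysis will see it resolve, which is the kind of built-in probe the researchers were wary of.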
Among the first commands that Mocbot receives is to download another piece of malicious code, a spam proxy Trojan horse dubbed Ranky. (Other security vendors, notably Symantec, also uncovered the Mocbot-Ranky connection this week.)