Network Computing is part of the Informa Tech Division of Informa PLC

Week's Windows Attack Turns PCs Into Spam Zombies

The bot that began infecting Windows PCs last weekend using a bug disclosed by Microsoft the previous week was after machines to add to a spam-spewing network of so-called "zombies," a security research firm said.

In a research report posted to its Web site, Chicago-based LURHQ concluded that the most recent version of Mocbot -- also called Wargbot and Graweg -- that exploited the vulnerability patched in the Aug. 8 MS06-040 security bulletin was "not especially unique."

By using a "sandnet" -- a tool that creates a virtual Internet through which malware can romp without endangering real systems -- LURHQ was able to spy on the command and control instructions issued to Mocbot by its controller, or bot herder.

"The bot herder cannot tell the difference between us and one of the bots," LURHQ reported in its write-up. "[But] active probing of the bot by the bot herder using built-in commands could give away our presence." Instead, LURHQ's researchers were able to monitor traffic between the bot and its herder, decrypt it, and read it in near-real-time.

Among the first commands that Mocbot receives is to download another piece of malicious code, a spam proxy Trojan horse dubbed Ranky. (Other security vendors, notably Symantec, also uncovered the Mocbot-Ranky connection this week.)
