Mocbot MS06-040 IRC Bot Analysis

By | August 15, 2006

Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability to spread. Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention beyond the ordinary anti-virus writeups and signatures.

Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but may also be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically, Chinese ISPs and government entities have been less than cooperative in taking action against malware hosted and controlled from within their networks.

