
[News] Got Malware? Wipe Windows and Reinstall (GNU/Linux).

Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack

,----[ Quote ]
| When Joe Stewart spotted a variant of the Mocbot Trojan hijacking
| unpatched Windows machines for use in IRC-controlled botnets, he
| immediately went to work trying to pinpoint the motive for the attacks.
| 
| [...]
| 
| "The only way to be [completely] sure the system is malware-free is
| to completely wipe the hard drive and reinstall the operating system,"
| he said.
| 
| [...]
| 
| "The entire scheme of mass infection is simply to facilitate the sending
| of spam. The proxy Trojan is also a bot of sorts; reporting in to a
| master controller to report its IP address and the socks port for use
| in the spam operation," Stewart said.
| 
| [...]
| 
| He immediately started seeing "loads of spam being pumped through our
| socks server." This was coming from dozens of IP addresses and using
| forged sender addresses.
| 
| The spam e-mails, which are now being pumped from infected Windows
| desktops, represented a range of the typical junk mail, Stewart said.
| 
| He found mail advertising everything from pornography to fake Rolex
| watches and pharmaceuticals.
| 
| [...]
| 
| "It's getting to the point where you might want to consider just
| rebuilding and reformatting machines after these attacks. If your
| security software doesn't spy on the botnet and know exactly what
| is being dumped on the machine, the malware can go undetected for
| a long time," Stewart said.
`----

http://www.eweek.com/article2/0,1895,2004922,00.asp
