Mocbot’s Spam Motive

Mocbot appears to be almost a non-event, as we predicted. I’m tracking only around 25 infected systems right now in the /8 netblock where I run my honeypot. Still, these things sometimes take time to get inside the corporate firewall, so we may yet see a couple of large organizations hit hard. In the meantime, ever wonder why someone would go through the trouble and risk of releasing malware like this? The answer is simple… money. And it all traces back to spam.

Mocbot reports back to a command-and-control channel to receive further instructions. One of these instructions we’ve witnessed is a command to download a spam proxy trojan known as Ranky. This turns the victim into a spam relay for every kind of spam you can imagine. I’ve detailed how the operation works, and what the spam looks like, in a follow-up to the previous analysis.
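From the network edge, a Ranky-style spam proxy shows up as a workstation that suddenly fans outbound SMTP connections out to many distinct hosts. The following detection sketch is an added example, not code from the original post; it runs over a constructed firewall-style connection log (fields: timestamp, source, destination, destination port, action), and the 20-destination threshold and the sanctioned mail server address are assumptions you would tune to your own environment.

```python
"""Flag internal hosts acting as outbound spam relays (added example)."""
from collections import defaultdict


def parse_line(line):
    """Parse 'timestamp src dst dport action' into a dict; skip malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, action = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_spam_relays(lines, min_dests=20, mail_servers=frozenset()):
    """Return {src: distinct SMTP destinations} for hosts that open outbound
    port-25 connections to at least min_dests distinct hosts, excluding the
    sanctioned mail servers. A workstation that matches is a strong sign a
    spam proxy trojan such as Ranky is running on it."""
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25 or rec["src"] in mail_servers:
            continue
        dests[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_dests}


def build_sample_log():
    """Constructed firewall-style log, not real traffic (assumed format)."""
    lines = []
    # Sanctioned mail server talking to a handful of remote MX hosts: normal.
    for i in range(5):
        lines.append(f"2006-08-14T10:00:0{i} 10.1.0.25 198.51.100.{i} 25 ALLOW")
    # Workstation browsing the web: normal.
    lines.append("2006-08-14T10:01:00 10.1.2.4 203.0.113.5 80 ALLOW")
    # Infected workstation fanning SMTP out to 30 distinct hosts: spam relay.
    for i in range(30):
        lines.append(f"2006-08-14T10:02:{i:02d} 10.1.2.3 192.0.2.{i} 25 ALLOW")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    hits = find_spam_relays(build_sample_log(), mail_servers={"10.1.0.25"})
    for host, n in hits.items():
        print(f"{host}: {n} distinct SMTP destinations -> possible spam relay")
```

Without the mail-server allowlist the legitimate relay still stays under the threshold here, but in a real network the allowlist is what keeps the rule from paging on your own MTA.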

The point here is that you never know what other malware may find its way onto a system once something like Mocbot has gotten a foothold. As the guys and gals at SANS like to say, “better to nuke the system from high orbit.”