The file is a spam proxy Trojan named Win32.Ranky.fv. "The entire scheme of mass infection is simply to facilitate the sending of spam. The proxy Trojan is also a bot of sorts; reporting in to a master controller to report its IP address and the SOCKS port for use in the spam operation," Stewart said.

Using the sandnet, he found that the Trojan was sending a 4-byte UDP packet to the "yu.haxx.biz" address. Stewart then mimicked this on an Internet-connected network with a fake SOCKS proxy that feeds into a blackhole SMTP server, in order to infiltrate the proxy network. He immediately started seeing "loads of spam being pumped through our SOCKS server." The spam was coming from dozens of IP addresses and using forged sender addresses.

The spam e-mails, which are now being pumped from infected Windows desktops, represented a range of the typical junk mail, Stewart said. He found mail advertising everything from pornography to fake Rolex watches and pharmaceuticals.

"It looks like this was a small, targeted attack for one simple reason. They wanted to stay under the radar. This is all about setting up small botnets and making money from spam. They could be the spammers themselves or the guys doing the dirty work and then renting the botnets to spammers," he said.

"This is a business model that is obviously working. They wouldn't be going to these lengths if it wasn't making money," Stewart added.

The LURHQ researcher says the recent attack proves that businesses and consumers should be careful about depending on existing anti-virus software. In the initial stages of the Mocbot attack, only one-third of anti-virus scanners tested by Stewart's research team were detecting the malware. "This was just a minor variant of something that was out there for months but the majority of scanners were missing it," he said.
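The "blackhole SMTP server" behind the fake SOCKS proxy is what lets a researcher watch a spam run without relaying a single message. As an added illustration (not LURHQ's tooling or code from the article), the following minimal SMTP sink accepts every envelope, records sender, recipients and body for analysis, and discards the result; the hostname `sink.example` and the transcript in `SAMPLE` are constructed for the example.

```python
import re

class BlackholeSMTP:  # per-connection SMTP sink: accepts everything, delivers nothing
    def __init__(self):
        self.captures = []          # finished messages, kept only for analysis
        self.cur = {"helo": "", "mail_from": "", "rcpt_to": [], "data": []}
        self.in_data = False

    def handle(self, line):
        """Process one client line; return the reply to send (None while in DATA)."""
        if self.in_data:
            if line == ".":                         # end-of-message marker
                self.cur["data"] = "\n".join(self.cur["data"])
                self.captures.append(self.cur)
                self.cur = {"helo": "", "mail_from": "", "rcpt_to": [], "data": []}
                self.in_data = False
                return "250 OK queued (silently discarded)"
            # undo dot-stuffing (RFC 5321 4.5.2) so the body is stored as sent
            self.cur["data"].append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.cur["helo"] = arg.strip()
            return "250 sink.example"               # constructed hostname
        if verb in ("MAIL", "RCPT"):
            m = re.search(r"<([^>]*)>", arg)        # envelope address, forged or not
            addr = m.group(1) if m else arg.split(":", 1)[-1].strip()
            if verb == "MAIL":
                self.cur["mail_from"] = addr
            else:
                self.cur["rcpt_to"].append(addr)    # never reject: keep the sender talking
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "250 OK"   # tolerate anything else

def sink_session(lines):
    """Feed a whole client transcript through the sink; return the captured messages."""
    sink = BlackholeSMTP()
    for ln in lines:
        sink.handle(ln)
    return sink.captures

# Constructed sample transcript (not real traffic) using a forged sender address.
SAMPLE = ["EHLO bot-host", "MAIL FROM:<forged@example.net>",
          "RCPT TO:<a@example.org>", "RCPT TO:<b@example.org>", "DATA",
          "From: forged@example.net", "Subject: cheap watches", "",
          "..not a terminator", "buy now", ".", "QUIT"]
```

Wrapping `BlackholeSMTP` in a socket server and pointing the fake SOCKS proxy's upstream at it gives the same view of forged senders and recipient lists that the article describes, with nothing ever leaving the lab.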
Even more worrisome is the fact that the attack included the use of botnet instructions to download the second-stage Trojan executable. "In this case, it was a spam proxy Trojan, but what if it was a rootkit? The rootkits are getting so good these days that the programs we typically rely on to find and clean machines just can't see them. There is still the possibility that the spammers could slip in a rootkit to hide things forever," he said.

"It's getting to the point where you might want to consider just rebuilding and reformatting machines after these attacks. If your security software doesn't spy on the botnet and know exactly what is being dumped on the machine, the malware can go undetected for a long time," Stewart said.

The lesson? "Don't get infected in the first place," Stewart said. He urged IT administrators to apply critical patches early and maintain several levels of defense against malware, including firewalls, anti-virus and system hardening.
With the spam proxy Trojan sitting on his test machine, Stewart was again able to join the spam proxy net to get an internal peek at the operations.