Mocbot (MS06-040) Spam Analysis

The Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.

The C&C servers, bniu.househot.com and ypgw.wallloan.com have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a sandard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.