ROKSO Home  |  ROKSO FAQs & Policies  |  About Spamhaus  |  FAQs
The Register of Known Spam Operations
Vincent Chan gang

Evidence Menu:

Vincent Chan gang Index

Country: Hong Kong
Vincent Chan and his Chinese partners have been sending spam for years. They mainly do pharmacy, and are able to send out huge amounts daily. They use vast numbers of compromised computers -- for sending, hosting and proxy hijacking. Now seem to be an "oursourced" server obtainer for other spam gangs.

Vincent Chan gang SBL Listings History
Current SBL Listings
Archived SBL Listings

Involvement in Mocbot

Mocbot is a bot that exploits the vulnerabilities mentioned in MS06-040. When this was first discovered in august of 2006 one of the first spam seen being sent through machines compromised with that bot are known to be of the Vincent Chan gang. This suggest either involvement with this bot or a very close relationship to the creators of it.


From (the second and third samples are by Vincent Chan and his partners-in-spam):

Release Date
August 15, 2006

The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.

The C&C servers, and have been published in most writeups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a sandard IRC client to poke around. This kind of action might get you banned from the server (if you're lucky) or DDoSsed.

The botherder can tell the difference between the bots and an interloper by noting the nickname and username of the connecting client. Bots usually generate their login information using an algorithm, so unless you are using the same algorithm, you're going to stick out like a sore thumb.

The easiest way to get the information you need to spy on the C&C without being spotted is to run the bot in a sandnet, and let it connect to a fake IRC server first. Then you can use the credentials to log in to the real server.

For Mocbot, we use the sandnet to obtain the following IRC login sequence generated by the bot:

USeR l l l l
NiCK n1-e6f01a0d
USeRHOST n1-e6eb410c
JOiN #n1 nert4mp1

We can then use telnet to connect to the C&C server on port 18067 and spy on the control channel.

Upon joining the control channel, "#n1", with the correct password, "nert4mp1", the botherder cannot tell the difference between us and one of the bots. However, active probing of the bot by the botherder using built-in commands could give away our presence - we could be discovered at any moment. Once again, this is risky business - don't do this unless you are prepared for the possibility of a DDoS attack on your IP address!

For now, however, we can see very little - the IRC server code has been stripped down to give almost no information to the client, except the channel topic line:

!Q gjcaekepejeocacdha

This is an encrypted command sequence, which, when decoded, reads;

i JOIN #p

The command "i" tells the bot to repeat the rest of the text back to the IRC server, causing it to now join another control channel, "#p". If we go ahead and join that channel, we see a new encrypted topic message:

!Q gfcagihehehadkcpcpgngfgegjgbcohagjhihagpgogecogdgpgncpgmdjhcgedgghcogkhagh

When decoded, the command reads:


The command "e" is an instruction to download and execute the file in the provided URL. Getting this file onto our system has been the goal all along. Antivirus scanning recognizes it as Trojan-Proxy.Win32.Ranky.fv - a spam proxy trojan.

So at this point, it seems as if this entire scheme of mass infection is simply to facilitate the sending of spam. The proxy trojan is also a bot of sorts; reporting in to a master controller to report its IP address and the socks port for use in the spam operation. If we once again mimic these operations, we can effectively join the spam proxy net, and see what is traversing it.

Using our sandnet again, we can see that the first thing the trojan does is bind to a port, and send a 4-byte UDP packet to Emulating this on an Internet connected network with a fake socks proxy that feeds into a blackhole SMTP server, we can infiltrate the proxy network.

Before too long, we begin to see loads of spam being pumped through our socks server, from dozens of IP addresses:

Received: from localhost ([] helo=lwaxana.gabriel.UFPE.BR)
.by with esmtp (Exim 3.67 #1 (gabriel)) <- forged
.id 8AHg7h-5464bE-00; Sun, 13 Aug 2006 17:09:11 -0800
Date: Sun, 13 Aug 2006 17:09:11 -0800
From: [removed]
To: [removed]
Subject: Beauty.Krystal
Message-Id: <>


Three women within 10 miles of your home
are interested in a "desperate get wild" date:

Teressa- 110lbs, 34c, blonde, tan
Krystal- 123lbs, 36d, brown hair
Kylie- 128lbs, 36bb, dark hair & skin

*Sex Depraved Housewives is a registered trademark.


Method to be de-listed.

Date: Sun, 13 Aug 2006 11:17:54 -1100
From: [removed]
User-Agent: Mozilla 4.74C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)
MIME-Version: 1.0
To: [removed]
Subject: it's here at
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit


Just wanted to tell you about the gifts I just bought for my mom.
This cyber site sells precisely what we have been hunting for
and it gives gives you the first-class service you deserve.
Simply check out the goods at


and tell me what you wanna purchase.

looked on and listened in organ a sort of
wishes her more shell than Tsa?"
single word Ata. They tried to get Lys note

Message-ID: <>
Date: Sun, 13 Aug 2006 23:24:20 +0400
From: [removed]
User-Agent: Opera/7.02 (Windows ME; U)
MIME-Version: 1.0
To: [removed]
Subject: last wk
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit


Thought you wanted to know about the present I just bought for my brother.
They've just been dying for a new time keeper, I just couldn't afford one,
well that is until i came upon


Geez. This site makes me confused as to why I even trouble myself with
making the voyage to the shopping center!

crisp points. And so, as night was drawing
I shell will not harm you
Africa understand why she refused. After the first

The spam is very typical of what we see these days, the sites advertised are hawking anything from porn to fake Rolexes to pharmaceuticals:

[Spam site 1] [Spam site 2]

Obviously there is money being made here - the economics of exploiting end-user systems for the purposes of spam has been an established business model for at least four years now.

Can your antivirus protect you from becoming part of the proxy network? Not by itself - we saw that with the release of Mocbot, only 1/3 of tested antivirus scanners detected it, even though it was little changed from the variants released over the previous six months. Another factor is the use of the IRC C&C to provide instructions to automatically download the second-stage trojan executable. If your antivirus company is not spying on these control channels on an ongoing basis, there is no way to know what malware is being installed after the initial infection. So, when you remove Mocbot from an infected system, the malware that was subsequently downloaded may go undetected for some time - which is fine with the botherder, as thats the executable they really wanted you to run anyway.

In the case of a system that has become infected with a trojan, worm or virus, unless you are a malware expert, the only way to be 100% sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system. The lesson here is to not become infected in the first place - which means upgrade and patch early, and maintain several levels of defense against malware, including firewalls, antivirus, system hardening. The most important defense however, is maintaining a general awareness of the threats facing Internet users each day.

The LURHQ Threat Intelligence Group would like to thank myNetWatchman for their valuable assistance in analyzing the Ranky trojan.

Related URLs

A description of MS06-040.
The original LURHQ analysis of MocBot which includes the pictures of the spamsites.

The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is:

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy