Mytob variants have been appearing weekly since the spring. The family combines MyDoom-class mass-mailing propagation with Phatbot-class IRC-bot command-and-control. The hybrid architecture is structurally important.
This post is a longer treatment because the merging of categories matters more than any specific variant.
What Mytob is
Mytob's architecture combines elements from earlier malware families:
Mass-mailing propagation. Mytob propagates via email: it harvests addresses from files on the compromised host, mails itself to each of them through its own SMTP engine, and repeats from every new victim. The mass-mailing engine is inherited from MyDoom (Mytob is built on MyDoom's code); the mail volume per variant is substantial.
IRC-bot command-and-control. Once installed, Mytob connects to a hardcoded IRC server, joins a specific channel, and waits for commands. The command vocabulary includes DDoS, additional-malware download, scanning for additional targets, credential harvesting.
Multiple exploitation paths. Beyond mass-mailing, Mytob variants spread through the same Windows network holes the 2003-2004 worms used: the LSASS overflow (MS04-011), the DCOM RPC overflow (MS03-026), and weak or blank passwords on administrative SMB shares. The combined exploitation surface is broader than mass-mailing alone, and a host that never opens an attachment can still be compromised from an already-infected neighbour on the same LAN.
Variant-specific customisation. Different variants connect to different IRC servers, target different victim populations, include different secondary functionality. The cumulative population of variants is large; specific signatures cannot keep pace.
The combination is the key property. Mytob is simultaneously a mass-mailer and a bot. The compromised population it builds is immediately usable for the same operations that earlier dedicated bot families supported.
Why merging the categories matters
Three observations.
The compromise infrastructure is more resilient. A pure mass-mailer (MyDoom style) loses propagation capability once enough operators filter the specific signature. A pure bot (Phatbot style) requires specific exploitation to grow. Mytob does both — mass-mailing builds the population while bot-style operations monetise it.
The economic infrastructure is more efficient. Operators who buy or rent compromised hosts no longer need separate populations for spam-relay, DDoS, and credential-theft purposes. A single Mytob population supports all of these. The cumulative economic value per compromised host grows.
The defensive response is harder. Defending against pure mass-mailers (mail filtering, attachment stripping) is operationally mature. Defending against pure bots (network filtering, anomalous-behaviour detection) is operationally mature. Defending against the hybrid requires both, simultaneously, with coordination across the defensive layers.
The merging is the structural shift. The threat landscape is consolidating; the dedicated-purpose malware families of 2003-2004 are giving way to multi-purpose hybrid families.
What is in the variants
Mytob has produced on the order of fifty distinct variants by mid-2005 (the count varies by source, and by how a source defines a variant). The cadence is roughly weekly; the differences between variants are small and fall into a few patterns.
Specific patterns across the variants:
The IRC-server pool varies. Each variant connects to one or more specific IRC servers; the cumulative server population is large enough that takedown is structurally difficult.
The mass-mailing payload varies. Subject lines, message bodies, attachment names — all differ across variants. The cumulative mail-relay-filter signature load is substantial.
The exploitation paths vary. Some variants emphasise mass-mailing; some emphasise network exploitation; some include both. The variation produces resistance to specific defensive approaches.
The secondary payloads vary. Some variants include credential-harvesting; some include rootkit components; some include specific commercial-cybercrime functionality. The variation reflects different operator preferences.
The variant-specific differences suggest specific authors are iterating, presumably motivated by economic incentives — different variants for different customers, or different variants to defeat specific defensive responses.
What operators should do
For mail-relay operators:
Continued aggressive filtering. Standard executable-attachment stripping (.exe, .scr, .pif, .com, and ZIP archives that contain them), plus the subject-line and sender patterns of the current variants. The catch rate for known variants is high, and the attachment stripping also catches variants whose subject lines have not been seen yet.
Pattern-based detection beyond signatures. Behavioural analysis of incoming mail (unusual sender patterns, unusual attachment patterns, unusual content patterns) catches variants that signature-based approaches miss.
Outbound mail filtering. Compromised internal hosts attempting to mass-mail are detectable through outbound filtering. The detection is straightforward; the response is investigation.
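A minimal version of the attachment check the mail-relay paragraphs above describe, as an added example; it is not code from the post or from any relay product. It is Python, assumes the relay can hand a raw message to a policy hook, and treats the executable-extension list, the sample message and its fake PE bytes as constructed for illustration.

```python
"""Attachment policy check for an inbound mail relay (added example).

Flags what a Mytob-style mass-mailer attaches: a bare executable, a
double-extension name such as "readme.txt .scr", or a ZIP archive that
wraps an executable. The extension list, sample message and fake PE bytes
below are constructed for illustration, not taken from the post.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute on double-click (assumed policy list).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def dangerous_name(filename):
    """Return a reason if the name ends in an executable extension, else None.

    Lower-cases, strips trailing spaces, and takes the *last* extension so
    "report.txt .exe" is still caught.
    """
    if not filename:
        return None
    name = filename.lower().rstrip()
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1]
    if ext in EXEC_EXT:
        return f"executable extension {ext}"
    return None


def dangerous_zip(data):
    """Look inside a ZIP payload for executable members; unreadable ZIPs are flagged too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = dangerous_name(member)
                if reason:
                    return f"zip member {member!r}: {reason}"
    except zipfile.BadZipFile:
        return "attachment named or typed as zip is not a readable archive"
    return None


def check_message(raw_bytes):
    """Return [(filename, reason)] for every attachment the relay should strip."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = dangerous_name(fname)
        # Check archives by name or by magic, since a renamed ZIP still opens.
        if reason is None and (fname.lower().endswith(".zip") or payload[:2] == b"PK"):
            reason = dangerous_zip(payload)
        if reason:
            findings.append((fname, reason))
    return findings


def build_sample():
    """Constructed look-alike message: ZIP wrapping an EXE, a benign PDF, a double-extension EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ" + b"\x00" * 16)  # fake PE stub, constructed
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("The original message has been included as an attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="readme.txt .scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in check_message(build_sample()):
        print(f"strip {fname!r}: {reason}")
```

The ZIP is opened by magic as well as by name, because a mass-mailer that renames its archive to something innocuous still relies on the recipient's unzip tool recognising the content; the double-extension case is handled by taking the last extension after trailing whitespace is removed.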
For network operators:
Outbound IRC blocking at perimeters where IRC is not legitimate business. With the command channel cut, a compromised host is useless to its operator even if it remains infected. Blocking by port (6667 and its neighbours) is the easy half; bots are frequently pointed at non-standard ports, so the check worth having looks at the protocol (an outbound NICK/USER/JOIN registration on any port) rather than the port number.
Anomalous-behaviour detection for compromised hosts. Workstations contacting many external IPs on uncommon ports; workstations with unexpected mail-relay activity; workstations with credential-harvesting patterns.
Patch management for the standard exploitation paths. The vulnerabilities Mytob exploits over the network have had patches available since 2003-2004; a host that is current on patches cannot be added to the population by that route, though it can still be added by a user running the attachment.
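An added example that covers both the outbound-mail check from the mail-relay section and the anomalous-behaviour detection above; it is not the post's code or any vendor's. The flow-record format, the internal address range, the relay address, the fan-out threshold and the sample records (including the IRC nick) are all constructed assumptions.

```python
"""Flow-record triage for Mytob-style hybrid behaviour (added example).

Two signals from one pass over connection records:
  1. a workstation (not the relay) opening SMTP to many distinct external
     hosts, i.e. mass-mailing from an infected host instead of via the relay;
  2. a workstation whose first client bytes are an IRC registration
     (NICK/USER/JOIN), on any port, i.e. bot command-and-control.
Record format, internal range, relay address, threshold and sample records
are all constructed assumptions, not taken from the post.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
MAIL_RELAYS = {"10.0.0.25"}                       # hosts allowed to speak SMTP outbound (assumed)
SMTP_FANOUT_THRESHOLD = 5                         # distinct external SMTP peers per host (assumed)
IRC_REGISTRATION = re.compile(r"^(NICK|USER|JOIN)\s", re.IGNORECASE)

# One record per connection; "payload" is the first client bytes, when logged.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)'
    r'(?: payload="(?P<payload>[^"]*)")?$'
)


def parse(line):
    """Return the record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Map source host -> list of findings for hosts showing either signal."""
    smtp_peers = defaultdict(set)
    irc_conns = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        # Only outbound traffic from internal hosts is of interest here.
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
            continue
        if dport == 25 and src not in MAIL_RELAYS:
            smtp_peers[src].add(dst)
        if IRC_REGISTRATION.match(rec.get("payload") or ""):
            irc_conns[src].append((dst, dport))

    findings = {}
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            findings.setdefault(src, []).append(
                f"smtp fan-out to {len(peers)} external hosts")
    for src, conns in irc_conns.items():
        ports = sorted({p for _, p in conns})
        findings.setdefault(src, []).append(
            f"irc registration to {len(conns)} peers on ports {ports}")
    return findings


# Constructed records: 10.1.2.3 is infected, 10.0.0.25 is the relay, 10.1.2.7 is clean.
SAMPLE_LOG = """\
2005-06-14T10:02:11 src=10.1.2.3 dst=203.0.113.5 dport=25
2005-06-14T10:02:12 src=10.1.2.3 dst=203.0.113.6 dport=25
2005-06-14T10:02:12 src=10.1.2.3 dst=198.51.100.7 dport=25
2005-06-14T10:02:13 src=10.1.2.3 dst=198.51.100.8 dport=25
2005-06-14T10:02:14 src=10.1.2.3 dst=192.0.2.9 dport=25
2005-06-14T10:02:15 src=10.1.2.3 dst=192.0.2.10 dport=25
2005-06-14T10:02:30 src=10.1.2.3 dst=192.0.2.44 dport=4546 payload="NICK [USA|XP|311292]"
2005-06-14T10:02:31 src=10.1.2.3 dst=192.0.2.44 dport=4546 payload="USER abc 0 0 :abc"
2005-06-14T10:03:00 src=10.0.0.25 dst=203.0.113.5 dport=25
2005-06-14T10:03:01 src=10.0.0.25 dst=203.0.113.6 dport=25
2005-06-14T10:03:02 src=10.0.0.25 dst=198.51.100.7 dport=25
2005-06-14T10:03:03 src=10.0.0.25 dst=198.51.100.8 dport=25
2005-06-14T10:03:04 src=10.0.0.25 dst=192.0.2.9 dport=25
2005-06-14T10:04:00 src=10.1.2.7 dst=203.0.113.80 dport=80 payload="GET / HTTP/1.1"
2005-06-14T10:04:05 src=10.1.2.7 dst=192.0.2.9 dport=25
"""

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(host, "->", "; ".join(reasons))
```

The relay is exempted from the fan-out rule by address rather than by port, since a relay legitimately talks SMTP to many peers; everything else on the inside that does so is a candidate mass-mailer. The IRC rule deliberately ignores the destination port, which is what makes it useful against a variant that has been pointed at 4546 instead of 6667.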
For end users:
Standard malware defences. Antivirus, current patches, careful with attachments. The advice is unchanged from previous categories; the hosts that follow it are not added to the substrate.
What I am observing on my own infrastructure
The honeypot range is seeing substantial Mytob-class activity. Specific patterns:
- Mass-mailing attempts hitting the mail-relay; the standard filtering catches all of them.
- Network-exploitation attempts against the emulated Windows hosts; the captures show attempted IRC connections after compromise.
- Specific variants visible across multiple weeks; the cumulative variant inventory continues growing.
For my structured-log analysis: the volume of Mytob-related signal has grown substantially over the past quarter. Specific variants are visible in the captures; the cumulative trajectory matches the public reporting.
A reflection on the trajectory
The merging of mass-mailing and bot categories is the structural shift of 2005. Earlier years had distinct categories; the hybrid is now operationally dominant. Specific subsequent worms will probably continue the pattern; the dedicated single-purpose malware family is becoming a historical artefact.
The cumulative implication: the threat-actor population is increasingly integrated with the malware-author population. Specific operators run the bot infrastructure; specific authors produce the variants; specific customers monetise the compromised hosts. The cumulative economic infrastructure operates as a coherent ecosystem.
For my own writing: more on this trajectory as it develops. The cumulative archive of bot-and-worm writing will be useful reference for understanding the broader category evolution.
More in time.