Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year.  As a matter of fact, the sudden shut down of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings.  In this article I am going discuss different aspects of Donbot, first as a malware and then in the later half I will try to shed some light on its command and control architecture.

Lets start with a particular donbot sample (273a07dccdfff421bfde652912f02e32).  Like its peer botnets (Ozdok, Xarvester etc), Donbot is also a template based spam bot.  Everything from the subject line to the mailing list, the message body, and the User Agents to be used in the SMTP headers are retrieved from the CnC server. 

We have taken a look at a couple of the Gumblar associated malware samples, you can see some VirusTotal results here & here.

A leap into the unknown is a series which will discuss some lesser known malware, that has a reasonably good command and control structure.  Most of this malware might not be totally new to the AVs, but they were never considered for more than just creating a signature.  Little or no effort has been made to disclose the motivation behind creating this malware, the CnC architecture, or the people behind it.  These articles are not to prove that "My (discovered) botnet is bigger than yours".  No offense to those who may already know about this malware and might not agree with the word 'unknown' in the title of this article. There is always someone who knows more than you do.