August 31, 2011

Morto using DNS for command-and-control

Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.

The DNS is a critical component of internet infrastructure that translates IP addresses into memorable domain names, such as SCMagazineUS.com.

Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. Such records were originally used to allow text to be stored with a DNS record. Nowadays, however, they more often are used to store machine-readable data.

“The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.

When analyzing the malware, researchers discovered that once installed on a machine, it attempts to request a DNS record for a number of URLs. But instead of asking for a domain IP lookup, the malware queries for TXT data only. The returned TXT record contains instructions the malware should perform on compromised systems.

“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record,” Mullaney wrote. “The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”

Researchers earlier this week warned that Morto is spreading in the wild, targeting Windows workstations and servers. The worm is the first to propagate via RDP, a technology developed by Microsoft that enables users to remotely connect to their computer.

It spreads by scanning infected computers' local networks for machines with RDP enabled. When a remote desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.

Related Articles
Related Topics

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.