August 31, 2011

Morto using DNS for command-and-control

Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.

The DNS is a critical component of internet infrastructure that translates IP addresses into memorable domain names, such as SCMagazineUS.com.

Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. Such records were originally used to allow text to be stored with a DNS record. Nowadays, however, they more often are used to store machine-readable data.

“The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.

When analyzing the malware, researchers discovered that once installed on a machine, it attempts to request a DNS record for a number of URLs. But instead of asking for a domain IP lookup, the malware queries for TXT data only. The returned TXT record contains instructions the malware should perform on compromised systems.

“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record,” Mullaney wrote. “The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”

Researchers earlier this week warned that Morto is spreading in the wild, targeting Windows workstations and servers. The worm is the first to propagate via RDP, a technology developed by Microsoft that enables users to remotely connect to their computer.

It spreads by scanning infected computers' local networks for machines with RDP enabled. When a remote desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.

Related Articles
Related Topics

More in News

Attackers use Skype, other IM apps to spread Liftoh trojan

Countries in Latin America have been the primary targets in this campaign, researchers say.

Scammers on the hunt for Memorial Day deal watchers

Like they do with major news events and other holidays, online fraudsters are seeking to cash in on the upcoming Memorial Day weekend.

Proxy research firm settles charges with SEC over client breach

Institutional Shareholder Services (ISS), a research firm the advises clients on voting in proxy fights, must pay $300,000 to the U.S. Securities and Exchange Commission.