August 31, 2011

Morto using DNS for command-and-control

Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.

The DNS is a critical component of internet infrastructure that translates IP addresses into memorable domain names, such as SCMagazineUS.com.

Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. Such records were originally used to allow text to be stored with a DNS record. Nowadays, however, they more often are used to store machine-readable data.

“The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.

When analyzing the malware, researchers discovered that once installed on a machine, it attempts to request a DNS record for a number of URLs. But instead of asking for a domain IP lookup, the malware queries for TXT data only. The returned TXT record contains instructions the malware should perform on compromised systems.

“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record,” Mullaney wrote. “The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”

Researchers earlier this week warned that Morto is spreading in the wild, targeting Windows workstations and servers. The worm is the first to propagate via RDP, a technology developed by Microsoft that enables users to remotely connect to their computer.

It spreads by scanning infected computers' local networks for machines with RDP enabled. When a remote desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.

Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.