Morto Worms’ Squirmed Revelation

Morto Warm can be circulated by using the Remote Desktop Protocol and it employs a way out to contact its C&C for taking down instructions through Domain Name System (DNS) TXT records, according to the news published in HELP NET SECURITY on September 02, 2011.

Security firm Symantec asserts that though a lot of mileage has been given to the recent RDP capable W32.Morto worm, one of the most significant aspects related to the worm's behavior has been left out. Most of the malware studied of recent constitutes some means of communication with a remote Command and Control (C&C) server. However, the actual vector of communication seems to differ between threats.

For instance, W32.IRCBot employs Internet Relay Chat channels while the latest malware threat, Trojan.Downbot is competent of reading commands that are embedded in the HTML pages and even image files. W32.Morto has also supplemented itself by adding another C&C communication vector by providing remote commands via Doman Name System (DNS) records.

While investigating the concept of W32.Morto, Security Response Engineer at Symantec,
Cathal Mullaney, explained that the virus would attempt to request a DNS record for various URLs that were hard-coded into the binary, as reported in news published in HELP NET SECURITY on September 02, 2011.

The researchers further asserted that DNS is mainly employed for translating human readable URLs including "Symantec.com", into numerical identifiers (216.12.145.20). Each URL on the Internet is gradually resolved to an associated IP address by employing this system, by using a DNS A record for IPv4. It is the A record what is usually talked about while discussing DNS.

However, this is not a bizarre activity and on examining the URLs, experts did notice that there were no associated DNS A records that restored back on DNS request. Mullaney also reported that on further investigation, the malware was found to be actually inquiring for a DNS TXT record only and not exactly for a domain to IP lookup. Even the values that retreaded were quite unanticipated.

Apart from all these, Symantec also disclosed that W32.Morto constitutes various interesting characteristics including the RDP propagation raising many eye brows of recent; safeguarding the encrypted payload code in the system registry; and substituting many smaller system DLLS with its own payload code.

Related article: Marriott Hacker Gets Sentenced to Jail

» SPAMfighter News - 9/12/2011