Death worm phones home over DNS

Powered by SC Magazine
 

The Windows Morto worm uses DNS TXT records to contact servers.

Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.

The DNS is a critical component of internet infrastructure that translates IP addresses into memorable domain names.

Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. Such records were originally used to allow text to be stored with a DNS record. Nowadays, however, they more often are used to store machine-readable data.

“The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.

When analyzing the malware, researchers discovered that once installed on a machine, it attempts to request a DNS record for a number of URLs. But instead of asking for a domain IP lookup, the malware queries for TXT data only. The returned TXT record contains instructions the malware should perform on compromised systems.

“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record,” Mullaney wrote. “The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”

Researchers earlier this week warned that Morto is spreading in the wild, targeting Windows workstations and servers. The worm is the first to propagate via RDP, a technology developed by Microsoft that enables users to remotely connect to their computer.

It spreads by scanning infected computers' local networks for machines with RDP enabled. When a remote desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Death worm phones home over DNS
 
 
 
Top Stories
Abbott brings back Science minister in cabinet reshuffle
Science tacked onto to Industry title.
 
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1902

Vote
Do you support the abolition of the Office of the Information Commissioner?