Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.
The DNS is a critical component of internet infrastructure that translates IP addresses into memorable domain names.
Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. Such records were originally used to allow text to be stored with a DNS record. Nowadays, however, they more often are used to store machine-readable data.
“The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.
When analyzing the malware, researchers discovered that once installed on a machine, it attempts to request a DNS record for a number of URLs. But instead of asking for a domain IP lookup, the malware queries for TXT data only. The returned TXT record contains instructions the malware should perform on compromised systems.
“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record,” Mullaney wrote. “The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”
Researchers earlier this week warned that Morto is spreading in the wild, targeting Windows workstations and servers. The worm is the first to propagate via RDP, a technology developed by Microsoft that enables users to remotely connect to their computer.
It spreads by scanning infected computers' local networks for machines with RDP enabled. When a remote desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.