
Morto: Not your average creepy-crawly worm

As malware goes, Morto has something new to offer. It's conversant in DNS-speak. Michael Kassner describes how it works.

You already know how to keep malware at bay. We purveyors of IT security are all over the subject. So it's okay to ask. Why in the heck write about malware -- yet again?

Simple. Malware coders are busy, meaning things have changed since I wrote 10 ways to detect malware and 10 more ways to detect malware, particularly when it comes to phoning home for orders.

Next question

Why a digital worm? They're so yesterday, barely worth the effort when compared to trojans and rootkits, the current malware du jour. True, except for one new and improved wiggler.

Worm refresher

What is a worm? It is commonly defined as malware that can infect and replicate without our help. It does so by using:

  • Penetration tools: Leverage vulnerabilities on the victim computer to gain access.
  • Installers: Transfer the main body of malcode to the victim.
  • Discovery tools: Locate other computers on the network, along with e-mail addresses, host lists, and DNS information.
  • Scanners: Determine whether any of the newly found target computers are vulnerable to the exploits available in the penetration tools.
  • Payload droppers: Deposit additional malcode to carry out the wishes of the worm developer.

Like most malware today, worms begin their journey as a drive-by download served from a malicious website or a compromised legitimate website. Once safely embedded, a computer worm immediately starts checking for other susceptible computers; the need to procreate is overpowering.

A worm called Morto

Enough generalities; we're here to learn about an Internet worm called Morto. On the surface, it's typical. But investigators did find something odd. Unlike any malware seen before it, Morto propagates using Remote Desktop Protocol (RDP), which you may recognize as Microsoft's way to remotely access computers.

I'm guessing, with RDP so prevalent, Morto developers thought it would be a great way to locate and access other computers on the same network.

Most pros -- and I agree -- think using RDP is lame. First, RDP is not enabled by default on Windows 7. That stops Morto cold. As I see it, finding computers with RDP enabled is most likely to occur in a business setting. Doing so helps harried system admins fix computer problems without having to wander all over the building.

Regardless, it's easy to sidestep Morto. Change the RDP listening port to something other than the default of 3389, and make sure all admin user accounts have complex passwords.
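As an added example (not the author's code), here is a sliding-window check over failed RDP logon records that flags an internal source cycling through several administrative account names the way a password-guessing worm would, while ignoring a single user who simply mistypes their own password. The log lines, hosts and account names are constructed, and the assumption is that they were extracted from the target's failed-logon events for the RDP logon type.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified failed-logon records (not from a real host). The
# assumption is that they came from the target's Security log failed-logon
# events (4625) whose logon type is 10, RemoteInteractive, i.e. RDP.
SAMPLE_FAILURES = """\
2011-08-28T10:01:02 src=10.0.0.5 user=administrator
2011-08-28T10:01:03 src=10.0.0.5 user=admin
2011-08-28T10:01:03 src=10.0.0.5 user=a
2011-08-28T10:01:04 src=10.0.0.5 user=administrator
2011-08-28T10:01:05 src=10.0.0.5 user=administrator
2011-08-28T10:30:00 src=10.0.0.8 user=jsmith
2011-08-28T10:30:20 src=10.0.0.8 user=jsmith
2011-08-28T10:30:40 src=10.0.0.8 user=jsmith
2011-08-28T10:31:10 src=10.0.0.8 user=jsmith
2011-08-28T10:31:30 src=10.0.0.8 user=jsmith
"""

THRESHOLD = 5                 # failures from one source inside the window
WINDOW = timedelta(minutes=5)
MIN_ACCOUNTS = 2              # a worm tries several names; a typo hits one


def parse_failure(line):
    """Return (timestamp, source address, account name) for one record."""
    ts, src, user = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], user.split("=", 1)[1]


def find_rdp_guessing(log_text, threshold=THRESHOLD, window=WINDOW,
                      min_accounts=MIN_ACCOUNTS):
    """Map each source that reaches `threshold` failed RDP logons against at
    least `min_accounts` distinct accounts within any `window` to the sorted
    list of account names it tried in that burst."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user = parse_failure(line)
            by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # oldest first
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = sorted({user for _, user in events[start:end + 1]})
                if len(accounts) >= min_accounts:
                    flagged[src] = accounts
                    break
    return flagged
```

With the sample data only 10.0.0.5 is reported, because 10.0.0.8 hammers one account and is treated as a forgotten password rather than a spreading worm.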

Command and control

I'm glad you stuck with me through the prelims. Now it gets interesting.

The importance of command and control (C and C) communications cannot be overstated. Ask any military aficionado.

That fact is not lost on malware developers. Rather than flying blind, they started exchanging information with infected computers over Internet Relay Chat (IRC); IRC bots are one example. Currently, the method of choice for sending C and C traffic employs services like Twitter and Facebook messaging.

Morto is unique

Upon first glance, Morto does not appear to have any means to communicate. Strange. Being new malcode, I'd expect it to.

Then I came across the blog post "Morto worm sets a (DNS) record," by Symantec's Cathal Mullaney. While reverse-engineering Morto, a team from Symantec discovered something: Morto can communicate. It phones home using the Domain Name System (DNS).

Darn. Yet another hole punched in the beleaguered DNS protocol. Here's how Symantec figured out what Morto was doing:

"While examining W32.Morto, we noticed that it would attempt to request a DNS record for a number of URLs that were hard-coded into the binary. This is by no means unusual or unique, but when we examined the URLs, we noticed that there were no associated DNS A records returned from our own DNS requests.

On further investigation, we determined that the malware was actually querying for a DNS TXT record only -- not for a domain to IP lookup -- and the values that were returned were quite unexpected."

Here are the results (courtesy of Symantec):

Symantec explains what the Morto-infected computer does with this information:

"The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record. The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution."

The downloaded file is the payload I described earlier, and it's up to the Morto developers what additional malcode gets downloaded and installed.
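Added example, not Symantec's or the author's code: a small detector that reads DNS query-log lines and flags TXT answers that look like opaque encoded tasking data rather than the SPF, DKIM, DMARC or site-verification text that TXT records normally carry. The log format, client addresses, domain names and the hex answer are all constructed for the example.

```python
import math
import re

# Legitimate, common TXT uses; an answer starting with one of these is never
# flagged even when the rest looks like an opaque blob (DKIM keys do).
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")

# One token of base64/hex-style characters, no spaces, at least 32 characters
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")
ENTROPY_THRESHOLD = 3.0  # bits per character; repeated padding scores far lower

# Constructed query-log lines (not real Morto traffic or real domains):
# timestamp, client, queried name, record type, answer (quoted text for TXT).
SAMPLE_LOG = """\
2011-08-28T09:12:01 10.0.0.7 example.com TXT "v=spf1 include:_spf.example.com -all"
2011-08-28T09:12:05 10.0.0.7 mail._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"
2011-08-28T09:13:10 10.0.0.9 www.example.com A 93.184.216.34
2011-08-28T09:14:44 10.0.0.7 update.example.invalid TXT "8f3a2c19d4e7b06a5c2d91f0e3b7a4c6d8e1f2a3b4c5d6e7f8091a2b3c4d5e6f"
2011-08-28T09:14:45 10.0.0.9 update.example.invalid TXT NXDOMAIN
"""


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for an empty or one-symbol string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into (client, qname, qtype, answer); None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    _ts, client, qname, qtype, answer = parts
    return client, qname, qtype.upper(), answer.strip().strip('"')


def is_opaque_txt(answer):
    """True when a TXT answer is an unexplained encoded blob, not known text."""
    if answer.startswith(KNOWN_TXT_PREFIXES):
        return False
    return bool(OPAQUE_TOKEN.match(answer)) and shannon_entropy(answer) > ENTROPY_THRESHOLD


def find_suspicious_txt(log_text):
    """Return (client, qname, answer) for every TXT answer that looks like tasking."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "TXT":
            continue
        client, qname, _qtype, answer = rec
        if is_opaque_txt(answer):
            hits.append((client, qname, answer))
    return hits
```

Run over the sample, only the 10.0.0.7 query for update.example.invalid is reported; the SPF and DKIM answers pass because of their known prefixes, and the NXDOMAIN response carries nothing to inspect.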

Final thoughts

On a grand scale, Morto does not have the wow-factor of malware like Zeus. Still, it feels like a significant step -- a leap, maybe -- in the evolution of malware. Communicating via DNS TXT records is subtle, yet effective -- exactly what the bad guys want.


46 comments
ejhonda

Had a laptop turn up with a Morto infection. Symantec's SEP v11 didn't detect it. Had to reformat the laptop in order to be sure it was clean. Wondering if this thing has continued to morph.

bkindle

Ha, I had someone tell me the other day I needed to dump LogMeIn and go back to RDP because LMI was unsecure and banned in 40 states.......and they were serious too. I love reading information that's contradictory of those claims! With that out of the way, this sounds like a nasty little worm, the fact that it is using DNS to exploit the heart of a network, a DNS server and its replies. Am I understanding that correctly?

xangpow

If you have someone that keeps using easy-to-break passwords, even after explaining why you would need hard passwords, would it be safe to say that just changing the port number would be enough? (I have gotten to the point that I leave him alone. When something happens I just look at him and he swears that either 1) "I HAD a complex password" or 2) "The password had nothing to do with it." I just think "well HE is the reason I might not get fired." lol)

link470

What did you mean by "Most pros - and I agree - think using RDP is lame."? Just curious if you meant "the fact that this worm uses RDP is lame" or if you actually thought RDP was lame and most IT pros agree. I like using it myself, seeing as it's by far the easiest way to connect to a Windows Server for administration, and it's based on a Citrix core from what I know of. Just wanted to check, since I'd be surprised if many IT pros think using RDP is lame as it's the only best option for many. I don't use it for connecting to client desktops, only servers. If it's the first one, then yes! I absolutely think the fact that it connects via RDP is lame.

andrewgauger

I had to fight this one before the signatures for it were out. Came to the client and found computers logging in as 'a'. Who's 'a'? I asked the client. You can only imagine they had no idea. A good learning experience to this is to audit your accounts. Remove all of them that aren't associated with a service or an individual. Furthermore, I'd appreciate the DNS namespace associated with this worm; I'd like to check my Wireshark logs from the time I was under attack shortly afterwards to check for the payload.

GavGavGav

I would assume that DNS TXT records could all be blocked -- both inbound and outbound -- by any IPS worth its salt (and probably by most firewalls with half-decent packet inspection too). I don't believe anything would break in standard environments by doing so, though I'm no DNS guru. Incidentally it's interesting to see how Wikipedia describes the TXT record. I wonder if this is what gave the bad guys their "eureka" moment? "Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework (although this provisional use of TXT records is deprecated in favor of SPF records), DomainKeys, DNS-SD, etc."

Neon Samurai

The good folks over at Metasploit already have a module and relevant wordlist for those who want to test for Morto vulnerability.

seanferd

I always thought it odd that they had not been used in such a way previously. That, and redirecting queries for the MS NCSI TXT. I love normal TXT records, though, when implemented; they can be great for troubleshooting.

SkyNET32

RDP on a PC effectively renders Morto useless, instead of changing ports and passwords? Thanks... Philip

Craig_B

As far as Morto goes, it only uses some very simple passwords at this time to attack RDP, stuff like 12345, admin, password. Simply changing password to Password would block this attack. Of course using even more complex passwords containing UPPERCASE, lowercase, numbers and symbols will make it more secure.

pgit

Thanks for the heads up. I have a few users accessing RDC from over the internet. It's through a VPN, but then you never know what one of the employees is going to download...

Michael Kassner

What did they say about LogMeIn? I use it all the time and have not heard anything negative about it. As for the DNS server, the bad guys have theirs set up to transmit instructions to the malware payload. Morto used RDP to mess with the network it's attacking.

mclghlne

You can enforce "complex" passwords through Group Policy.

AnsuGisalas

Would it be possible to treat him as outside the network... put up defenses between him and the rest of the network, just like with outward facing servers? In all other kinds of defense it'd be useful to know where the attack will come, why not with this? Maybe the metaphor is wrong?

Michael Kassner

Does that user have admin rights? If not, I do not believe it is an issue. Also, changing the port will nullify this version of Morto. Can't say about the next generation.

Michael Kassner

The experts I interviewed felt RDP was a bad choice for replication. RDP is not enabled on a vast majority of computers -- particularly consumer and home systems.

Michael Kassner

I remember seeing a list of the domains Morto tries to contact. But, I can't remember where. I will continue trying and post here if and when I find it. Sorry.

Michael Kassner

I also am not well-versed enough to know the answer. I certainly will try and find out though. Thanks for bringing it up.

Michael Kassner

How do you use the TXT files? I'd like to learn about that.

AnsuGisalas

One soviet spy in England used yoghurt. He noticed that yoghurt spilled on the street was universally repugnant to all people. So, he used that as a binary signal. He'd splash a cup of yoghurt on the ground at the previously decided point, never pausing or looking back. The person to receive the message would walk by and take note of the color of the yoghurt, white = 0, red = 1. Urban people have trained themselves *not* to pay attention to vile substances on the ground (beyond what's necessary to avoid stepping in them). Works against counterintelligence too.

Michael Kassner

At least for this iteration of Morto. I can't speak for future versions. With that in mind, I am trying to find out if RDP can be enabled remotely. My concern is more towards the way Morto communicates. I suspect other malware developers will incorporate it.

bboyd

Polymorphic does include adding more abilities. Just as Zeus controllers move into the phone systems, this may add higher grade password breaking; more complex dictionaries will lead to brute forcing and then tailored rainbow tables. Maybe C&C will fine-tune attacks toward choice targets and all Morto is for is a toehold to root main services in businesses.

Michael Kassner

I wasn't worried about that. My thrust was to showcase the new-found ability to communicate using DNS.

Michael Kassner

For now all that is required to secure the client is a stiff password and/or using a port other than 3389. I'm more curious as to how using the DNS TXT to communicate will shake out. I'm not sure how that can be mitigated.

bkindle

I think they were just blowing smoke about nothing. This particular person tends to believe their own B.S. and blames all IT problems on vendors, not how it's implemented or actually supposed to function. They told me that the state of Georgia banned it because it was unsecure and full of security holes, and then proceeded to tell me that I had to go back to using RDP for everything over a VPN. That's fine, but then I can't support my folks when they can't use the VPN client, hence why LogMeIn is a lifesaver. It's not the first nor the last time I will hear this kind of tripe from this person. If you read the white paper and still feel unsafe, then maybe it's time to stop using the internet altogether....... If Morto is using RDP on the inside of the network, that's enough for me to say I personally will not use RDP if at all possible, even if the default port is set differently. Thanks for the reply!

xangpow

You know that's not a bad idea. So in essence I would be moving his office outside the building, right? He wants to work outside the guideline, we can put him outside the network.

mark

worked for has RDP enabled on most Windows servers. We use RDP constantly for internal servers. I wouldn't put it on an outward facing server. (We only have Unix and Linux on outward facing servers anyway.)

link470

Ah, now I get it. I didn't *think* you were saying IT pros thought RDP was lame, but that definitely makes sense about it being a bad choice for replication of malware. Yes, I agree too! Great article as always, thanks for the information.

aoreilly

I hope Microsoft does something to help with this. Small Business Server workstations need RDP enabled on port 3389 so that users and support can access their computers remotely. It's been a great feature of SBS so far. Great, but scary article - thanks!

seanferd

nslookup -type=txt which.opendns.com. 208.67.220.220 or dig -t txt which.opendns.com. @208.67.220.220 if you use a Unix-like system or have DiG for Windows. The IP addresses for the resolver in the command ensure you use OpenDNS for the query if you don't have your network configured to use OpenDNS for your resolver. This tells you which location server you are using, which is handy for finding out why some people experience terrifying latency problems. If you are in Germany, and are routed by your ISP or some network provider to Chicago rather than Frankfurt or Amsterdam (Level 3, Roadrunner, I'm looking at you), it explains a lot. Sometimes I'll ask for a traceroute, and you'll see some customer routed past three closer resolver locations (including the one in the back yard) to some distant resolver because some ISP or IP or peering point is doing something really, really wrong. (And refuses to work with anyone to get their Anycast routing straightened out.) But it all depends on what a resolver or authoritative NS offers in terms of txt files. I just happen to do a lot of OpenDNS user support. (They also have a handy "debug" lookup.)

Michael Kassner

Kind of like them using a pencil and us using a million dollar pen.

sgriffithsnz

enable RDP via changing the registry? I've done it before to servers, so would assume there's nothing to stop them trying (obviously they'd need access from another machine to do this, but if they've compromised that machine you would expect them to be not too far behind others).

pgit

"With that in mind, I am trying to find out if RDP can be enabled remotely." I have looked at this myself; a client wanted to be able to do this. I told him I thought it was a bad idea, but he still wanted this capability. Fortunately, you might say, I was unable to come up with a way to do it without opening things up to the point of having no firewall, and without some other remote access tool already enabled. (Ergo, what's the point?) We settled on a VPN on non-standard ports, and the RDP server is running 24/7, but behind two solid firewalls, one isolating the VPN and allowing that channel to only access the one machine. Additionally, though that machine is on a private LAN with a large number of peers, it is only aware of a file server, and can't access any of its peers. If RDP gets compromised on this machine it will be the only host infected. Its separate, isolated firewall (to the internet, with its own global IP) sends me traffic reports. The usage is pretty consistent, so I think an active bot would be obvious. What I've never been able to do (but have tried in vain) is get something like Nagios working, not only reporting but having the ability to reactively shut things down. Its difficulty lies in its complexity. An individual config is "simple" (I suppose you could say) but to be useful there's a lot to juggle with.

Neon Samurai

My guess is that one would need only add the extra step to the initial dropper for initial penetrations into machines with RDP disabled. For Morto propagating under its own power, the question becomes if there are any ports open in front of remote-execution vulns that it could leverage to "open the door". Be interested to see what you dig up though and how far off my guess is.

seanferd

"rouge" employee, apparently. :p

Michael Kassner

I did not get a percentage, but most agreed that the number of enabled computers was significantly less than those in default condition. Something else to consider, the computers with RDP enabled are under the control of system admins. That usually means different ports and unique passwords. Finally, I do not think whether the server is internal or not matters. Once Morto is embedded, it will try to phone home using DNS.

bboyd

No tiny if you may. My service here doesn't like Tiny'd URLs. My next question is a hash available at the level this will be using to penetrate. I've cleaned enough systems lately that I'm starting to drive my F&F that I help to use systems hardened for use only to go to financial sites. Of course if they are windows RDP gets turned off before it hits a network connection.

Michael Kassner

To make sure, SBS will not allow the use of an alternate port? I realize it would be additional work, but there are other services that might be a bit more secure. I have several clients that like Team Viewer and LogMeIn.

Neon Samurai

The worm is exploiting weak passwords rather than a vulnerable bug in the program code. If Microsoft changes the default passwords then the worm's wordlist simply gets updated with the new passwords. Maybe it develops its own brute-force or hybrid attack. Hm.. my thought here was MS including a Fail2ban style program but they really already have that if you've set a lockout login attempt limit. Does the RDP connection not trigger that same lockout like the uname/passwd login prompt? Me thinks I need to go grab my Metasploit and go get locked out of a test system..

Michael Kassner

Now all you have to worry about are individual instances of Morto doing their thing.

Michael Kassner

You are right, Morto can be successful without self-propagation.