Security

Morto: Not your average creepy-crawly worm

As malware goes, Morto has something new to offer. It's conversant in DNS-speak. Michael Kassner describes how it works.

You already know how to keep malware at bay. We purveyors of IT security are all over the subject. So it's okay to ask. Why in the heck write about malware — yet again?

Simple. Malware coders are busy. Meaning, things have changed since I wrote 10 ways to detect malware and 10 more ways to detect malware, particularly when it comes to phoning home for orders.

Next question

Why a digital worm? They're so yesterday, barely worth the effort when compared to trojans and rootkits, the current malware du jour. True, except for one new and improved wiggler.

Worm refresher

What is a worm? It is commonly defined as malware that can infect and replicate without our help. It does so by using:

  • Penetration tools: Leverages vulnerabilities on the victim computer to gain access.
  • Installers: Transfers the main body of malcode to the victim.
  • Discovery tools: Locates other computers on the network, along with e-mail addresses, Host lists, and DNS information.
  • Scanners: Determine if any of the newly-found target computers are vulnerable to the exploits available in its penetration tool.
  • Payload droppers: Additional malcode can be deposited to carry out the wishes of the worm developer.

Like most malware today, worms begin their journey as a drive-by download attached to a malicious website or a compromised official website. Once safely embedded, computer worms immediately start checking for other susceptible computers - the need to procreate is over-powering.

A worm called Morto

Enough generalities, we're here to learn about an Internet worm called Morto. On the surface, it's typical. But, investigators did find something odd. Like no other malware, Morto propagates using Remote Desktop Protocol (RDP). You may recognize it as Microsoft's way to remotely access computers:

I'm guessing, with RDP so prevalent, Morto developers thought it would be a great way to locate and access other computers on the same network.

Most pros — and I agree — think using RDP is lame. First, RDP is not enabled by default on Windows 7. That stops Morto cold. As I see it, finding computers with RDP enabled is most likely to occur in a business setting. Doing so helps harried system admins fix computer problems without having to wander all over the building.

Regardless, it's easy to side-step Morto. Just change the port number to something other than the default of 3389. And, make sure all admin user accounts have complex passwords.

Command and control

I'm glad you stuck with me through the prelims. Now it gets interesting.

The importance of command and control (C and C) communications cannot be overstated. Ask any military aficionado.

That fact is not lost on malware developers. Rather than flying blind, they started exchanging information with infected computers using Internet Relay Chat (IRC). IRCBots is one example. Currently, the method of choice for sending C and C traffic employs programs like Twitter and Facebook messaging.

Morto is unique

Upon first glance, Morto does not appear to have any means to communicate. Strange. Being new malcode, I'd expect it to.

Then I came across the blog, "Morto worm sets a (DNS) record," by Symantec's Cathal Mullaney. While reverse-engineering Morto, a team from Symantec discovered something. Morto can communicate. It phones home using the Domain Naming System (DNS).

Darn. Yet another hole punched in the beleaguered DNS protocol. Here's how Symantec figured out what Morto was doing:

"While examining W32.Morto, we noticed that it would attempt to request a DNS record for a number of URLs that were hard-coded into the binary. This is by no means unusual or unique, but when we examined the URLs, we noticed that there were no associated DNS A records returned from our own DNS requests.

On further investigation, we determined that the malware was actually querying for a DNS TXT record only — not for a domain to IP lookup — and the values that were returned were quite unexpected."

Here are the results (courtesy of Symantec):

Symantec explains what the Morto-infected computer does with this information:

"The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record. The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution."

The downloaded file is the payload I described earlier. And it's up to the Morto developers as to what additional malcode will be downloaded and installed.

Final thoughts

On a grand scale, Morto does not have the wow-factor of malware like Zeus. Still, it feels like a significant step — a leap, maybe — in the evolution of malware. Communicating via DNS TXT records is subtle, yet effective — exactly what the bad guys want.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks