Category: Network and Security
2011-09-03 23:00:55
Detection last updated: Definition 1.111.1134.0, released Aug 31, 2011
Detection initially created: Definition 1.111.868.0, released Aug 27, 2011
In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.
To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.
To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good policies include, but are not limited to:
For general information about password best practices, please see the following articles:
To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.
The following system changes may indicate the presence of this malware:
In subkey: HKLM\SYSTEM\Wpa
Sets value: it
Sets value: id
Sets value: sn
Sets value: ie
Sets value: md
Sets value: sr
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"
Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Installation
The malware consists of several components, including an executable dropper component (the installer) and a DLL component which performs the payload. The following files are also created by the malware:
The following registry modifications are made to load the DLLs as services upon system boot:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"
Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:
and replace sens32.dll via a value in the following registry subkey:
Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).
Spreads via...
Compromising Remote Desktop connections on a network: Port 3389 (RDP)
Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems using the following user names:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5
with the following passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
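A defender-side check for the spreading behaviour just described, added here as an example and not taken from the advisory: it groups failed RDP logons by source address, flags any source that cycles through many account names inside a short window, and measures how much of that name set overlaps the worm's built-in user-name list. The log records are constructed; event id 4625 and logon type 10 are the Windows Security audit fields for a failed RemoteInteractive (RDP) logon.

```python
"""Detect Morto-style RDP password guessing in failed-logon records.
Added example, not part of the advisory. Records are constructed, simplified
fields of Windows Security event 4625; logon type 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the worm tries, taken from the list above
MORTO_USERS = {"1", "actuser", "adm", "admin", "admin2", "administrator",
               "aspnet", "backup", "computer", "console", "david", "guest",
               "john", "owner", "root", "server", "sql", "support",
               "support_388945a0", "sys", "test2", "test3", "user", "user1",
               "user5"}

# Constructed records: (time, event_id, logon_type, source_ip, target_user)
FAILED_LOGONS = [
    ("2011-08-27 10:00:01", 4625, 10, "192.0.2.7", "administrator"),
    ("2011-08-27 10:00:02", 4625, 10, "192.0.2.7", "admin"),
    ("2011-08-27 10:00:03", 4625, 10, "192.0.2.7", "root"),
    ("2011-08-27 10:00:04", 4625, 10, "192.0.2.7", "guest"),
    ("2011-08-27 10:00:05", 4625, 10, "192.0.2.7", "backup"),
    ("2011-08-27 10:00:06", 4625, 10, "192.0.2.7", "sql"),
    ("2011-08-27 10:01:00", 4625, 10, "198.51.100.4", "alice"),  # one user, typos
    ("2011-08-27 10:01:30", 4625, 10, "198.51.100.4", "alice"),
    ("2011-08-27 10:02:00", 4625, 3, "203.0.113.9", "svc_backup"),  # not RDP
]

def rdp_guessing_sources(records, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted user names} for every source whose failed RDP
    logons inside one `window` target at least `min_users` distinct accounts."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in records:
        if event_id == 4625 and logon_type == 10:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_src[src].append((when, user.lower()))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):   # sliding window
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def morto_overlap(users):
    """Share of guessed names found in the worm's list; near 1.0 points at Morto."""
    users = {u.lower() for u in users}
    return len(users & MORTO_USERS) / len(users) if users else 0.0
```

Because the worm also clears the system event log, forward these events to a central collector rather than relying on the local log of the targeted host.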
If the worm is successful at logging into a system, it then copies clb.dll to a.dll on the computer and creates a file r.reg in a directory which is temporarily mapped to A: (both of which are remotely executed on the remote system by way of the \\tsclient\a share). The file r.reg contains the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
The intention of importing this reg file appears to be to modify the registry to ensure that rundll32.exe runs with Administrator privileges, and thus that the malware's DLL, clb.dll, does too: the first two values turn off UAC prompting for administrators, and the AppCompatFlags entries mark every likely rundll32.exe path to run elevated.
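The persistence and privilege changes above (the ServiceDll values in the 6to4 and Sens services, and the UAC and RUNASADMIN entries in r.reg) can be checked for in a registry export. The following is an added example, not code from the advisory; the export text is constructed, and the parser handles only the string and dword value forms shown on this page, not hex(...) binary data.

```python
"""Flag the Morto registry changes described above in a .reg export. Added
example (not the advisory's code); parses only "name"="string" and "name"=dword:N lines."""
import re
VAL_RE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]+))$')

# Constructed export, roughly what `reg export` of an infected host would show
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%windir%\\temp\\ntshrui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"""

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg text."""
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            snapshot.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, s, d = m.groups()   # .reg doubles backslashes; dwords are hex
            name = name.replace("\\\\", "\\").lower()
            snapshot[key][name] = int(d, 16) if s is None else s.replace("\\\\", "\\")
    return snapshot

def morto_findings(snapshot):
    """Return one finding string per Morto-style value in the snapshot."""
    found = []
    for key, vals in snapshot.items():
        if key.endswith((r"\services\6to4\parameters", r"\services\sens\parameters")):
            dll = str(vals.get("servicedll", "")).lower()
            if dll.endswith((r"\temp\ntshrui.dll", r"\sens32.dll")):
                found.append(f"{key}: ServiceDll -> {dll}")
        if key.endswith(r"\policies\system"):
            for name in ("enablelua", "consentpromptbehavioradmin"):
                if vals.get(name) == 0:
                    found.append(f"{key}: {name}=0 (UAC weakened)")
        if key.endswith(r"\appcompatflags\layers"):
            for name, data in vals.items():
                if name.endswith("rundll32.exe") and "runasadmin" in str(data).lower():
                    found.append(f"{key}: RUNASADMIN layer on {name}")
    return found
```

On a real host, ServiceDll is REG_EXPAND_SZ and is exported as hex(2) data, so compare the live values (for example with reg query) rather than relying on this simplified parser alone.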
Contacts remote host
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
Newly downloaded components are saved to a filename that uses the following format:
~MTMP<4 digits 0-f>.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
Terminates processes
Morto.A terminates processes whose names contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.
ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu
Clears system event log
Worm:Win32/Morto deletes system event logs categorized in the following:
Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr
It also makes the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
Analysis by Matt McCormack
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC in your computer to meet your preferences:
Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool that is updated with the latest signature files. For more information, see .
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages
Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article ''.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article ''.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see .
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
Note: Users affected by this worm may be prompted to reboot their computers as part of the cleaning process, and then prompted to run a full scan after rebooting.
For more information on antivirus software, see .