There has been a lot of coverage of the recent RDP capable
W32.Morto
worm, but one of the more interesting aspects of the worm’s behavior
appears to have been overlooked. Most malware that we have seen recently
has some means of communication with a remote Command and Control
(C&C) server. The actual vector of communication tends to vary
between threats. For example,
W32.IRCBot uses Internet Relay Chat channels whereas the recent high profile threat,
Trojan.Downbot,
is capable of reading commands embedded in HTML pages and image files.
W32.Morto has added another C&C communication vector by supplying
remote commands through Domain Name System () records.
DNS is primarily used to translate human readable URLs, such as
“Symantec.com”, into numerical network identifiers (216.12.145.20).
Every URL on the Internet is eventually resolved to an associated IP
address using this system, typically using a
for IPv4. The A record is what we usually think of when we discuss DNS.
These records map domain names to their associated IP addresses with a
PTR record used for the inverse operation of IP to host. But DNS is not
limited to these records types; there are a number of record types that
have been defined in various RFCs over the years to address the changing
needs of the system. The record type that W32.Morto uses for its
communication protocol is the TXT record.
The DNS TXT record type was originally used to allow human readable text to be stored with a DNS record and evolved
to store machine useable data. To experiment with this, you can use the
Microsoft nslookup.exe tool. By querying the TXT record type for
“Symantec.com” you can retrieve the information associated with the Domain.
While examining W32.Morto, we noticed that it would attempt to
request a DNS record for a number of URLs that were hard-coded into the
binary. This is by no means unusual or unique, but when we examined the
URLs, we noticed that there were no associated DNS A records returned
from our own DNS requests. On further investigation, we determined that
the malware was actually querying for a DNS TXT record only – not for a
domain to IP lookup – and the values that were returned were quite
unexpected.
The threat clearly expected this type of response as it proceeded
to validate and decrypt the returned TXT record. The decrypted record
yielded a customary binary signature and an IP address where the threat
could download a file (typically another malware) for execution.
[MALICIOUS ADDRESS]/160.rar
Once downloaded, W32.Morto immediately executes the threat and
waits for a specified timeout before requesting another TXT record.
What is interesting about this method of command propagation is
that there was no A record for these domains, which means that they
existed primarily to serve these commands to the W32.Morto worm. A
number of other domains have been hard-coded into the worm and they all
display the same unusual DNS characteristics.
W32.Morto has a number of interesting characteristics, including:
the RDP propagation that has been generating much interest of late;
saving encrypted payload code in the system registry; and replacing some
minor system DLLs with its own payload code. The worm’s use of DNS TXT
records is an unusual method of issuing commands to the remote threat
while keeping the C&C vector under the radar.