|14 Sep 2011||#1|
| || |
Morto: Not your average creepy-crawly worm
As malware goes, Morto has something new to offer. It’s conversant in DNS-speak.
Why a digital worm? They’re so yesterday, barely worth the effort when compared to trojans and rootkits, the current malware du jour. True, except for one new and improved wiggler.
While reverse-engineering Morto, a team from Symantec discovered something. Morto can communicate. It phones home using the Domain Naming System (DNS). Darn. Yet another hole punched in the beleaguered DNS protocol. Here’s how Symantec figured out what Morto was doing:
“While examining W32.Morto, we noticed that it would attempt to request a DNS record for a number of URLs that were hard-coded into the binary. This is by no means unusual or unique, but when we examined the URLs, we noticed that there were no associated DNS A records returned from our own DNS requests.
On further investigation, we determined that the malware was actually querying for a DNS TXT record only — not for a domain to IP lookup — and the values that were returned were quite unexpected.”
Here are the results (courtesy of Symantec):
Symantec explains what the Morto-infected computer does with this information:
“The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record. The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.”
The downloaded file is the payload I described earlier. And it’s up to the Morto developers as to what additional malcode will be downloaded and installed.
On a grand scale, Morto does not have the wow-factor of malware like Zeus. Still, it feels like a significant step — a leap, maybe — in the evolution of malware. Communicating via DNS TXT records is subtle, yet effective — exactly what the bad guys want.
Morto: Not your average creepy-crawly worm | TechRepublic
|My System Specs|
|Similar help and support threads for2: Morto: Not your average creepy-crawly worm|
|Creepy BIOS Problem with Missing ram settings!||Hardware & Devices|
|Alienware Windows 7 Very Creepy Problem||General Discussion|
|Creaky Floors And Creepy Neighbors||Chillout Room|
|Google's Policy: Get to the Creepy Line||News|
|On average how long||Chillout Room|
|Not your average sleep problem||General Discussion|
|Creepy Media Encoder Error||Software|
|Our Sites ||Site Links ||About Us ||Find Us |
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd
All times are GMT -5. The time now is 11:40 PM.