In July 2012, our virus laboratory came across what we first thought was a new family of malware. The threat spread by infecting Portable Executable or PE files used by Windows, but this malware also infected systems through remote desktop and network shares. After further analysis, we realized we were dealing with a new version
In July 2012, our virus laboratory came across what we first thought was a new family of malware. The threat spread by infecting Portable Executable or PE files used by Windows, but this malware also infected systems through remote desktop and network shares. After further analysis, we realized we were dealing with a new version of a known malware family: Win32/Morto. The author of this malware – which had already infected thousands of hosts – had updated his creation to add file infection capabilities.
Win32/Morto is best known for being a computer worm, that is, a fully-self-contained rogue program that spreads copies of itself. Adding file-infecting code allows the worm to function as a computer virus as well by attaching copies of itself to other programs which can then be used to further spread the infection. This type of evolution is out of the ordinary and it prompted us to dig further in order to understand this malware better. We are presenting the results of our analysis this week at the AVAR conference in HangZhou, China. This blog contains a summary of the key findings presented at the conference.
Our analysis shows that adding file infection capabilities to this malware had a significant impact on the speed at which it spread. The next figure shows the number of detections of this threat over time. We clearly see a sharp increase in detections around July; this is when the malware was updated to start infecting PE files.
Other characteristics of this malware have remained constant across variants. For example, Win32/Morto has been using the DNS infrastructure to receive commands from its operator. The bot will make a DNS TXT request and will decode the received text so as to update its modules. The figure below shows one such DNS TXT response with the encoded string, which contains the update information. The information is encoded using an algorithm close to base64, but with a different alphabet.
The information received by the bot is simply a list of modules to be downloaded, decrypted and executed. During the last four months, we have seen three different modules being used by the bot. One of the modules is an update to the viral code used for maintaining persistence and infecting files, one module is used to spread by exploiting weak passwords in Remote Desktop and the last module is used to launch distributed denial of service attacks and to display advertisements on the infected system.
There are several clues in the malware code that suggest it was written by a native Chinese speaker. For example, the User-Agent string used by the malware advertises the Chinese language. The geographical distribution of this threat also hints as to its origin.
The following figure shows the geographical distribution of Win32/Morto detections. The dark blue color indicates a high proportion of detections while light yellow shows a small proportion of detections. The map shows a significant number of detections through Asia, including Mongolia, Tajikistan, Uzbekistan and China. This might also indicate where the infection started and continued to spread.
The two main infection vectors of Win32/Morto are through file infection and the exploitation of weak Remote Desktop credentials. We recommend that users use strong passwords and use an up-to-date antivirus solution to help them stay protected from this threat.
Acknowledgment: I would like to acknowledge François Chagnon and Miroslav Babis for their help in analyzing Win32/Morto.