There has been a lot of coverage of the recent RDP capable W32.Morto worm, but one of the more interesting aspects of the worm’s behavior appears to have been overlooked. Most malware that we have seen recently has some means of communication with a remote Command and Control (C&C) server. The actual vector of communication tends to vary between threats. For example, W32.IRCBot uses Internet Relay Chat channels whereas the recent high profile threat, Trojan.Downbot, is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector by supplying remote commands through Domain Name System (DNS) records.
DNS is primarily used to translate human readable URLs, such as “Symantec.com”, into numerical network identifiers (18.104.22.168). Every URL on the Internet is eventually resolved to an associated IP address using this system, typically using a DNS A record for IPv4. The A record is what we usually think of when we discuss DNS. These records map domain names to their associated IP addresses with a PTR record used for the inverse operation of IP to host. But DNS is not limited to these records types; there are a number of record types that have been defined in various RFCs over the years to address the changing needs of the system. The record type that W32.Morto uses for its communication protocol is the TXT record.
The DNS TXT record type was originally used to allow human readable text to be stored with a DNS record and later evolved to store machine useable data. To experiment with this, you can use the Microsoft nslookup.exe tool. By querying the TXT record type for “Symantec.com” you can retrieve the SPF information associated with the Domain.
While examining W32.Morto, we noticed that it would attempt to request a DNS record for a number of URLs that were hard-coded into the binary. This is by no means unusual or unique, but when we examined the URLs, we noticed that there were no associated DNS A records returned from our own DNS requests. On further investigation, we determined that the malware was actually querying for a DNS TXT record only – not for a domain to IP lookup – and the values that were returned were quite unexpected.
The threat clearly expected this type of response as it proceeded to validate and decrypt the returned TXT record. The decrypted record yielded a customary binary signature and an IP address where the threat could download a file (typically another malware) for execution.
Once downloaded, W32.Morto immediately executes the threat and waits for a specified timeout before requesting another TXT record.
What is interesting about this method of command propagation is that there was no A record for these domains, which means that they existed primarily to serve these commands to the W32.Morto worm. A number of other domains have been hard-coded into the worm and they all display the same unusual DNS characteristics.
W32.Morto has a number of interesting characteristics, including: the RDP propagation that has been generating much interest of late; saving encrypted payload code in the system registry; and replacing some minor system DLLs with its own payload code. The worm’s use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C vector under the radar.