Clicky

Pages

Monday, August 29, 2011

Aug 28 Morto / Tsclient - RDP worm with DDoS features

 
According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets. 
I can add that it runs what it looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of CC servers (China) and their location (Hong Kong), I would say it is likely it be cybercrimeware originating in erm,...Asia. I don't know how difficult it is for a foreigner to register domains with  Jiangsu Bangning Science & technology Co. Ltd.in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing common there too :)

I want to thank jsunpack.jeek.org and malc0de.com for the sample.




Exploit information and analysis links

Windows Remote Desktop worm "Morto" spreading (F-Secure

Expert analysis has been done already and I won't repeat it. I ran the sample posted and it does what the links below describe

Excerpt from Microsoft:
The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak.The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.
The name clb.dll is chosen because it is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This dll has encrypted configuration information appended to it in order to download and execute new components.
The following additional files are also created:
  • %windows%\temp\ntshrui.dll
  • \sens32.dll
  • c:\windows\offline web pages\cache.txt
  
Some screenshots

contents of cache.txt in offline web pages folder
They may be replaced later on with malicious components which are downloaded to:
  • c:\windows\offline web pages\cache.txt

   General File Information

MD5: 2eef4d8b88161baf2525abfb6c1bac2b
File Type: EXE
Infection Vector: RDP

Download




Automated Scans

2eef4d8b88161baf2525abfb6c1bac2b.exe
Result:19 /44 (43.2%)
  http://www.virustotal.com/file-scan/report.html?id=3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8-1314609731 
AhnLab-V3     2011.08.28.00     2011.08.29     Win-Trojan/Npkon.49969
AntiVir     7.11.14.3     2011.08.29     TR/Agent.49969.1
Avast     4.8.1351.0     2011.08.29     Win32:Malware-gen
Avast5     5.0.677.0     2011.08.29     Win32:Malware-gen
AVG     10.0.0.1190     2011.08.29     Agent3.ACOR
ByteHero     1.0.0.1     2011.08.22     Trojan.Win32.Heur.Gen
Comodo     9914     2011.08.29     TrojWare.Win32.Trojan.Agent.Gen
DrWeb     5.0.2.03300     2011.08.29     BackDoor.Tsclient.1
Emsisoft     5.1.0.10     2011.08.29     Trojan.Agent3!IK
GData     22     2011.08.29     Win32:Malware-gen
Ikarus     T3.1.1.107.0     2011.08.29     Trojan.Agent3
Jiangmin     13.0.900     2011.08.28     Backdoor/DsBot.dov
Microsoft     1.7604     2011.08.29     Worm:Win32/Morto.gen!A
NOD32     6418     2011.08.29     a variant of Win32/Agent.SYL
Panda     10.0.3.5     2011.08.28     Trj/MereDrop.B
Sophos     4.68.0     2011.08.29     Mal/Generic-L
TheHacker     6.7.0.1.286     2011.08.29     Trojan/Agent.syl
ViRobot     2011.8.29.4644     2011.08.29     Backdoor.Win32.DsBot.53076
VirusBuster     14.0.189.0     2011.08.28     Trojan.Agent!MYoVp4jcZjs

MD5   : 2eef4d8b88161baf2525abfb6c1bac2b

Created file
clb.dll
Submission date:2011-08-28 22:58:34 (UTC)
Result:16 /44 (36.4%)
http://www.virustotal.com/file-scan/report.html?id=c74b91699e916596884b3833d21825039cf1d200a244fc429341d7723ab1a5f6-1314572314
AhnLab-V3     2011.08.27.01     2011.08.28     Win-Trojan/Agent21.Gen
AntiVir     7.11.14.2     2011.08.28     TR/Agent.6672.5
Avast     4.8.1351.0     2011.08.28     Win32:Malware-gen
Avast5     5.0.677.0     2011.08.28     Win32:Malware-gen
AVG     10.0.0.1190     2011.08.29     Agent3.AENL
DrWeb     5.0.2.03300     2011.08.29     BackDoor.Tsclient.1
Emsisoft     5.1.0.10     2011.08.28     Trojan.Agent3!IK
Fortinet     4.2.257.0     2011.08.28     W32/SvcLoad.AJE!tr
GData     22     2011.08.29     Win32:Malware-gen
Ikarus     T3.1.1.107.0     2011.08.28     Trojan.Agent3
Microsoft     1.7604     2011.08.28     Worm:Win32/Morto.gen!A
NOD32     6418     2011.08.29     Win32/Agent.SYL
Panda     10.0.3.5     2011.08.28     Suspicious file
Sophos     4.68.0     2011.08.28     Troj/SvcLoad-A
TheHacker     6.7.0.1.286     2011.08.29     Trojan/Agent.syl
VIPRE     10300     2011.08.29     Trojan.Win32.Generic!BT
MD5   : eb19e7a8cd7dee563a2b7477a7b9037f

Traffic

As you already noted, it is a worm capable of spreading through local area network. Please remember this when running it on a VM attached to any LAN. Take appropriate measures to prevent it from spreading.

From what I see, it performs DNS queries using servers that are not in the victim's TCP/IP configuration 



According to Microsoft (and the samples they analysed ), morto
Contacts remote host
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
210.3.38.82
74.125.71.104
jifr.info
jifr.co.cc
jifr.co.be
qfsl.net
qfsl.co.cc
qfsl.co.be
Newly downloaded components are downloaded to a filename that uses the following format:
~MTMP ;4 digits 0-f ;.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
I have a few additional similar domains

 The list of recorded domains and IPs (see additional/slightly different list in the Microsoft analysis)
  • 111.68.13.250  = qfsl.net     ASIA PACIFIC SERVER COMPANY, Hong Kong  -- orders to perform DDoS test
  • 210.3.38.82                          Hutchison Global Communications, Hong Kong  - Location from where 160.rar gets downloaded
  • hx-in-f104.1e100.net =  Google.com 74.125.71.104/74.125.115.106  - DoS test is on Google.com (Google won't "feel" it, it is not really "an attack on Google")
Domains
  • fb1.jifr.net 
  • fb2.jifr.net          
  • db1.jifr.net
  • db2.jifr.net
  • dostest1.qfsl.net
and etc. as listed on the screenshot below

DNS used (no changes made in TCP/IP settings)
  • victim's preferred  DNS 
  • 212.76.127.133             Internet Rimon LTD, Israel 
  • 64.68.200.200               easyDNS Technologies, Inc. Toronto
  • 156.154.71.1                 NeuStar, Inc., VA - USA
  • 8.8.8.8                           Google DNS
  • 209.166.160.36            CONTINENTAL BROADBAND PENNSYLVANIA, INC.
  • 210.220.163.82             SK Broadband Co Ltd, Korea
  • 4.2.2.2                           Level 3 Communications, Inc
  • 202.238.96.2                 So-net service, Japan
  • 203.172.246.41            Ministry of Education Network Operation Center, Thailand
  • 205.171.3.65                Qwest Communications Company, LLC
  • 210.196.3.183              DION (KDDI CORPORATION)
  • 163.180.96.54              Kyung Hee University
  • 202.207.184.3              North China Institute Of Technology
  • 168.210.2.2                  Dimension Data, South Africa
  • and perhaps others - see the screenshot

 =======================================

Host reachable, 284 ms. average
210.3.0.0 - 210.3.127.255
Hutchison Global Communications
Hong Kong
ITMM HGC
hgcnetwork@hgc.com.hk
9/F Low Block ,
Hutchison Telecom Tower,
99 Cheung Fai Rd, Tsing Yi,
HONG KONG
phone: +852-21229555
fax: +852-21239523

Downloading 160.rar (MD5:  4E69179BB79DE93584E87C4763F6C664 ) = same file that Microsoft describes as
Newly downloaded components are downloaded to a filename that uses the following format:
~MTMP 4 digits 0-f.exe
In my case, these were created and deleted from C\WINDOWS\Temp
Size: 54496
MD5:  4E69179BB79DE93584E87C4763F6C664

~MTMP3C32.exe
~MTMP4F62.exe
~MTMP6006.exe
~MTMP9B40.exe
~MTMPA327.exe

However, they do not seem to have valid PE headers

http://www.virustotal.com/file-scan/report.html?id=f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf-1314580097
[EDIT] See the comments after the post. The file is actually a DLL

Size: 54484
MD5:  EBB3A5964DA485C0B9E67164B047A7A5
 
  Machine                      014Ch       i386®
 Number of Sections           0004h       
 Time Date Stamp              4E536606h   23/08/2011  08:34:14
 Pointer to Symbol Table      00000000h   
 Number of Symbols            00000000h   
 Size of Optional Header      00E0h       
 Characteristics              210Eh       The file is executable (no unresolved external references)
                                          Line numbers are stripped from the file
                                          Local symbols are stripped from the file
                                          Computer supports 32-bit words
                                          The file is a dynamic link library (DLL)
 Magic                        010Bh       PE32
 Linker Version               0006h       6.0
 Size of Code                 00001000h   
 Size of Initialized Data     00000A00h   
 Size of Uninitialized Data   00000000h   
 Address of Entry Point       10001D6Ah   
 Base of Code                 00001000h   
 Base of Data                 00002000h   
 Image Base                   10000000h   
 Section Alignment            00001000h   
 File Alignment               00000200h   
 Operating System Version     00000004h   4.0
 Image Version                00000000h   0.0
 Subsystem Version            00000004h   4.0
 Win32 Version Value          00000000h   Reserved
 Size of Image                00005000h   20480 bytes
 Size of Headers              00000400h   
 Checksum                     00000000h   Real Image Checksum: 0001B115h
 Subsystem                    0002h       Win32 GUI
 Dll Characteristics          0000h       
 Size of Stack Reserve        00100000h   
 Size of Stack Commit         00001000h   
 Size of Heap Reserve         00100000h   
 Size of Heap Commit          00001000h   
 Loader Flags                 00000000h   Obsolete
 Number of Data Directories   00000010h   


http://www.virustotal.com/file-scan/report.html?id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-1314701651


=======================================

hx-in-f104.1e100.net - Google.com 74.125.71.104 or vx-in-f106.1e100.net 74.125.115.106 in another test




Traffic to Google (DoS test). The response is Error 400 - invalid request.
That...s an error. Your client has issued a malformed or illegal request.  That...s all we know.



 

=======================================
qfsl.net
Administrative Contact:
   DOMAIN WHOIS PROTECTION SERVICE
   WHOIS AGENT domian@whoisprotectionservices.net
   +86.02586880037  fax: +86.02586880037
   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
   Nanjing Jiangsu 210012
   CN 
Registrar History
DateRegistrar
2003-01-28INWW.com
2005-11-23DirectNic.com
2006-03-22Bizcn.com
2008-06-14eNom GMP Services
2010-05-03Jiangsu Bangning Science & technology Co. Ltd.
 

IP Address History

Event DateActionPre-Action IPPost-Action IP
2005-02-12Not Resolvable213.161.76.87-none-
2006-03-24New-none- 61.152.93.70
2006-06-24Not Resolvable61.152.93.70-none-
2006-10-21New-none- 61.152.93.70
2007-02-24Change61.152.93.70210.95.31.4
2008-03-30Not Resolvable210.95.31.4-none-
2008-03-31New-none- 209.62.72.197
2008-04-13Change209.62.72.197124.42.34.171
2008-05-04Not Resolvable124.42.34.171-none-
2008-06-13New-none- 69.64.155.79
2008-06-15Change69.64.155.7969.64.155.136
2008-06-22Change69.64.155.13669.64.155.132
2008-11-16Change69.64.155.13269.64.147.18
2009-03-09Change69.64.147.1869.64.147.212
2009-03-30Change69.64.147.21269.64.147.213
2009-04-06Change69.64.147.21369.64.147.212
2009-04-20Change69.64.147.21269.64.147.213
2009-04-27Change69.64.147.21369.64.147.212
2009-07-27Not Resolvable69.64.147.212-none-
2010-05-04New-none- 210.51.7.236
2010-05-23Change210.51.7.23659.188.19.76
2010-10-15Change59.188.19.7658.14.38.169
2010-11-17Change58.14.38.169113.128.1.80
2011-04-10New-none- 113.128.1.80
2011-05-03Change113.128.1.80113.128.223.131
2011-07-03Change113.128.223.1310.0.0.0
2011-08-10Not Resolvable0.0.0.0-none-
 jifr.net
Registrant Contact:
   jian fan ren
   fan ren jian j@163.com
   +86.01015215412  fax: +86.01012111111
   chang an lu 113 hao
   ma an san an hui 111111
   CN 
Registrar History
DateRegistrar
2011-07-21Jiangsu Bangning Science & technology Co. Ltd. 

IP Address History

We have no record of any IP changes.
111.68.13.250  = qfsl.net     ASIA PACIFIC SERVER COMPANY, Hong Kong  -- orders to perform DoS test 
 =======================================
111.68.13.250
111.68.0.0 - 111.68.15.255
Hollywood Plaza, 610 Nathan Road
Hong Kong
ASIA PACIFIC SERVER COMPANY - network administrato
Hollywood Plaza, 610 Nathan Road, Mong Kong, KLN
phone: +85263419611
network@apacserver.com

 Qfsl.net point to 111.68.13.250.

Registrant Contact:
   DOMAIN WHOIS PROTECTION SERVICE
   WHOIS AGENT domian@whoisprotectionservices.net
   +86.02586880037  fax: +86.02586880037
   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
   Nanjing Jiangsu 210012
   CN


Created files
C:\WINDOWS\Offline Web Pages\1.40_TestDdos  - see this in the screenshot below - 6th line from the top
C:\WINDOWS\Offline Web Pages\1.60_0823
C:\WINDOWS\Offline Web Pages\2011-08-29 0234
C:\WINDOWS\Offline Web Pages\cache.txt TCP  traffic from 111.68.13.250.



5 comments:

  1. i haven't looked, but it might be as simple as skipping the first 12 bytes or so. MZ should be the first two bytes in a PE header, but there's some offset there.

    -Alex L

    ReplyDelete
  2. Thanks, Alex I will try again. I tried but maybe it was too many or too few that i tried to skip.

    ReplyDelete
  3. Mila,

    If you strip out the first 12 bytes of the 160.rar file, it becomes a valid PE file and in fact it is a DLL - one of the component that the worm downloads.

    ~DaH4ckeR

    ReplyDelete
  4. thank you all, indeed you get this file
    http://www.virustotal.com/file-scan/report.html?id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-1314701651

    I somehow botched it first time. Ability to count past 10 i guess is crucial :)

    ReplyDelete