Monday, August 29, 2011

Aug 28 Morto / Tsclient - RDP worm with DDoS features

According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets.
I can add that it runs what looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of the C&C servers (China) and their location (Hong Kong), I would say it is likely to be cybercrimeware originating in, erm... Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co., China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. As in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing they are common there too :)

I want to thank and for the sample.

Exploit information and analysis links

Windows Remote Desktop worm "Morto" spreading (F-Secure)

Expert analysis has been done already and I won't repeat it. I ran the sample posted and it does what the links below describe.

Excerpt from Microsoft:
The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.
The name clb.dll is chosen because it is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it in order to download and execute new components.
The following additional files are also created:
  • %windows%\temp\ntshrui.dll
  • \sens32.dll
  • c:\windows\offline web pages\cache.txt
Some screenshots

[Screenshot: contents of cache.txt in the Offline Web Pages folder]

They may be replaced later on with malicious components which are downloaded to:
  • c:\windows\offline web pages\cache.txt

General File Information

MD5: 2eef4d8b88161baf2525abfb6c1bac2b
File Type: EXE
Infection Vector: RDP


Automated Scans

Result: 19/44 (43.2%)
AhnLab-V3     2011.08.28.00     2011.08.29     Win-Trojan/Npkon.49969
AntiVir     2011.08.29     TR/Agent.49969.1
Avast     4.8.1351.0     2011.08.29     Win32:Malware-gen
Avast5     5.0.677.0     2011.08.29     Win32:Malware-gen
AVG     2011.08.29     Agent3.ACOR
ByteHero     2011.08.22     Trojan.Win32.Heur.Gen
Comodo     9914     2011.08.29     TrojWare.Win32.Trojan.Agent.Gen
DrWeb     2011.08.29     BackDoor.Tsclient.1
Emsisoft     2011.08.29     Trojan.Agent3!IK
GData     22     2011.08.29     Win32:Malware-gen
Ikarus     T3.     2011.08.29     Trojan.Agent3
Jiangmin     13.0.900     2011.08.28     Backdoor/DsBot.dov
Microsoft     1.7604     2011.08.29     Worm:Win32/Morto.gen!A
NOD32     6418     2011.08.29     a variant of Win32/Agent.SYL
Panda     2011.08.28     Trj/MereDrop.B
Sophos     4.68.0     2011.08.29     Mal/Generic-L
TheHacker     2011.08.29     Trojan/Agent.syl
ViRobot     2011.8.29.4644     2011.08.29     Backdoor.Win32.DsBot.53076
VirusBuster     2011.08.28     Trojan.Agent!MYoVp4jcZjs

MD5: 2eef4d8b88161baf2525abfb6c1bac2b

Created file
Submission date: 2011-08-28 22:58:34 (UTC)
Result: 16/44 (36.4%)
AhnLab-V3     2011.08.27.01     2011.08.28     Win-Trojan/Agent21.Gen
AntiVir     2011.08.28     TR/Agent.6672.5
Avast     4.8.1351.0     2011.08.28     Win32:Malware-gen
Avast5     5.0.677.0     2011.08.28     Win32:Malware-gen
AVG     2011.08.29     Agent3.AENL
DrWeb     2011.08.29     BackDoor.Tsclient.1
Emsisoft     2011.08.28     Trojan.Agent3!IK
Fortinet     2011.08.28     W32/SvcLoad.AJE!tr
GData     22     2011.08.29     Win32:Malware-gen
Ikarus     T3.     2011.08.28     Trojan.Agent3
Microsoft     1.7604     2011.08.28     Worm:Win32/Morto.gen!A
NOD32     6418     2011.08.29     Win32/Agent.SYL
Panda     2011.08.28     Suspicious file
Sophos     4.68.0     2011.08.28     Troj/SvcLoad-A
TheHacker     2011.08.29     Trojan/Agent.syl
VIPRE     10300     2011.08.29     Trojan.Win32.Generic!BT
MD5: eb19e7a8cd7dee563a2b7477a7b9037f


As you already noted, it is a worm capable of spreading through a local area network. Please remember this when running it on a VM attached to any LAN. Take appropriate measures to prevent it from spreading.

From what I see, it performs DNS queries using servers that are not in the victim's TCP/IP configuration.

According to Microsoft (and the samples they analysed), Morto:

Contacts remote hosts
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
Newly downloaded components are downloaded to a filename that uses the following format:
~MTMP<4 hex digits 0-f>.exe

Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

I have a few additional similar domains.

The list of recorded domains and IPs (see the additional/slightly different list in the Microsoft analysis):
  • = ASIA PACIFIC SERVER COMPANY, Hong Kong -- orders to perform DDoS test
  • Hutchison Global Communications, Hong Kong -- location from where 160.rar gets downloaded
  • = DoS test is on (Google won't "feel" it, it is not really "an attack on Google")
and others, as listed on the screenshot below.

DNS servers used (no changes made in TCP/IP settings):
  • victim's preferred DNS
  • Internet Rimon LTD, Israel
  • easyDNS Technologies, Inc., Toronto
  • NeuStar, Inc., VA, USA
  • Google DNS
  • SK Broadband Co Ltd, Korea
  • Level 3 Communications, Inc.
  • So-net service, Japan
  • Ministry of Education Network Operation Center, Thailand
  • Qwest Communications Company, LLC
  • DION (KDDI CORPORATION)
  • Kyung Hee University
  • North China Institute Of Technology
  • Dimension Data, South Africa
  • and perhaps others (see the screenshot)


Host reachable, 284 ms average.
Hutchison Global Communications
Hong Kong
9/F Low Block,
Hutchison Telecom Tower,
99 Cheung Fai Rd, Tsing Yi
phone: +852-21229555
fax: +852-21239523

Downloading 160.rar (MD5: 4E69179BB79DE93584E87C4763F6C664), the same file that Microsoft describes as:
"Newly downloaded components are downloaded to a filename that uses the following format: ~MTMP<4 hex digits 0-f>.exe"
In my case, these were created and deleted from C:\WINDOWS\Temp.
Size: 54496
MD5: 4E69179BB79DE93584E87C4763F6C664


However, they do not seem to have valid PE headers.
[EDIT] See the comments after the post. The file is actually a DLL.

Size: 54484
MD5: EBB3A5964DA485C0B9E67164B047A7A5
 Machine                      014Ch       i386
 Number of Sections           0004h       
 Time Date Stamp              4E536606h   23/08/2011  08:34:14
 Pointer to Symbol Table      00000000h   
 Number of Symbols            00000000h   
 Size of Optional Header      00E0h       
 Characteristics              210Eh       The file is executable (no unresolved external references)
                                          Line numbers are stripped from the file
                                          Local symbols are stripped from the file
                                          Computer supports 32-bit words
                                          The file is a dynamic link library (DLL)
 Magic                        010Bh       PE32
 Linker Version               0006h       6.0
 Size of Code                 00001000h   
 Size of Initialized Data     00000A00h   
 Size of Uninitialized Data   00000000h   
 Address of Entry Point       10001D6Ah   
 Base of Code                 00001000h   
 Base of Data                 00002000h   
 Image Base                   10000000h   
 Section Alignment            00001000h   
 File Alignment               00000200h   
 Operating System Version     00000004h   4.0
 Image Version                00000000h   0.0
 Subsystem Version            00000004h   4.0
 Win32 Version Value          00000000h   Reserved
 Size of Image                00005000h   20480 bytes
 Size of Headers              00000400h   
 Checksum                     00000000h   Real Image Checksum: 0001B115h
 Subsystem                    0002h       Win32 GUI
 Dll Characteristics          0000h       
 Size of Stack Reserve        00100000h   
 Size of Stack Commit         00001000h   
 Size of Heap Reserve         00100000h   
 Size of Heap Commit          00001000h   
 Loader Flags                 00000000h   Obsolete
 Number of Data Directories   00000010h
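As an added example (my own code, not part of the original post or any of the cited analyses): a small Python triage routine that does what the comments below describe for 160.rar, scanning past a leading non-PE prefix for the MZ/PE signatures and reading the COFF fields shown in the dump above. The sample blob is constructed, with a 12-byte prefix and the Machine, timestamp and Characteristics values from that dump; 12 bytes is also the size difference between the downloaded file (54496) and the parsed one (54484).

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C   # "Machine" value in the dump above
IMAGE_FILE_DLL = 0x2000            # Characteristics bit: image is a DLL


def find_pe(blob, max_prefix=0x1000):
    """Scan the first max_prefix bytes for an 'MZ' whose e_lfanew points at a
    'PE\\0\\0' signature. Returns (prefix_length, coff_fields) or None."""
    start = 0
    while True:
        mz = blob.find(b"MZ", start, max_prefix + 2)
        if mz < 0:
            return None
        if mz + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
            pe = mz + e_lfanew
            # 4-byte signature, 20-byte COFF header, then the optional header Magic
            if pe + 26 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                (machine, nsections, stamp, _symtab, _nsyms,
                 opt_size, chars) = struct.unpack_from("<HHIIIHH", blob, pe + 4)
                magic = struct.unpack_from("<H", blob, pe + 24)[0]
                when = datetime.fromtimestamp(stamp, tz=timezone.utc)
                return mz, {
                    "machine": machine,
                    "sections": nsections,
                    "timestamp": when.strftime("%Y-%m-%d %H:%M:%S"),
                    "characteristics": chars,
                    "is_dll": bool(chars & IMAGE_FILE_DLL),
                    "optional_header_size": opt_size,
                    "magic": magic,            # 0x10B = PE32
                }
        start = mz + 1   # an 'MZ' that does not lead to a PE header: keep scanning


def build_sample():
    """Constructed stand-in for 160.rar: 12 junk bytes, then a minimal PE DLL."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    coff = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH", IMAGE_FILE_MACHINE_I386, 4, 0x4E536606, 0, 0, 0x00E0, 0x210E)
    return b"\xde\xad\xbe\xef" * 3 + bytes(dos) + coff + struct.pack("<H", 0x010B)


if __name__ == "__main__":
    prefix, info = find_pe(build_sample())
    print(f"PE header found after a {prefix}-byte prefix: {info}")
```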

=======================================

Or, in another test: traffic to Google (DoS test). The response is Error 400 - invalid request:
"That's an error. Your client has issued a malformed or illegal request. That's all we know."


Administrative Contact:
   +86.02586880037  fax: +86.02586880037
   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
   Nanjing Jiangsu 210012
Registrar History
2008-06-14  eNom GMP Services
2010-05-03  Jiangsu Bangning Science & technology Co. Ltd.

IP Address History

Event Date   Action           Pre-Action IP    Post-Action IP
2005-02-12   Not Resolvable   213.161.76.87    -none-
2006-06-24   Not Resolvable   61.152.93.70     -none-
2008-03-30   Not Resolvable   210.95.31.4      -none-
2008-05-04   Not Resolvable   124.42.34.171    -none-
2009-07-27   Not Resolvable   69.64.147.212    -none-
2011-08-10   Not Resolvable   0.0.0.0          -none-
Registrant Contact:
   jian fan ren
   fan ren jian
   +86.01015215412  fax: +86.01012111111
   chang an lu 113 hao
   ma an san an hui 111111
Registrar History
2011-07-21  Jiangsu Bangning Science & technology Co. Ltd.

IP Address History

We have no record of any IP changes.

= ASIA PACIFIC SERVER COMPANY, Hong Kong -- orders to perform DoS test
=======================================
Hollywood Plaza, 610 Nathan Road
Hong Kong
ASIA PACIFIC SERVER COMPANY - network administrator
Hollywood Plaza, 610 Nathan Road, Mong Kong, KLN
phone: +85263419611

points to:

Registrant Contact:
   +86.02586880037  fax: +86.02586880037
   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
   Nanjing Jiangsu 210012

Created files
C:\WINDOWS\Offline Web Pages\1.40_TestDdos  (see this in the screenshot below, 6th line from the top)
C:\WINDOWS\Offline Web Pages\1.60_0823
C:\WINDOWS\Offline Web Pages\2011-08-29 0234
C:\WINDOWS\Offline Web Pages\cache.txt

TCP traffic from
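Added example (my own code, not from the post or the quoted Microsoft write-up): a Python routine that checks a file and registry listing, such as one exported from a VM snapshot or a sandbox report, against the host indicators named on this page, including the clb.dll search-order hijack (a copy in %windir% rather than System32) and the ~MTMP<4 hex digits>.exe temp names. The listing below is constructed, and the indicator set is assumed to cover only what the page names.

```python
import re

# Host-based indicators named in this post and in the quoted Microsoft analysis.
# Entries are matched after normalisation (lower-case, backslashes), so any
# drive letter or %windir% spelling works. Label -> compiled pattern.
INDICATORS = {
    "clb.dll planted in %windir% (searched before System32\\clb.dll)":
        re.compile(r"\\windows\\clb\.dll(\.bak)?$"),
    "ntshrui.dll dropped in %windir%\\temp":
        re.compile(r"\\windows\\temp\\ntshrui\.dll$"),
    "sens32.dll component":
        re.compile(r"\\sens32\.dll$"),
    "Offline Web Pages staging (cache.txt, 1.40_TestDdos, ...)":
        re.compile(r"\\windows\\offline web pages\\[^\\]+$"),
    "~MTMPxxxx.exe downloaded component":
        re.compile(r"\\windows\\temp\\~mtmp[0-9a-f]{4}\.exe$"),
    "encrypted payload stored under HKLM\\SYSTEM\\WPA\\md":
        re.compile(r"^hklm\\system\\wpa\\md$"),
}


def normalise(entry):
    return entry.strip().replace("/", "\\").lower()


def match_indicators(entries):
    """Return [(entry, label), ...] for every entry that matches an indicator.
    The legitimate %windir%\\System32\\clb.dll deliberately does not match."""
    hits = []
    for entry in entries:
        norm = normalise(entry)
        for label, pattern in INDICATORS.items():
            if pattern.search(norm):
                hits.append((entry, label))
    return hits


# Constructed listing mixing the page's indicators with benign system files.
SAMPLE_LISTING = [
    r"C:\WINDOWS\clb.dll",
    r"C:\WINDOWS\clb.dll.bak",
    r"C:\WINDOWS\system32\clb.dll",             # the real one, must not match
    r"C:\WINDOWS\Temp\~MTMP3fa9.exe",
    r"C:\WINDOWS\Temp\ntshrui.dll",
    r"C:\WINDOWS\Offline Web Pages\cache.txt",
    r"C:\WINDOWS\Offline Web Pages\1.40_TestDdos",
    r"HKLM\SYSTEM\WPA\md",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for entry, label in match_indicators(SAMPLE_LISTING):
        print(f"{entry}: {label}")
```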


  1. I haven't looked, but it might be as simple as skipping the first 12 bytes or so. MZ should be the first two bytes in a PE header, but there's some offset there.

    -Alex L

  2. Thanks, Alex. I will try again. I tried, but maybe it was too many or too few that I tried to skip.

  3. Mila,

    If you strip out the first 12 bytes of the 160.rar file, it becomes a valid PE file and in fact it is a DLL - one of the components that the worm downloads.


  4. Thank you all, indeed you get this file.

    I somehow botched it the first time. Ability to count past 10, I guess, is crucial :)