According to Joji Hamada, Morto first made the security headlines last month because of its ability to spread via the Windows Remote Desktop Protocol (RDP). The worm, he noted, was unique because it was the first of its kind to use that protocol for propagation.
“However, this wasn't the only unique aspect of the worm. My colleague, Cathal Mullaney, also discovered that W32.Morto introduced the usage of Domain Name System (DNS) records for communicating commands from the attacker to the worm”, he said in his latest security posting.
“We have been monitoring W32.Morto and the commands it has been receiving from the DNS queries since its discovery. However, the downloaded files have not performed any meaningful activities during the three week period”, he added.
Hamada goes on to say that the latest update shares the traits of the original W32.Morto, such as storing encrypted data in the registry and using an identical obfuscation technique, but no longer has the RDP propagation mechanism built in.
Curiously, the Symantec expert notes that this variant does not perform DNS queries to receive commands. Instead, it parses the index pages of an online gaming site that lists the online status of server emulators for ZhuXian, a massively multiplayer online role-playing game in China.
Once the initial parsing is complete, Hamada said, the worm requests the next page in the parse chain and searches it for the Chinese text “Please answer the following question”.
If this text is found, he added, the worm attempts to locate a submission form on the page. This may, he asserted, be a technique to automatically circumvent CAPTCHAs and other anti-automation measures.
So what’s the motive here? he asks.
“We still do not know. All of the server emulator sites listed in the index that I confirmed included a page to buy points to be used in the game. Although W32.Morto has been a unique piece of malware to analyse, the motivation behind the attack could be the same as for any malware commonly found these days: that it is created for monetary gain”, he said.