Couple of days ago it was reported that a new worm was spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a never seen before spreading vector – RDP.
For this analysis I have decided to use the famous memory forensics framework - “volatility”.
In order to analyze Morto with volatility framework you will have first to dump out the full RAM contents. I have used my preferred tool MoonSols win32dd.exe tool.
Once my sandbox was ready I have executed my Morto sample (MD5: 2EEF4D8B88161BAF2525ABFB6C1BAC2B), waited a few seconds till I saw some network activity and some file system modifications, fired up win32dd.exe and saved the memory file as “morto_mem.dmp”
We are ready, let’s fire up volatility and start the analysis:
Note: I have used the –P switch to obtain the physical offset.
Hmmm, looks like no malicious process / processes are running….
Let’s check for open connections:
Yep, port 3389 (RDP) and looks like PID 1064 is the trouble maker, let’s check the process name:
By it’s timestamp (2011-08-30) and it’s PPID (parent pid) we can understand that this process is a legitimate system process.
Let’s check all svchosts processes PPID:
Same timestamp and all have a parent pid of 676, which is services.exe:
If svchost.exe (PID 1064) is a legit process why are the malicious connections?
192.168.164.128:1055 -> 192.168.162.1:3389 (PID:1064)
192.168.164.128:1046 -> 188.8.131.52:80 (PID:1064)
Let’s see what file system modifications occurred during the infection (regshot output):
We can see that during the infection process Morto creates 4 new files on the infected system and also deletes itself.
Notice the Sens32.dll that was created; let’s check if it is loaded by a specific process:
Yep, “Sens32.dll” is loaded by our “malicious” svchost.exe process, let’s dump our malicious process:
It was reported that Morto finds a Remote Desktop server and then it attempts to login as Administrator using a list of hard-coded passwords. Let’s try to get this list:
And here is the list:
After removing duplicates users / passwords the list included 103 items:
It was also reported that Morto “copy itself to the target system by creating a temporary drive under letter A: and copying a file called a.dll”:
Till Next Sample