W32.Morto first made headlines in August because of its capability to spread by Windows Remote Desktop Protocol (RDP). The worm was unique because it was the first of its kind to use the protocol. However, this wasn't the only unique aspect of the worm. My colleague, Cathal Mullaney, also discovered that W32.Morto introduced the usage of Domain Name System (DNS) records for communicating commands from the attacker to the worm. We have been monitoring W32.Morto and the commands it has been receiving from the DNS queries since its discovery; however, the downloaded files have not performed any meaningful activities during the three week period.
But now we are finally seeing a change in the updates. This latest update contains the same traits of the original W32.Morto such as storing encrypted data in the registry and using an identical obfuscation technique. However, it no longer has the RDP propagation mechanism built-in. It also does not perform DNS queries to receive commands. The most interesting activity that W32.Morto now performs is that it parsers through index pages of an online game site that lists the online status of server emulators of the popular Chinese MMORPG game, ZhuXian. A sample page is shown below. Server emulators are servers run by third parties to provide an arena different from the one provided by the original developer of the game. Once the initial parsing is complete, the worm requests the next page in the parse chain and searches for the Chinese text:
“Please answer the following question”
If this text is found, the worm attempts to search for a submission form on the page. This may be a technique to automatically circumvent Captchas and other anti-automation techniques.
So what’s the motive here? We still do not know. All of the server emulator sites listed in the index I confirmed included a page to buy points to be used for the game. Although W32.Morto has been a unique malware to analyze, motivation behind the attack could be the same as any malware commonly found these days; that is created for monetary gains. We are continuing our investigation to uncover the ultimate goal of the attack and will certainly follow up with more details as we find them.