11:51 pm (UTC-7) | by Vincent Cabuag (Senior Threat Response Engineer)
Seen in the wild last July 2012, PE_MUSTAN.A spreads across less secured networks and is known to target systems with weak passwords. Its roots can be traced to WORM_MORTO.SM, which proliferated a year earlier. While brute-forcing its way around a network is no longer a new tactic, PE_MUSTAN's presence proves that supposedly secured networks still have glaring weak spots.
Like all file infectors, this new breed can rapidly infect multiple files on a single machine. It tries to infect all .EXE files, except those in folders with the following names:
- Common Files
- Internet Explorer
- Movie Maker
- System Volume Information
Based on the list above, it appears that MUSTAN actively avoids infecting files where a crash caused by the infection would be noticeable: Microsoft applications and instant messaging clients are both "whitelisted" from infection.
PE_MUSTAN.A also attempts to spread via networks, specifically using the Remote Desktop Protocol to access other systems. If certain user name and password combinations are in use (the full list is in the Threat Encyclopedia entry), the malware will be able to gain access and start infecting files on the new system. This behavior is similar to WORM_MORTO.
Once on an infected system, it targets virtually every drive it can reach in order to spread: local fixed and removable drives, network shares, and, like WORM_MORTO, the Remote Desktop Protocol (RDP) default share. The RDP share is not created by default; it only exists when the user, through extra configuration steps, chooses to share local drives over RDP.
One interesting aspect of this malware is how it uses DNS to communicate with its command-and-control (C&C) servers. It uses DNS TXT records to acquire commands from its C&C servers, as seen below:
In this case it receives an encoded string containing links from which it can download other malicious files to run. The attacker could easily use these files to steal important data from the affected system, or plant a backdoor that gives the remote attacker complete access.
We also noticed that the coding styles and techniques used by MORTO are similar to those of MUSTAN, which could mean that both notorious file infectors were created by the same cybercriminals. Below are some code snippets from both malware showing how they handle strings in their code:
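As an added defender-side example (not from the original post or from Trend Micro), the following Python script scans constructed resolver-log lines for TXT answers shaped like the encoded command strings described above. The log format, the hostnames and the base64-with-'|' encoding are assumptions, since the post does not say how the string is encoded.

```python
import base64
import math
import re
from collections import Counter
# Constructed resolver-log lines (not real MUSTAN traffic): timestamp, client,
# query name, record type, answer. The encoded TXT answer is built from two
# placeholder URLs; base64 with '|' separators is an assumed encoding.
ENCODED_LINKS = base64.b64encode(
    b"http://example.invalid/a.exe|http://example.invalid/b.exe").decode()
SAMPLE_LOG = [
    '2012-07-14T03:21:07Z 10.0.0.5 _spf.example.invalid TXT "v=spf1 include:_spf.example.invalid ~all"',
    f'2012-07-14T03:21:09Z 10.0.0.5 cmd.example.invalid TXT "{ENCODED_LINKS}"',
    '2012-07-14T03:21:10Z 10.0.0.7 www.example.invalid A 192.0.2.10',
]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (.*)$')
BASE64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def shannon_entropy(text):
    """Bits per character; SPF-style prose scores lower than a dense encoded blob."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qname, qtype, rdata = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "rdata": rdata.strip('"')}

def looks_encoded(rdata, min_len=40, min_entropy=4.0):
    """Heuristic: a long, single-token, base64-shaped, high-entropy answer."""
    return (len(rdata) >= min_len and BASE64_RE.match(rdata) is not None
            and shannon_entropy(rdata) >= min_entropy)

def decode_links(rdata):
    """Decode with the assumed scheme; empty list if it is not valid base64."""
    try:
        return base64.b64decode(rdata, validate=True).decode("ascii").split("|")
    except (ValueError, UnicodeDecodeError):
        return []

def flag_txt_beacons(lines):
    """(client, qname, decoded links) for TXT answers that look like encoded commands."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["qtype"] == "TXT" and looks_encoded(rec["rdata"]):
            hits.append((rec["client"], rec["qname"], decode_links(rec["rdata"])))
    return hits
```

The SPF answer and the A record pass through untouched; only the long single-token TXT answer is flagged and decoded for analyst review.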
Based on feedback from the Smart Protection Network, this malware is particularly prevalent in the Asia-Pacific region. However, it should not be spreading at all, if only we had learned our lessons. We know it's hard for some users to remember what they chose for their password, but a little creativity could go a long way in securing your machine. How about… T!mWcpW&!sS, short for This !s my Work computer passWord and !t is Safe. Got it? To learn more about creating secure passwords, read our FAQ entry Will Your Passwords Pass the Test?