[nsp-sec] Morto worm C&C (RDP Scanner)
Nicholas Ianelli
ni at allyourinfoarebelongto.us
Wed Aug 31 09:26:19 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/31/2011 06:03 AM, Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Carles Fragoso wrote:
>> BTW, any info about which kind of traffic profile uses Morto to communicate with C&C?

I believe DNS is the primary method for C2 communications.

Here are the write-ups I've seen:

http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html
http://www.f-secure.com/weblog/archives/00002227.html
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A

I think the Contagio URL may have what you're looking for under the
"Traffic" section.

Nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5eNngACgkQi10dJIBjZIDHigCgjGsTQrbl4oFBT9LIsKCG6wx1
8skAoNoa725M/l36iI8EM6Cbidsr0EGW
=HkG0
-----END PGP SIGNATURE-----