Morto, the first-ever worm to spread via Windows Remote Desktop Protocol (RDP), is not only unique because of its propagation mechanism – it also uses a novel vector, domain name system (DNS) records, to communicate with infected machines, a Symantec researcher said Wednesday.
The DNS is a critical component of internet infrastructure that translates human-readable domain names into IP addresses, and its record types can carry other data besides addresses.
Specifically, Morto uses DNS TXT records for its communication protocol, Cathal Mullaney, security response engineer at Symantec, said in a blog post Wednesday. TXT records were originally defined (in RFC 1035) to attach free-form descriptive text to a domain name. Nowadays, however, they are more often used to store machine-readable data such as SPF and DKIM email-authentication policies and domain-ownership verification tokens, so TXT lookups are routine traffic on most networks. “The worm's use of DNS TXT records is an unusual method of issuing commands to the remote threat while keeping the C&C [command-and-control] vector under the radar,” Mullaney wrote.
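Because TXT lookups are normal traffic, a defender cannot simply alert on every TXT query; the practical check is to separate the well-known benign record formats from TXT answers that look like encoded payloads or that a single host keeps polling. The following is an added example, not code from Symantec or from the article, and it does not attempt to decode Morto's own TXT payloads, which the article does not describe. It runs over a constructed, hypothetical resolver log (timestamp, client IP, query type, name, answer data) with made-up domains under the reserved `.invalid` TLD, and flags two patterns: TXT answers that are long and high-entropy without a recognised benign prefix, and repeated TXT queries from one client to one name.

```python
import math
import re

# Prefixes of TXT records that legitimate software looks up all the time.
# Assumption: these cover the common benign uses (SPF, DKIM, DMARC, site verification).
BENIGN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")

# Hypothetical log format, one record per line (constructed for this example):
#   <timestamp> <client-ip> <qtype> <qname> <rdata...>
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')

# Constructed sample log. The .invalid names and the payload string are made up.
SAMPLE_LOG = """\
2011-08-31T10:00:01Z 10.0.0.5 A www.example.com 93.184.216.34
2011-08-31T10:00:02Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.com -all"
2011-08-31T10:00:03Z 10.0.0.5 TXT mail._domainkey.example.com "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"
2011-08-31T10:00:04Z 10.0.0.7 TXT cmd.c2-example.invalid "Qm7ZYkJ0Rx5NaWcLsVeHj8DtTu1pGo4f"
2011-08-31T10:00:05Z 10.0.0.9 TXT beacon.c2-example.invalid "0"
2011-08-31T10:01:05Z 10.0.0.9 TXT beacon.c2-example.invalid "0"
2011-08-31T10:02:05Z 10.0.0.9 TXT beacon.c2-example.invalid "0"
"""


def shannon_entropy(s):
    """Bits of entropy per character; random base64/hex data scores high, prose scores lower."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, rdata = m.groups()
    return {
        "ts": ts,
        "client": client,
        "qtype": qtype.upper(),
        "qname": qname.lower().rstrip("."),
        "rdata": rdata.strip().strip('"'),  # TXT data is logged in quotes
    }


def find_suspicious_txt(log_text, entropy_threshold=4.0, min_len=24, beacon_count=3):
    """Return findings for TXT traffic that looks like a covert command channel."""
    findings = []
    per_pair = {}  # (client, qname) -> number of non-benign TXT queries
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        # Known-good record formats are skipped even though DKIM keys are high-entropy base64.
        if rec["rdata"].startswith(BENIGN_TXT_PREFIXES):
            continue
        key = (rec["client"], rec["qname"])
        per_pair[key] = per_pair.get(key, 0) + 1
        ent = shannon_entropy(rec["rdata"])
        if len(rec["rdata"]) >= min_len and ent >= entropy_threshold:
            findings.append({"reason": "high-entropy-txt", "client": rec["client"],
                             "qname": rec["qname"], "entropy": round(ent, 2)})
    # A host repeatedly asking for the same non-benign TXT name is polling for instructions.
    for (client, qname), n in per_pair.items():
        if n >= beacon_count:
            findings.append({"reason": "repeated-txt-queries", "client": client,
                             "qname": qname, "count": n})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_txt(SAMPLE_LOG):
        print(f)
```

The prefix allowlist is the weak point of this heuristic: an operator who prepends `v=spf1` to an encoded command would slip past the first check, so the repeated-query check and a reputation or age check on the queried domain should be used alongside it rather than relying on content inspection alone.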