Trend Micro experts have analyzed a piece of malware called PE_MUSTAN.A, a threat that's believed to be connected to the old WORM_MORTO.SM. The malware is interesting not just because of the way it spreads from one computer to another, but also because of the mechanisms it uses to stay hidden.
Researchers have found that MUSTAN spreads throughout networks via the Remote Desktop Protocol by brute forcing weak passwords.
“If certain user name and password combinations are in use, the malware will be able to gain access and start infecting files on the new system. This behavior is similar to WORM_MORTO,” Trend Micro Senior Threat Response Engineer Vincent Cabuag explained.
Once it infects a computer, the malware uses all the available drives, network shares and the Remote Desktop Protocol in order to spread.
It infects all .exe files, except for the ones located in folders such as “Common Files,” “Internet Explorer,” “Messenger,” “Microsoft,” “Movie Maker,” “Outlook,” “qq,” “RECYCLER,” “System Volume Information,” “windows” and “winnt.”
It’s believed that the .exe files from these folders would cause application crashes if they were infected, and thus reveal the malware’s presence. That’s why MUSTAN avoids compromising the files from these locations.
Another noteworthy aspect is the way it communicates with its command and control server via DNS. An attacker can not only command the malware to download additional files that can aid him in stealing important files, but he can also plant a backdoor which gives him complete access to the infected device.
According to experts, the threat is currently prevalent in the Asia-Pacific region. However, they emphasized that the malware should not be able to spread at all if users and system administrators set strong passwords for their devices.
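The RDP password guessing described above leaves a recognizable trail in Windows logon events, and the following added example (not from Trend Micro or the original article) shows one way to flag it: a burst of failed remote logons from one source, followed by a success. The one-line-per-event log format, the sample data, the threshold and the window are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
#   time, Windows Security event ID, logon type, source address, account
# 4625 = failed logon, 4624 = successful logon; logon type 10 is RDP
# (RemoteInteractive), type 3 is how RDP attempts appear when NLA is enabled.
SAMPLE = """\
2024-01-01T10:00:00 4625 10 10.0.0.23 administrator
2024-01-01T10:00:02 4625 10 10.0.0.23 admin
2024-01-01T10:00:04 4625 10 10.0.0.23 test
2024-01-01T10:00:06 4625 10 10.0.0.23 user
2024-01-01T10:00:08 4625 10 10.0.0.23 backup
2024-01-01T10:00:10 4624 10 10.0.0.23 backup
2024-01-01T10:05:00 4625 10 10.0.0.40 alice
2024-01-01T10:05:30 4624 10 10.0.0.40 alice
2024-01-01T11:00:00 4625 2 10.0.0.23 admin
"""

def parse(text):
    """Yield (time, event_id, logon_type, source, account) tuples."""
    for line in text.splitlines():
        ts, event_id, logon_type, src, user = line.split()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user.lower()

def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed remote logons inside the window.

    'compromised' is set to the account name when a successful logon from the
    same source follows while the burst is still inside the window.
    """
    recent = defaultdict(deque)  # source -> (time, account) of recent failures
    alerts = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type not in (3, 10):
            continue  # ignore console and other local logon types
        fails = recent[src]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # drop failures that fell out of the window
        if event_id == 4625:
            fails.append((ts, user))
            if len(fails) >= threshold:
                alert = alerts.setdefault(src, {"users": set(), "compromised": None})
                alert["users"].update(u for _, u in fails)
        elif event_id == 4624 and src in alerts and fails:
            alerts[src]["compromised"] = user
    return alerts
```

Because the article says infected machines themselves spread over RDP, a flagged source on the internal network is a host to examine, not only the account it guessed.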