MUSTAN Malware Avoids Infecting Certain Files to Hide Its Presence

Status
Not open for further replies.

McLovin

Level 78
Thread author
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,228
Trend Micro experts have analyzed a piece of malware called PE_MUSTAN.A, a threat that's believed to be connected to the old WORM_MORTO.SM. The malicious element is interesting not just because of the way it spreads from one computer to the other, but also because of the mechanisms it uses to stay hidden.

MUSTAN-Malware-Avoids-Infecting-Certain-Files-to-Hide-Its-Presence-2.jpg


Researchers have found that MUSTAN spreads throughout networks via the Remote Desktop Protocol by brute forcing weak passwords.

“If certain user name and password combinations are in use, the malware will be able to gain access and start infecting files on the new system. This behavior is similar to WORM_MORTO,” Trend Micro Senior Threat Response Engineer Vincent Cabuag explained.

Once it infects a computer, the malware uses all the available drives, network shares and the Remote Desktop Protocol in order to spread.

It infects all .exe files, except for the ones located in folders such as “Common Files,” “Internet Explorer,” “Messenger,” “Microsoft,” “Movie Maker,” “Outlook,” “qq,” “RECYCLER,” “System Volume Information,” “windows” and “winnt.”

It’s believed that the .exe files from these folders would cause application crashes if they were infected, and thus reveal the malware’s presence. That’s why MUSTAN avoids compromising the files from these locations.

Another noteworthy aspect is the way it communicates with its command and control server via DNS. An attacker can not only command the malware to download additional files that can aid him in stealing important files, but he can also plant a backdoor which gives him complete access to the infected device.

According to experts, the threat is currently prevalent in the Asia-Pacific region. However, they emphasized the fact that the malware should not be able to spread at all if users and system administrators would set strong passwords for their devices.

Source
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top