One recommendation to prevent being attacked by the recent Morto worm was to edit the system registry so that common...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
services (like Windows Remote Desktop Protocol) use non-standard ports. What are the ramifications of this approach? Should it be a security best practice?
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The Morto worm leveraged a number of well-known vulnerabilities in Microsoft operating systems, and specifically the Remote Desktop Protocol (RDP), to spread malicious code from host-to-host over the Internet and the local network. Some security experts recommended that administrators change default RDP port from 3389 to a site-specific obscure value.
While this approach stopped Morto in its tracks, I don’t recommend it as a standard antimalware tactic. It’s the epitome of the "security through obscurity" approach that attempts to provide network security by hiding well-known services in plain sight. The problem with this approach is that malware can very easily adapt to it. Imagine how the Morto authors could adapt to this approach; they’d simply need to add a port scanner with protocol fingerprinting capabilities to the malicious code. The effect on the community of using a security through obscurity approach has direct parallels to the overuse of antibiotics in medicine. If we all take this approach, the malware will simply get stronger, rendering our defenses useless.
Instead, you should prepare for Morto just as you would any other malware threat. Here are three simple recommendations:
- Block RDP at the border. You should not allow direct administrative access (such as that provided by RDP) to systems from sites on the Internet. While it’s certainly acceptable to use RDP, you should require that users first connect to your enterprise virtual private network (VPN) before attempting an RDP connection. This simple tactic will block any Internet-borne infiltration of Morto from reaching your network.
- Use and update antivirus software on your network. Morto is a known entity. Antivirus software is perfectly capable of detecting it, so there is no excuse for having systems infected by this malware. Be sure all hosts on your network have antivirus software installed and configured for automatic updates.
- Require strong passwords. Morto relies upon user accounts with weak passwords to spread. Requiring strong passwords through Group Policy will block Morto attacks that manage to make it past your perimeter defenses.
Defending your network against malware is not rocket science. These simple, time-proven steps will protect you against Morto and whatever RDP-borne threat arrives next.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.