
Morto worm, an old-school Internet worm, spreading via RDP

SearchSecurity.com Staff

Various Internet security firms report that a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems, but it is using a propagation method that is rarely seen today.

First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malcode samples.

According to multiple reports, Morto infects Windows workstations and servers, but spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.

“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled,” wrote F-Secure Corp. Chief Research Officer Mikko Hypponen in a blog post. “This creates a lot of traffic for port 3389/TCP, which is the RDP port.”

If it finds such a machine, according to Hypponen, the worm attempts a brute-force login as an administrator using a series of common passwords. Upon successful login, the worm copies itself to the new machine, terminates processes associated with local security applications and continues its propagation attempts. Hypponen also wrote that Morto can be controlled remotely via several servers, including jaifr.com and qfsl.net.
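The behaviour Hypponen describes, a burst of failed administrator logons over RDP from one address followed by a successful one, is what a defender can look for in Windows Security logs. The following Python script is an added example, not part of the article or of any vendor's tooling: it runs a sliding-window count of failed RemoteInteractive logons per source address over constructed sample records. It assumes the logs have been exported to a simple CSV layout (timestamp, event ID, logon type, target user, source IP); event ID 4625 is Windows' failed-logon event, 4624 the successful logon, and logon type 10 marks a Remote Desktop session. The addresses, times and usernames are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, event_id, logon_type, target_user, source_ip).
# 4625 = an account failed to log on, 4624 = successful logon,
# logon type 10 = RemoteInteractive (Remote Desktop). Values are invented.
SAMPLE_LOG = """\
2011-08-28T10:00:01,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:02,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:03,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:04,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:05,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:06,4625,10,Administrator,192.0.2.10
2011-08-28T10:00:07,4624,10,Administrator,192.0.2.10
2011-08-28T10:05:00,4625,10,alice,192.0.2.55
2011-08-28T10:30:00,4625,10,alice,192.0.2.55
2011-08-28T11:00:00,4625,2,bob,-
"""


def parse_log(text):
    """Parse the simplified CSV export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return records


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Alert on source addresses that produce `threshold` or more failed
    RDP logons inside any `window`. Each alert reports the peak count in a
    window, the total failures, the accounts targeted, and whether the same
    source later logged on successfully (the sign of a guess that worked)."""
    failures = defaultdict(list)   # src -> [(time, user), ...] for 4625/type 10
    successes = defaultdict(list)  # src -> [time, ...] for 4624/type 10
    for rec in records:
        if rec["logon_type"] != 10 or rec["src"] == "-":
            continue  # only network RDP sessions are of interest here
        if rec["event_id"] == 4625:
            failures[rec["src"]].append((rec["time"], rec["user"]))
        elif rec["event_id"] == 4624:
            successes[rec["src"]].append(rec["time"])

    alerts = []
    for src, fails in failures.items():
        fails.sort()
        # Two-pointer sliding window: largest number of failures in any window.
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = fails[0][0]
        alerts.append({
            "src": src,
            "peak_in_window": peak,
            "total_failures": len(fails),
            "users": sorted({user for _, user in fails}),
            "success_after": any(t > first_fail for t in successes.get(src, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run stand-alone it reports the one source that tripped the threshold; the threshold and window are parameters so the same function can be pointed at a real export. The `success_after` field is the one to act on first: many failures from one address are noise until a logon from that address succeeds, at which point the pattern matches the worm's behaviour described above.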

Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.

Marc Maiffret, CTO of eEye Digital Security, wrote on his company’s blog that the Morto worm reminds him of “the old days of CodeRed, Slammer, Sasser, Blaster” and others. According to Maiffret, companies can avoid infection by disabling RDP access directly from the Internet, using strong passwords and making a registry key change so RDP uses non-standard network ports.

“One would think that in 2011 such a basic attack would not have much legs,” Maiffret wrote, “but it seems that antivirus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute-forcing.”

In its TechNet post, Microsoft also advised the use of strong passwords, which should be 14 characters or more and include a variety of letters, punctuation, symbols and numbers.

