Various Internet security firms report a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems, but it’s exploiting a rarely seen propagation method.
First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malcode samples.
According to multiple reports, Morto infects Windows workstations and servers, but spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.
“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled,” wrote F-Secure Corp. Chief Research Officer Mikko Hypponen in a blog post. “This creates a lot of traffic for port 3389/TCP, which is the RDP port.”
If it finds such a machine, according to Hypponen, the worm attempts a brute-force login as an administrator using a series of common passwords. Upon successful login, the worm copies itself to the new machine, terminates processes associated with local security applications and continues its propagation attempts. Hypponen also wrote that Morto can be controlled remotely via several servers, including jaifr.com and qfsl.net.
Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.
Marc Maiffret, CTO of eEye Digital Security, wrote on his company’s blog that the Morto worm reminds him of “the old days of CodeRed, Slammer, Sasser, Blaster” and others. According to Maiffret, companies can avoid infection by disabling RDP access directly from the Internet, using strong passwords and making a registry key change so RDP uses non-standard network ports.
“One would think that in 2011 such a basic attack would not have much legs,” Maiffret wrote, “but it seems that antivirus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute-forcing.”
In its TechNet post, Microsoft also advised the use of strong passwords, which should include 14 characters or more, and have a variety of letters, punctuations, symbols and numbers.