Morto: Remote Desktop Connection Worm In the Wild, Spreading Actively

The fine folks at Finnish antivirus software maker F-Secure have spotted a new worm in the wild.

For us antivirus folks, worms are among the most feared because of their ability to infect, spread, and replicate on their own.

This one is being dubbed "Morto," and what makes it unique is that it's the first worm to spread via Microsoft Remote Desktop Connection.

The only surprising thing to me is that it's taken so long for a worm of this type to surface. Remote Desktop gives you direct access to your desktop remotely, so if someone manages to break into your system via the Remote Desktop Service, it gives them direct access to your computer--as if they were working right on your desktop, albeit remotely.

This particular worm isn't exploiting any bugs in Windows or in Remote Desktop; rather, it's exploiting weak passwords, long the bane of good system administrators.

Further, it's attempting to gain access to the default "Administrator" login, giving it maximum permissions on the system. Thus, once it's in, the computer is fully compromised.

Our own networks are seeing this threat attempting to connect to our servers at a rate of about 10 attempts per second, so clearly, this is a threat to take seriously if you have machines that rely on TCP port 3389, the Remote Desktop port.

As for the passwords being attempted, F-Secure's post on the Morto Remote Desktop worm lists these as the passwords being used to attempt the break-ins:
  • admin
  • password
  • server
  • test
  • user
  • pass
  • letmein
  • 1234qwer
  • 1q2w3e
  • 1qaz2wsx
  • aaa
  • abc123
  • abcd1234
  • admin123
  • 111
  • 123
  • 369
  • 1111
  • 12345
  • 111111
  • 123123
  • 123321
  • 123456
  • 654321
  • 666666
  • 888888
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
As you might imagine, there are already Morto worm discussions on the Microsoft TechNet forums, so if you think you're at risk, you might want to head over and take a peek at the discussions.

Here are our recommendations to keep this worm at bay:
  1. Change your password. Here's a how-to on choosing a good password.
  2. Rename your "Administrator" account. Since the worm tries the "Administrator" account by name, any other account name will help keep it at bay.
  3. Block access to TCP port 3389, if possible, or limit access only to IP addresses you trust.
  4. Make sure your antivirus software/Internet security software is up-to-date.
F-Secure is detecting the Morto components as:
  • Backdoor:W32/Morto.A
  • Backdoor:W32/Morto.B
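Because the worm announces itself as a burst of failed Remote Desktop logons (the post cites roughly 10 attempts per second against "Administrator"), an administrator can spot it in an exported Security log by counting failed RDP logons per source address inside a sliding window. The script below is an added example, not part of the original post or F-Secure's analysis; it assumes the log was exported as comma-separated lines (timestamp, Event ID, logon type, target user, source address), in time order, and it runs on constructed sample lines rather than a real capture.

```python
"""Flag password-guessing bursts over Remote Desktop in an exported Security log.

Assumed export format (one event per line, time-ordered):
    <ISO 8601 timestamp>,<EventID>,<LogonType>,<TargetUserName>,<SourceAddress>
Event ID 4625 is "an account failed to log on"; logon type 10 is
RemoteInteractive, i.e. a Remote Desktop session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"   # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = "10"   # logon type 10 = RemoteInteractive (Remote Desktop)

# Constructed sample export (not a real log): twelve failed RDP logons against
# "Administrator" from one address inside a single second, plus three events
# that a detector must NOT count.
BURST = "\n".join(
    f"2011-08-28T10:15:00.{i * 90:03d},4625,10,Administrator,203.0.113.7"
    for i in range(12)
)
SAMPLE_LOG = BURST + "\n" + "\n".join([
    "2011-08-28T10:15:00.300,4625,10,jsmith,192.0.2.20",       # one typo by a real user
    "2011-08-28T10:15:02.000,4625,2,Administrator,127.0.0.1",  # console logon, not RDP
    "2011-08-28T10:15:05.000,4624,10,jsmith,192.0.2.20",       # successful logon, ignored
])


def parse_line(line):
    """Split one exported event into (timestamp, event_id, logon_type, user, source)."""
    ts, event_id, logon_type, user, src = line.strip().split(",")
    return datetime.fromisoformat(ts), event_id, logon_type, user, src


def find_bursts(lines, threshold=5, window=timedelta(seconds=1)):
    """Return {source: {"peak": n, "users": [...]}} for every source address whose
    failed RDP logons reach `threshold` attempts inside any `window`-long span.

    Only failed (4625) RemoteInteractive (type 10) logons are counted; the
    targeted account names are reported so the operator can see whether the
    guesses are aimed at "Administrator" as Morto's are.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)       # source -> largest count seen in one window
    users = defaultdict(set)      # source -> account names targeted
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = parse_line(line)
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:    # drop attempts that have aged out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        users[src].add(user)
    return {src: {"peak": n, "users": sorted(users[src])}
            for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['peak']} failed RDP logons/sec against {info['users']}")
```

Feed it a real export (for example, a CSV saved from Event Viewer with those five columns) and the sources it returns are candidates for the port-3389 blocking the post recommends.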


Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report

In its most recent Threats Report, antivirus and security software vendor McAfee covers a lot of ground in the malware arena.

Here are the highlights:
  1. Android is now the most highly targeted platform for mobile / smartphone malware.
  2. More successful legal actions are being taken against cybercriminals
  3. 22% increase in malware samples over 2010
  4. On pace for 75 million malware samples by the end of 2011
  5. Fake antivirus software continuing to grow
  6. 38% increase in rootkits (stealth malware) over 2010
  7. Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
  8. After a brief up-tick, spam is again declining
  9. Over 7,000 new malicious websites per day
  10. Over 2,700 new phishing websites per day
What are the takeaways from it?

  1. Smartphone viruses are here, they're real, and they're growing.
  2. It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
  3. Antivirus software is a must.


Charge Your Cell Phone, Get Malware?


Most of us have been in an airport or other similar public place and seen the free charging kiosks.

And, I'll venture to bet that most of us have used 'em, too.

It looks like the bad guys aren't running out of ideas for getting at you and your data, and now it looks like the free ride at the charging kiosk is over, since the bad guys can start moving in there, too.

That's what Brian Markus (president of Aires Security) and his colleagues (researchers Joseph Mlodzianowski and Robert Rowley) showed when they built a charging kiosk at the 2011 DefCon hackers convention in Las Vegas.

As crazy as it sounds, charging your smart phone at a free charging kiosk can leave it exposed to data theft or even malware installation.

Brian Krebs' always-fantastic security blog, Krebs on Security, has a piece called Beware of Juice Jacking that goes into detail about how even some phones with settings to disable USB transfer don't do so reliably enough to be trusted.

'One attendee claimed his phone had USB transfer off and he would be fine. When he plugged in, it instantly went into USB transfer mode,' Markus recalls. 'He then sheepishly said, "Guess that setting doesn't work."'

Given that we haven't had any opportunities to test smart phone antivirus software against these types of threats, we can't say if the current batch of antivirus software for phones would be enough to prevent these types of attacks. Given what we've seen from VIPRE Mobile (the version of VIPRE Antivirus for Android Mobile phones), we expect it would.

Regardless, it's clearly safest to avoid these kiosks for charging your phone, and as the piece says,

If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.

'One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,' Markus said.


Firefox 6 Released. Does it Matter?

With Mozilla Firefox now on its third full release in its new "rapid release" schedule, there's definitely reason to upgrade for most people.

The most noticeable improvement is in the address bar, which now puts emphasis on the domain name to help thwart phishing attacks.

As you can (hopefully) see the emphasis, while subtle, is definitely there.

I've found as I got used to using it, the emphasis was easier to spot.

Personally, I love the feature; I just wish it were even more prominent.

Opera, in version 11, took a different approach, removing everything but the domain name itself from the address bar.

While that approach is probably good to some extent, particularly for new users, it's also frustrating because it requires you to click on the address bar to reveal the full website address.

Luckily, you can easily revert to displaying the full website address in Opera by typing opera:config into the Opera address bar.

Whatever the case, it's a good thing that web browsers are trying, through a host of technological means, to make it harder for malware writers to take over people's PCs.

Bottom line: yes, it's worth upgrading.

Regardless of what antivirus software you're running, keeping your web browser updated is a smart thing to do. After all, most virus and malware attacks do come in via the web, so why not give yourself every technological advantage?


Best Web Browser for Blocking Malicious Content?


Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit."

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks

  Web Browser                      Malware Blocking Efficacy
  Microsoft Internet Explorer 9    99.2%*
  Google Chrome 12                 13.2%
  Apple Safari 5                    7.6%
  Mozilla Firefox 4                 7.6%
  Opera 11                          6.1%

  * With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of the protection respectively.

Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers' ability (or likelihood) to be attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.


Huge Security Update Batch from Microsoft

If you haven't already gotten notice from your PC that there are updates waiting to be installed, you're now on notice.

This batch of patches covers a lot of ground: Windows, Internet Explorer, and even Microsoft Office (which you'll likely need to take care of separately).

With so many patches, you can count on one thing: the bad guys are watching these updates, too, to see what things they can exploit on un-patched PCs.

According to a great summary at ComputerWorld on the Microsoft Security Updates,
Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.'
Here's how the 13 updates break down:
  1. Critical: 2
  2. Important: 9
  3. Moderate: 2
Curiously, there's some debate among security researchers about which updates are most important:
Other security experts from Symantec [makers of Norton Antivirus] and Kaspersky Lab also highlighted the IE update as the one users should deploy first.
Given this many updates, and this many high-priority updates, there's no question that this batch is worth the time, reboot included, needed to get them all applied.

As far as I'm concerned, no one should be wondering, "Gosh, which ones should I apply?" or, "Which ones should I apply first?"

Simple. Do them all. Immediately.

The one in particular that caught a lot of people's attention was the "Ping of Death" patch, which sounds to a lot of people like the old "Ping of Death" that could be done to PCs years ago.

This raises the question: are there already exploits for this bug?

Equally important, though, is why this is labeled only "Important" and not "Critical."

Regardless, it really is "Critical" in my opinion because of the ramifications of having an unpatched system.

Exploiting this bug requires very little technical knowledge, and it can allow an attacker to easily prevent your computer from having any Internet access, effectively shutting your PC down.

In Ye Olden Days, a similar attack would even cause the computer to reboot, and continue to reboot, 'til the attacker stopped their attack or you disconnected your PC from the Internet. Ouch.

Bugs like this are one of the main reasons why looking at an Internet Security Suite with built in firewall software is so important. In most cases a PC protected by a software firewall would be immune to this and similar attacks.

Regardless of whether or not you have an ISS with a software firewall, there are still a lot of other things these updates take care of, so get it done!

Here's where you can get the patches:


Do Macs Need Antivirus Software? More Answers to this Persistent Question

A few days ago we trained our blog's spotlight on the Stuxnet Worm and the incredible piece of reporting done at Wired to bring this story the attention it deserves.

Since the Wired article, there has been just tons of coverage about how the worm came to be, about the threats to equipment like the Siemens controllers in the article, and what the real threats are from these types of attacks.

One of the best ones was in an ITWorld piece this week, "Does the Mac have an edge against state-sponsored hacking?"

This isn't just about state-sponsored hacking but about the question generally of: Does a Mac Need Antivirus Software?

This question is posed indirectly in the outstanding research document Macs in the Age of the APT [Advanced Persistent Threat] done by iSEC Partners.

There's a second question-within-the-question though: Does the Apple computer need antivirus software?

Let's start with a quote from the ITWorld article,
When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?

"Not necessarily, according to researchers at iSec Partners, a security consultancy that is part of NCC Group.

"Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of the type of intrusion that hit Google -- called an advanced persistent threat (APT) attack -- and compared how the Mac would do versus Windows 7.
...and as you might expect this is where things get interesting.

It's commonplace in the Mac community to believe--even recklessly--that Apple OSX is immune to viruses and other malware.

Malarkey. If it has a CPU, it can get a virus. Full stop.

Right now there are still fewer--far fewer--threats for the Mac. No question.

Some pundits claim this is because there are fewer Macs than PCs; others will claim this is because the Mac is so much more secure, it's all but impervious to attacks technologically.

While that may--and I want to emphasize may--be true, that doesn't mean the Mac really is impervious technologically. It's not. It's just that the bad guys haven't publicly put the attention onto the Mac that they have onto Windows.

Further, the Mac is no more immune at all than a Windows 7 PC against a social engineering attack where the user is tricked into installing malicious software.

Again quoting the ITWorld piece on the iSEC research,
Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story.

"'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'

"The problem is that many of Apple's server protocols -- mDNS, Apple Remote Desktop, the Mac Kerberos authentication, for example -- use weak authentication models that give the attackers ways of getting access to parts of the network that should be blocked.

"'Every password-based authentication mechanism in OS X has problems,' Stamos said. [Editor's Note: Emphasis mine.]
Interestingly, Stamos echoes the same key point we like to make about security: Security isn't just about protecting against technological attacks. It's also about protecting against social engineering attacks, too.
'Most people get malware because they intentionally install it,' he said. 'At an institution of thousands of employees, you have to assume that one of them is going to get tricked.'
And, it isn't even so much a question of getting tricked. It's also a question of accidental installations, too.

Who hasn't been typing away when suddenly you get some popup message from your OS or your web browser as you're typing in something else and you accidentally hit [space] or [enter] to the popup message as you're going?

"Oh crap. Did I just hit [OK] to something? What was that message?"

It happens.

And this, regardless of threats from government- or crime syndicate-funded viruses and crackers, is why the Mac--just like its PC brethren--does need antivirus software.

The ITWorld piece goes on to say how the attacks are much more commonplace than you might think. And there's research to back this up.
McAfee released a report saying that it had uncovered evidence of a sophisticated hacking operation that had broken into systems at more than 70 companies over the past five years.

"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion," wrote Dmitri Alperovitch, McAfee's vice president of threat research in a blog post.
Here's the thing, too. A lot of these companies are very sophisticated companies. Just take Google for example.

Most anyone would be hard pressed to come up with a more technologically adept company. Yet, they got hit with an APT attack.

The point being, if a highly sophisticated company can get hit, doesn't it stand to reason that you can, too? Even if you do run OS X?

As the iSEC researchers said so well in their PDF,
Bottom Line: Run your Macs as little islands on a hostile network.
Huh. I think that's great advice for PC users, too.


Windows XP: Still a Force to be Reckoned With

At the end of July 2011, Microsoft can say that Windows XP finally fell below the 50 percent mark. In other words, Redmond's decade-old operating system is now used by less than half of all Internet users.
So says a TechSpot bit about the current OS marketshare.

Our own site stats are a little different but show XP remains a force to be reckoned with. Here's what things look like for us compared to this time last year:

  Operating System       July 2010   July 2011   Percent Change (parentheses indicate a decline)
  Windows XP             46%         33%         (30%)
  Windows 7              32%         54%         69%
  Windows Vista          21%         12%         (41%)
  Windows Server 2003    0.5%        0.4%        (10%)
  Windows 2000           0.25%       0.1%        (60%)

As you can see with our own website stats, Windows 7 is, thankfully, the only Windows version increasing its marketshare compared to what we were seeing last year.

In contrast, all the others, especially Windows XP and old-as-dirt Windows 2000, are on the decline.

The much maligned Windows Vista is also on the decline, where we're seeing a 40% year-over-year drop in the percentage of users visiting our site who're running Vista.

Given as many complaints as Vista generated, it's understandable why folks are holding on to XP.

There's certainly--amongst a lot of consumers--a cloud of unease still looming over the Windows versions after XP. To a lot of consumers, if Vista was no good, what's so special about Windows 7?

And for that matter, what's so wrong with Windows XP that you've absolutely got to upgrade?

Let's be honest: Windows XP works. It's a good OS, and with Microsoft now promising to support it 'til 2014, it's going to take a lot to pry it from a lot of folks' hands, despite its having less baked-in, under-the-hood security than Windows 7.

Which is actually the only real reason to upgrade, frankly: Windows 7 has far better security within it than XP does. How's that?

Windows XP was definitely an improvement over Windows 98 and Windows 2000, for sure. Since then though with Vista and 7, Microsoft engineers spent a lot of time working on a truckload of new technologies to help the OS be a lot more resilient to attacks, web-based and otherwise.

Without getting into all the geek-speak, suffice it to say: it's safer. Even the way antivirus software communicates with Windows 7 has changed from the way it communicated with Windows XP. It's that different.

That said, we're realists, and from our perspective, Windows XP visitors still represent about one in three people to our site. A lot of things are keeping people on Windows XP, not the least of which is uncertainty about what upgrading to Windows 7 means.

For a lot of people, spending $20 or $30 for the best antivirus software, which they'd need with Windows 7 anyway, and getting another year or two out of their old PC makes a lot more financial sense than a large outlay of cash on a new PC or an OS upgrade.

Certainly, we ourselves are happy to help everyone running XP find the right antivirus software for their needs--it's still a LOT of people, and antivirus software companies are still definitely supporting XP.

In fact, we still do some of our antivirus software testing on Windows XP. Sure, our tests always center around Microsoft's latest OS, but we still test with XP also.

And from a security standpoint, I believe antivirus software companies will still be supporting Windows XP as long as Microsoft does.

Practically speaking, if Windows XP works, Microsoft is still supporting it, and you can still get antivirus and Internet security software for it, the only thing that will cause most people to upgrade is when they have a hardware failure or other reason to get a new PC.

In the mean time, remember to keep your OS and applications patched regardless of what version of Windows you're running.


YAAV (Yet Another Android Virus)

If anyone is under the impression that phones (or Macs for that matter) are immune from viruses, worms, trojans, and other malware, let's get one thing straight: you're wrong.

CA Security Researcher Dinesh Venkatesan spotted a new Android Trojan and gives the lowdown on how it works.

In this particular case, according to a NetworkWorld.com summary of this same Android Trojan it,
...records the actual phone conversations in AMR format and stores the recordings on the device's SD card.

"The malware also 'drops a "configuration" file that contains key information about the remote server and the parameters....'
OK, so it records the phone call. Big deal.

Oh, really.

There are a couple of outcomes to this, not the least of which is your phone's storage getting mysteriously chewed up.

Among other things, we have to look at this early cell phone malware and think of it as a new, budding, nascent industry, just like malware was in the '90s.

The bad guys are just starting to explore how to get into phones and what to do when they're there.

Recording calls is, if nothing else, research for them.

Just what do people talk about on their phones? And what can they learn listening to even a few dozen calls?

Is it possible to get usage patterns so stealing more valuable data could be possible?

What about stealing people's credit card numbers (oops, that has already shown up in Android malware) or breaking into their brokerage accounts, (oops, that has, too.)

The point being, it's a nascent industry, and if there's one thing the malware writers have shown, it's creativity.

Once they really begin to understand what's there, they'll figure out a way to make money from it. Big money.

And, as for the built-in safeguards from Android like those shown here in this screencap from the CA Dinesh Venkatesan blog, yes, they're there, but there are a couple of important points about these warnings.

Screenshot of Android Trojan: [Credit Dinesh Venkatesan, CA Security]

Just because they're there doesn't mean:
  1. They're being heeded.
  2. They're not accidentally authorized.
  3. They're not going to be completely circumvented tomorrow.
The bottom line: Android malware is here, it's real, it's no good, and it's only going to get worse.

And, yes, we're keeping a close eye on things. You can count on us to have some reviews soon.

We've seen some early previews of the new VIPRE Mobile, it looks great, and we'll be putting it--and other Android antivirus software--through the paces shortly.

In the mean time, if you're interested you can get your paws on the beta of VIPRE Android Antivirus now.