08/29/2011
Morto: Remote Desktop Connection Worm In the Wild, Spreading Actively
Co-Editor
For us antivirus folks, worms are among the most feared because of their ability to infect, spread, and replicate on their own.
This one is being dubbed "Morto," and what's so unique about it is it's the first one to use the Microsoft Remote Desktop Connection.
The only surprising thing to me is that it's taken so long for a worm of this type to surface. Remote Desktop gives you direct access to your desktop remotely, so if someone manages to break into your system via the Remote Desktop Service, it gives them direct access to your computer--as if they were working right on your desktop, albeit remotely.
This particular worm isn't exploiting any bugs in Windows or in Remote Desktop; rather, it's exploiting weak passwords, long the bane of good system administrators.
Further, it's attempting to gain access to the default "Administrator" login, giving it maximum permissions on the system. Thus, once it's in, the computer is fully compromised.
Our own networks are seeing this threat attempting to connect to our servers at a rate of about 10 attempts per second, so clearly, this is a threat to take seriously if you have machines that rely on TCP port 3389, the Remote Desktop port.
As for the passwords being attempted, F-Secure's post on the Morto Remote Desktop worm lists these as the passwords being used to attempt the break-ins:
- admin
- password
- server
- test
- user
- pass
- letmein
- 1234qwer
- 1q2w3e
- 1qaz2wsx
- aaa
- abc123
- abcd1234
- admin123
- 111
- 123
- 369
- 1111
- 12345
- 111111
- 123123
- 123321
- 123456
- 654321
- 666666
- 888888
- 1234567
- 12345678
- 123456789
- 1234567890
Here are our recommendations to keep this worm at bay:
- Change your password. Here's a how-to on choosing a good password.
- Rename your "Administrator" account. Since the worm targets the "Administrator" account by name, renaming it will help keep the worm at bay.
- Block access to TCP port 3389, if possible, or limit access only to IP addresses you trust.
- Make sure your antivirus software/Internet security software is up-to-date.
- Backdoor:W32/Morto.A
- Backdoor:W32/Morto.B
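The worm's behaviour described above leaves a recognisable trail on a target: a burst of failed Remote Desktop logons against one account from one source. The following detector is an added example, not code from the original post or from any vendor; it reads a simplified, constructed log format that carries the same fields as Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), and flags any source that fails a threshold number of RDP logons inside a sliding time window.

```python
# Added example, not part of the original post. Log lines are CONSTRUCTED in a
# simplified one-line form; real Windows Security events carry these fields
# (Event ID 4625, Logon Type 10, account name, source address) in XML/EVTX.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_LINES = [  # constructed sample: one brute-force source, one benign typo
    "2011-08-29 10:00:00 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:01 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:01 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:02 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:02 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:03 EventID=4625 LogonType=10 Account=Administrator SourceIP=203.0.113.7",
    "2011-08-29 10:00:30 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.2",
    "2011-08-29 10:00:35 EventID=4624 LogonType=10 Account=jsmith SourceIP=198.51.100.2",
    "2011-08-29 10:01:00 EventID=4625 LogonType=3 Account=Administrator SourceIP=203.0.113.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

def parse(line):
    """Parse one constructed log line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(m["eid"]), "lt": int(m["lt"]),
            "acct": m["acct"], "ip": m["ip"]}

def rdp_bruteforce_sources(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {source_ip: total_failures} for every source with at least
    `threshold` failed RDP logons (4625, type 10) inside any `window`.
    Network logons (type 3) and successes (4624) are ignored, so a single
    mistyped password from a legitimate user never trips the detector."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["eid"] == 4625 and ev["lt"] == 10:
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

At the rate quoted in the post (about 10 attempts per second) a Morto source crosses the default threshold well inside the first second; the same window logic works unchanged on events exported from the Security log once they are mapped to these five fields.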