
New Worm Morto Using RDP To Infect Windows PCs

Posted by timothy
from the my-heart-goes-out-to-you dept.
Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."

  • Re:Finally (Score:5, Informative)

    by jhoegl (638955) on Sunday August 28, 2011 @01:55PM (#37234984)
    Hmmmm, after reading the article, I do not see any actual exploit being used, and the server or account that was seemingly brute forced (only possible way) is required to have some GPO allowances such as root C or D drive access and execute permissions on that drive.
  • by Anonymous Coward on Sunday August 28, 2011 @01:55PM (#37234986)

    I read about Morto, and it says it spreads by trying common passwords such as the following:
    When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

      admin
      password
      server
      test
      user
      pass
      letmein
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin123
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890

  • Re:Finally (Score:4, Informative)

    by jhoegl (638955) on Sunday August 28, 2011 @02:00PM (#37235010)
    Yup, brute force... From a post in the linked thread

    And in my current knowledge, if you get infected, it means you have a way too EASY PASSWORD. - Meitzi

  • by mkraft (200694) on Sunday August 28, 2011 @02:01PM (#37235016)

    From what I've read [f-secure.com], the worm isn't using an exploit. It's simply trying to log in using a set of common and easy-to-guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.

  • by FlavorDave (109495) on Sunday August 28, 2011 @02:07PM (#37235074) Homepage

    Since RDP is a necessary evil for administering remote Windows PCs, at least change the fracking port...

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

  • by Pop69 (700500) on Sunday August 28, 2011 @02:19PM (#37235134) Homepage
    If IT and users are connecting to a bare open RDP port then someone fucked up along the way.

    Do it right, require a VPN connection before you allow an RDP connection.
  • by magamiako1 (1026318) on Sunday August 28, 2011 @02:43PM (#37235294)
    This has nothing to do with "hacking windows". This has everything to do with brute forcing passwords.

    This same thing can happen with SSH, FTP, and any other service that uses password authentication.

    In Linux, you install "fail2ban" to slow down brute force attempts.

    In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.

    In all systems, you use more complex passwords or two-factor authentication to avoid this.

    PS: This is only affecting idiots.
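One way to implement the lockout/fail2ban-style check magamiako1 describes, as an added example that is not from the thread or from any of the tools named: Python over constructed Windows Security log records (Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The CSV line format, the sample addresses and the threshold/window values are assumptions; the logic blocks a source after a burst of RDP failures and flags any success from an already-blocked source, the pattern a password-guessing worm leaves when a weak Administrator password finally hits.

```python
"""Detect RDP password-guessing bursts in Windows Security log records."""
from collections import defaultdict, deque

# Constructed sample log (not from the page). Each line is
# "<epoch>,<event_id>,<logon_type>,<account>,<source_ip>".
# 203.0.113.7 hammers Administrator and then gets in; 198.51.100.4 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
1314539700,4625,10,Administrator,203.0.113.7
1314539701,4625,10,Administrator,203.0.113.7
1314539702,4625,10,Administrator,203.0.113.7
1314539703,4625,10,Administrator,203.0.113.7
1314539704,4625,10,Administrator,203.0.113.7
1314539705,4624,10,Administrator,203.0.113.7
1314539710,4625,10,jdoe,198.51.100.4
1314539730,4624,10,jdoe,198.51.100.4
"""

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10


def parse(line):
    ts, event_id, logon_type, account, src = line.split(",")
    return int(ts), int(event_id), int(logon_type), account, src


def analyze(log, threshold=5, window=60):
    """Return (blocked, suspicious).

    blocked:    {source_ip: epoch at which the source crossed `threshold`
                 RDP failures inside `window` seconds}  (lockout / ban)
    suspicious: [(source_ip, account, epoch)] for successful RDP logons
                 from a source that was already blocked (likely compromise)
    """
    fails = defaultdict(deque)  # source_ip -> timestamps of recent failures
    blocked, suspicious = {}, []
    for line in log.splitlines():
        ts, eid, ltype, account, src = parse(line)
        if ltype != RDP_LOGON_TYPE:  # only RDP logons matter here
            continue
        recent = fails[src]
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if eid == FAILED_LOGON:
            recent.append(ts)
            if len(recent) >= threshold and src not in blocked:
                blocked[src] = ts
        elif eid == SUCCESS_LOGON and src in blocked:
            suspicious.append((src, account, ts))
    return blocked, suspicious
```

In production the same logic would feed the firewall or the account lockout policy instead of returning a dict, and the window should be tuned so a single typo from a real user (as with jdoe above) never trips it.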
  • by DarkOx (621550) on Sunday August 28, 2011 @02:58PM (#37235402) Journal

    I generally agree that moving well known services to alternate ports is a waste of time at best and a headache at worst, for most services.

    Port scanners should not be effective tools in a high security environment though. You should have an IDS that can detect a scan, even if it's a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would-be attackers to run a port scan against your hosts. In which case there may be value in moving high-value targets like administrative interfaces to lesser known ports; generally legitimate people using those interfaces won't be terribly inconvenienced.

    Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever? Certainly yes. If your common threat model really includes that guy though, you're really operating in a different reality than most of us; for the rest, snort, iptables and some shell scripts, or {pick commercial vendor solution} here goes a long way.

    In 1997 an unprotected host was not good enough anymore, you needed a firewall
    In 2000 you needed a stateful firewall
    In 2005 you needed an application layer firewall
    It's 2011, you need IDS / IPS
    The arms race continues....

  • by 0123456 (636235) on Sunday August 28, 2011 @03:39PM (#37235740)

    The whole point of a worm is that they have multiple machines.

    Not on my internal network.

    And if you have RDP open to the Internet you're so retarded there's no saving you.

  • Re:Finally (Score:5, Informative)

    by Anonymous Coward on Sunday August 28, 2011 @04:15PM (#37235982)

    This is not the complete list of what happens.

    I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.

    MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the ARP caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.

    I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.

    The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.

    Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
