
New Worm Morto Using RDP To Infect Windows PCs

Posted by timothy
from the my-heart-goes-out-to-you dept.
Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."
  • by jhoegl (638955) on Sunday August 28, 2011 @01:51PM (#37234952)
    A lot of IT uses RDP to access servers remotely. Terminal Services is also used heavily by companies.

    So I was wondering when someone would find and then use an exploit against them. It was only a matter of time :(.

    The good news is the damage may be minimal as it seems to only affect 2k3 R2 servers, at least that is what is reported. It may be all of 2k3 or all 2k3/2k8.
    • Re:Finally (Score:5, Informative)

      by jhoegl (638955) on Sunday August 28, 2011 @01:55PM (#37234984)
      Hmmmm, after reading the article, I do not see any actual exploit being used, and it is required that the server or account that was seemingly brute forced (only possible way) have some GPO allowances such as root C or D drive access and execute permissions on that drive.
      • Re:Finally (Score:4, Informative)

        by jhoegl (638955) on Sunday August 28, 2011 @02:00PM (#37235010)
        Yup, brute force... From a post in the linked thread

        And in my current knowledge, if you get infected, it means you have way too EASY PASSWORD. - Meitzi

        • Re:Finally (Score:4, Informative)

          by jhoegl (638955) on Sunday August 28, 2011 @02:02PM (#37235030)
          • Re:Finally (Score:5, Interesting)

            by jhoegl (638955) on Sunday August 28, 2011 @02:04PM (#37235052)
            Finally finally... LOL

            If you get hacked, you deserve it.

            Compromising Remote Desktop connections on a network: Port 3389 (RDP)
            Worm:Win32/Morto.A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems as administrator using passwords from the following list:

            *1234
            0
            111
            123
            369
            1111
            12345
            111111
            123123
            123321
            123456
            168168
            520520
            654321
            666666
            888888
            1234567
            12345678
            123456789
            1234567890
            !@#$%^
            %u%
            %u%12
            1234qwer
            1q2w3e
            1qaz2wsx
            aaa
            abc123
            abcd1234
            admin
            admin123
            letmein
            pass
            password
            server
            test
            user

            • by jayhawk88 (160512)

              Lol, I love it.

              666666
              888888

              No....not 777777. They'll be expecting that.

              Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

              • by KiloByte (825081)

                We still have people setting local admin passwords to "admin" and 123?

                There's more of them than those with reasonable passwords. I'm not counting those with medium strength [xkcd.com] in either group.

                Seriously, "common sense" is not so common nowadays. And from what I see, the quality of passwords is actually going down.

              • If we haven't wiped ourselves out by the year 10,000, there will still be people using passwords like that. Even the equivalent to today's "security experts" will be caught now and then with idiotic passwords.

                We claim to be intelligent, but sometimes the evidence makes that lie.

              • by Lumpy (12016)

                It's just a silent commentary as to the quality of MCSE's thrown into a server administration role.

                Most guys that are worth their salt demand silly salaries like $60,000-$90,000US a year instead of the new ITT grad that will accept $35,000 a year.

                Again, you get what you pay for. and companies pay for 666666 as a server password.

                • by Kalriath (849904)

                  Flamebait much? (And I have mod points, just preferred not to use 'em).

                  Someone having an MS qualification does not make them a bad sysadmin. There are equally shitty Unix sysadmins out there. A stupid sysadmin is a stupid sysadmin no matter who issued their certificate.

                  • Flamebait much? (And I have mod points, just preferred not to use 'em).

                    Someone having an MS qualification does not make them a bad sysadmin.

                    He didn't say that having an MS cert makes someone a bad sysadmin. Touchy, aren't we? :-)

                    • by Kalriath (849904)

                      "It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".

                      No, actually, he did say that having an MS cert makes someone a bad sysadmin.

                    • "It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".

                      No, actually, he did say that having an MS cert makes someone a bad sysadmin.

                      Not all, just the ones thrown into it - presumably the ones eased gently into it with the aid of a mentor and possibly supported by organisational processes aren't the bad admins. I grokked the final 6 words as a qualifier - sort of the same thing as saying "It's a silent commentary as to the quality of slashdot participants responding without RTFA".

                      But, meh - Tah-mah-toe, tah-may-toe I guess :-)

              • by hairyfeet (841228)

                I'm shocked they don't have the two moron passwords I saw plenty in the wild, which are ASD123asd and p@ssw0rd. You'd be surprised how many times I saw total dumbshit passwords like that. I'd try to tell the admins but finally gave up because every time I saw truly dumbshit passwords like that it was because the admin was a BOFH and had set some insane password requirements without thinking of the users.

                But the fact that yes its 2011 and those passwords work show a trend I've been saying for awhile now, tha

              • by EdIII (1114411)

                Lol, I love it.

                666666
                888888

                No....not 777777. They'll be expecting that.

                Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

                Dude... I am crying right now with how hard I am laughing. I might pee myself.

                I swear, I absolutely swear that I had a user so.... "inept" and "unsmart" that the only password the user could remember was 7777777. I'm not kidding. He was management and had problems remembering people's names. We tried giving him different passwords, especially on other systems, and it spawned endless IT calls for help with his password. I mean simple passwords, like grouped names.

                Nope. Could not handle it. Other thi

            • by Inda (580031)
              Seems a strangely short list.

              No "god"? No "love"?

              Why not 100 or 1000 common passwords?
              • by X0563511 (793323)

                Seems to be working, which is both depressing and scary.

              • by rtb61 (674572)

                Logic has it that you could use more than one configuration of worm. In fact you could use thousands all with different combinations of passwords. You take the assumption that a very lazy tech company will grab one worm, do an analysis and stop there, leaving many many potential other victims out there thinking they are safe.

                Still such a short list seems pointless unless of course relying on a particular tech company's laziness and willingness to blame users for everything, to mass market a false sense o

                • by adolf (21054)

                  We had a few accounts compromised on public-facing *nix host, once.

                  The reason? The person doing admin had set up a whole bunch of accounts with "phone" as a password. To say that I was surprised at this level of incompetence is a bit of an understatement.

                  His defense? "Well, that's what the boss told me to do."

                  Me: "Did you bother trying explain to him just how bad of an idea that was?"

                  Him: "No."

                  The mess was easy for me to clean up. And since then, the passwords are much harder. And after the dude res

            • by Dunbal (464142) *
              omg and I thought my password was weak, it's ********
            • by fostware (551290)

              Depends on how many sysadmins double-check the *local* administrator account - not just the domain admin's.

              Once won a customer while doing the presentation, just by demonstrating that there's a local account too. Just happened to hit enter on their TS and lo-and-behold straight in. SBS and Domain controllers don't allow the option of a local admin, but member servers are sometimes easy game.

          • Re:Finally (Score:5, Informative)

            by Anonymous Coward on Sunday August 28, 2011 @04:15PM (#37235982)

            This is not the complete list of what happens.

            I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.

            MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.

            I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.

            The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.

            Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
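            The scanning behaviour described above (one infected host hammering its own /24 and the neighbouring /24s on 3389) is detectable on the network side. The following is an added example, not code from the post or from any vendor: it counts distinct 3389 targets per source over a constructed firewall log in a hypothetical "SRC= DST= DPT=" format and flags sources with high fan-out, also listing which /24 networks they touched.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical log format; adapt the regex to whatever your firewall emits.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")


def constructed_log():
    """Constructed sample lines (not real captured traffic)."""
    lines = []
    scanner = "10.10.10.15"
    # One infected host sweeping its own /24 and the two neighbouring /24s on 3389.
    for third, count in ((10, 8), (9, 5), (11, 5)):
        for last in range(1, count + 1):
            lines.append(f"2011-08-28 16:05:{last:02d} SRC={scanner} DST=10.10.{third}.{last} DPT=3389")
    # Same host talking SMB to one file server: not RDP, must not be counted.
    lines.append(f"2011-08-28 16:06:00 SRC={scanner} DST=10.10.10.2 DPT=445")
    # A legitimate admin opening a single RDP session.
    lines.append("2011-08-28 16:06:10 SRC=10.10.10.40 DST=10.10.10.7 DPT=3389")
    return lines


def rdp_fanout(lines, port=3389):
    """Per-source stats: distinct targets contacted on `port` and the /24
    networks those targets fall in."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dpt")) != port:
            continue
        targets[m.group("src")].add(ip_address(m.group("dst")))
    stats = {}
    for src, dsts in targets.items():
        nets = {ip_network(f"{d}/24", strict=False) for d in dsts}
        stats[src] = {"targets": len(dsts), "subnets": [str(n) for n in sorted(nets)]}
    return stats


def flag_scanners(stats, min_targets=10):
    """Sources that contacted at least `min_targets` distinct hosts on the port."""
    return sorted(src for src, s in stats.items() if s["targets"] >= min_targets)


if __name__ == "__main__":
    stats = rdp_fanout(constructed_log())
    for src in flag_scanners(stats):
        print(f"{src}: {stats[src]['targets']} RDP targets across {', '.join(stats[src]['subnets'])}")
```

            The threshold is deliberately on distinct destinations rather than total packets, since a single admin reconnecting repeatedly to one server produces many packets but only one target; the subnet list makes the "adjacent /24" pattern visible at a glance.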

            • I'm just bloody glad I shut down all external access to RDP. For a few years I was opening up RDP for some users who worked from home, but after seeing someone trying hundreds of times to get in to RDP via an Eastern European IP address I finally closed it down and require anyone wanting to use RDP to do it via our VPN.

              • by Lumpy (12016)

                You should also already have DROP rules for all IP addresses coming from outside countries you don't have workers in already.

                We don't have any Asian, Eastern or Russian workers so I block all those countries in the firewall. It reduces risk and traffic significantly.

                I also have the firewall add a 24 hour drop rule for any IP address that attempts a connection and gets a rejection more than 5 times to a port in 20 minutes.

                Passwords are your second line of defense, your firewall is your first.

            • Simply having 3389 open isn't inherently bad. It's when you allow retarded admins who allow access to that port through the internet and use ridiculously simple passwords on accounts that are given remote login rights AND are exempt from the bad password lockouts.

            • Being infected doesn't mean that it happened because of an opened port 3389. I have never heard of an exploit that can run arbitrary code simply due to an open RDP listener. I would imagine such a thing to be possible on VNC far before RDP, given the attention to security that RDP has gotten over the last 10 years.

        • How many Windows boxes do not have way too easy a password?

      • actually once you have rdp access privilege escalation is pretty trivial as you can access the command line regardless of local and group policies by exploiting a flaw in how command line switches are handled.
        • Having access to the commandline =/= privilege escalation.

          Care to explain how you can go from "domain user" or "Remote user" to "domain administrator", with commandline access, on server 2003 or server 2008? I'm sure a LOT of people would be interested to hear this.

          • once you have access to the command line you can then use it to transfer exploitable code to the windows temporary folder. This puts an attack vector in place. Disconnect, then reconnect with the command to execute your payload - this command is executed before policies are enforced. tah-dah.
    • by louarnkoz (805588)
      Microsoft's analysis is published at: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com]

      The list of passwords that the worm tries is interesting. Apart from the obvious abc123 and the like, the worm tries "RavMonD" and "zhudongfangyu". Is that a clue? Some Chinese homage to the bazaar?

      • by bwintx (813768)
        TFA article lists "RavMonD" and "zhudongfangyu" as processes the worm tries to stop, not as passwords it attempts.

        Terminates processes
        Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

  • by Anonymous Coward on Sunday August 28, 2011 @01:55PM (#37234986)

    Read about Morto and it says it spreads by trying common passwords such as the following:
    When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

      admin
      password
      server
      test
      user
      pass
      letmein
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin123
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890

  • by mkraft (200694) on Sunday August 28, 2011 @02:01PM (#37235016)

    From what I've read [f-secure.com], the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.

    • by FlavorDave (109495) on Sunday August 28, 2011 @02:07PM (#37235074) Homepage

      Since RDP is a necessary evil for administering remote windows PCs at least change the fracking port...

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

      • by Culture20 (968837)
        And use an auto-lockout system or auto-firewall (if one exists) like fail2ban. Windows log parsing and firewall can be scripted, but I don't know if anyone's bothered.
        • It is already possible to do something like "after 10 failed attempts in 2 minutes, lock account for 5 minutes". Very unlikely to be an inconvenience, but good luck bruteforcing @ 1 attempt every 12 seconds.

          It does raise the potential for a type of administrative DDOS, of course, but presumably knowing that there is an attack is better than not knowing.
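          The "N failures in M minutes, lock for K minutes" policy from the comment above, as an added example (not code from the post, from fail2ban or from any Windows feature): a sliding-window lockout keyed on the source address rather than the account, so a guessing source is cut off without the legitimate Administrator account being locked out, which is the administrative DoS the comment raises. It assumes failed logons have already been extracted from Windows Security event 4625 into (time, source IP, account, logon type) tuples; the sample records are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in Windows Security event 4625


def constructed_failures():
    """Constructed sample of failed-logon records (hypothetical, not real data)."""
    base = datetime(2011, 8, 28, 13, 50, 0)
    events = []
    # worm-like source: one failure every 5 seconds against Administrator
    for i in range(12):
        events.append((base + timedelta(seconds=5 * i), "10.10.9.23", "Administrator", RDP_LOGON_TYPE))
    # same source, a network (type 3) failure an RDP-only policy should ignore
    events.append((base + timedelta(seconds=32), "10.10.9.23", "Administrator", 3))
    # a real admin mistyping twice, minutes apart: must never be locked out
    events.append((base + timedelta(minutes=1), "10.10.10.40", "Administrator", RDP_LOGON_TYPE))
    events.append((base + timedelta(minutes=4), "10.10.10.40", "Administrator", RDP_LOGON_TYPE))
    # worm source comes back after the lock has expired
    for i in range(3):
        events.append((base + timedelta(minutes=7, seconds=5 * i), "10.10.9.23", "Administrator", RDP_LOGON_TYPE))
    return sorted(events)


class SourceLockout:
    """Lock a source address after max_failures within `window`, for `lock_for`."""

    def __init__(self, max_failures=10, window=timedelta(minutes=2), lock_for=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.recent = defaultdict(deque)  # source -> timestamps of recent failures
        self.locked_until = {}            # source -> datetime the lock expires
        self.lockouts = []                # (source, locked_at, locked_until) as strings

    def observe(self, ts, source, account, logon_type):
        if logon_type != RDP_LOGON_TYPE:
            return "ignored"
        until = self.locked_until.get(source)
        if until is not None and ts < until:
            return "blocked"  # attempt arrived while the source was locked
        q = self.recent[source]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop failures older than the window
        if len(q) >= self.max_failures:
            self.locked_until[source] = ts + self.lock_for
            fmt = "%Y-%m-%d %H:%M:%S"
            self.lockouts.append((source, ts.strftime(fmt), (ts + self.lock_for).strftime(fmt)))
            q.clear()
            return "locked"
        return "counted"


def run_policy(events, **kwargs):
    """Feed events (sorted by time) through the policy; return a summary."""
    policy = SourceLockout(**kwargs)
    outcomes = Counter(policy.observe(*e) for e in events)
    return {"lockouts": policy.lockouts, "outcomes": dict(outcomes),
            "locked_sources": sorted(policy.locked_until)}


if __name__ == "__main__":
    summary = run_policy(constructed_failures())
    for src, start, end in summary["lockouts"]:
        print(f"{src} locked from {start} until {end}")
    print(summary["outcomes"])
```

          Note the window is pruned on every observation, so two typos minutes apart never accumulate, and a source that returns after its lock expires starts from a clean count.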

      • by rubycodez (864176)
        nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port
        • by 0123456 (636235) on Sunday August 28, 2011 @02:43PM (#37235296)

          nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

          Of course if you're serious about security then a port-scan would be logged and blocked. They'd need to compromise multiple machines or scan at a very slow rate in order to be able to get past such a firewall.

          • by KiloByte (825081)

            The whole point of a worm is that they have multiple machines.

            • Re: (Score:2, Informative)

              by 0123456 (636235)

              The whole point of a worm is that they have multiple machines.

              Not on my internal network.

              And if you have RDP open to the Internet you're so retarded there's no saving you.

          • by drinkypoo (153816)

            Of course if you're serious about security then a port-scan would be logged and blocked.

            Really? Only if I either run a software firewall more complex than the one that comes with Windows, or put each machine on its own VLAN and route between them on the switch, and then use some detection software triggered from there...

            The threat here is that one machine will be infected by whatever means and then infect other machines on the same LAN, because nobody's firewall is going to pass RDP anyway.

          • If they're targeting you specifically, they will do such a slow scan, and be changing IPs. Changing the port is enough to lower your profile and make you less conspicuous, but it's not a serious safeguard.

        • Would you rather have 1000 bots attacking a server or 900? Obviously in a perfect world we would cut it down to 0, but eliminating scripted attacks on poorly secured servers is better than doing nothing.
        • You're correct, but most worms don't try to scan every port. They need to quickly find their next target, and scanning for one port is much quicker than for over 65,000 of them.

          Also, remember they're looking for total dumbasses that put things like "admin" as their password. Pretty sure that people that run RDP on port 6384 don't have trivial passwords.

        • by bloodhawk (813939)
          Why would any competent admin be allowing port scans to hit their servers? They invented this cool thing a little while ago called a firewall.
      • Good idea. I agree. I switch ports for things, too. Helps to avoid worms. But...

        Scanned at 2011-08-28 11:37:25 PDT for 54s
        PORT STATE SERVICE VERSION
        3390/tcp open microsoft-rdp Microsoft Terminal Service

        It's still possible to see where your RDP port is. So a dedicated attacker or a port-scanning worm (I'd be amused to see one of those) uncovers your hide.

        What about adding port knocking?

      • by Nemyst (1383049)

        I wanted to do that so I could remote to my home PC from university... The firewall there blocks all ports except 3389 and a few others like 21 or 80.

        Security impeding security, wee!

        • by omglolbah (731566)

          Set up SSH, you can do port tunneling that way.

          I have port 443 on my server set up to accept SSH, that way I can get through 99% of 'work' type firewalls and get to my stuff :)

      • by sgt scrub (869860)

        If someone uses 12345 for the password do you really think they would have the slightest clue as to what your post means? You need to spell it out for them using baby talk. 1) double clicky on the....

      • Or instead do you just use strong passwords?

        That is what the issue with this worm is: Weak passwords. Go read the MS doc and see just how weak I'm talking about: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com].

        This kind of shit affects SSH as well. We periodically whack IPs in China that beat on our SSH servers. They try the same password list over and over, they aren't sophisticated, just looking for weakly passworded stuff.

        The answer isn't to move the po

        • by jedidiah (1196)

          Been using fail2ban for YEARS to automatically detect and ban brute force ssh cracking attempts. ...before I knew about fail2ban, I had my own homegrown script that did the same thing. Was pretty easy to cook up too.

        • This kind of shit affects SSH as well.

          Only if you're dumb enough to actually use passwords for SSH. Does RDP even *support* encryption keys? (honest question)

      • You could also simply do a static port mapping, if your firewall/router supports it, to change which external port is natted to your server. Tends to be a lot easier than trying to keep track of scads of servers and which port is which pc.

        But generally, if I'm allowing straight up RDP access to the server, there is a strong password in place; changing the port won't stop a detailed scan, which would pick up "RDP" pretty quick. There's not much substitute for a good password, port changing just stops simple w

    • Someone else linked to the MS info on it: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com] and it just goes and tries weak passwords... EXTREMELY weak passwords. Also looks like Vista/7 2008/2008R2 are default secure since it tries against "administrator" which is not an account you can actually log in as if UAC is on.

      So as long as your password isn't monkey-fuck retardedly easy, should be a non-issue. If it is this weak, well then you really need to get a be

    • by jedidiah (1196)

      Sounds like the sort of thing that you might expect to happen and even guard against with things like fail2ban or a homegrown script that does the same thing.

      You would also need to correctly guess a suitable user account too.

  • by Pop69 (700500) <billy@benart y . co.uk> on Sunday August 28, 2011 @02:19PM (#37235134) Homepage
    If IT and users are connecting to a bare open RDP port then someone fucked up along the way.

    Do it right, require a VPN connection before you allow an RDP connection.
    • by jhoegl (638955)
      Maybe, but I wouldn't want an end user's virused system to have access to my networks or servers.

      RDP offers better limitations to it.
      True, you could close off every port but 3389 to the VPN, you could limit access to only one server, but then the requests start coming in...
      Besides, wouldnt an SSL RDP session be more viable?
      • RDP is already encrypted as of 2003 server (via TLS)... though you don't get client-keys... the issue here is weak passwords, the same issue exists for SSH, short of client keys.
      • by Kalriath (849904)

        SSL RDP? Oh, right - Remote Desktop Gateway. Yes, that's possible as of 2008 Server. Essentially tunnels a Remote Desktop connection over HTTPS, with certificate validation and stuff. Theoretically, you can also configure (as of 2003 I think) your remote desktop connection to use Smart Cards to authenticate rather than passwords... you see where this is going.

        • Weird. Slashdot lets positive contributors disable ads, but not financial contributors.

          That's because if they did, you could simply pay for the right to be an asshole.

          (I know, I know....you can still be an asshole with ads.....)

    • by rubycodez (864176)
      what if an admin dumb enough to choose 1234546 also gives everyone and their Aunt Tilly the certificates and keyfile for the VPN by plain email?
    • Do it right, require a VPN connection before you allow an RDP connection.

      Why exactly do you think that increases security? Most VPNs that I've seen use the AD domain password which means once the attacker gains access to the VPN, they can access all the network shares, terminal servers, whatnot. You are equally f'ed in both cases. Also, the current RDP implementation uses TLS which is stronger than e.g. PPTP's RC4, still widely used because it's so easy to set up.

      I see this stupidity all the time: you are required to connect to a PPTP VPN, with access to the company LAN to boot

    • Um, VPN connection can be bruteforced too. Why is it more secure to offer a service to the internet which grants access to the whole network, than to open a service which grants access to one machine?

      I'm not really clear on this. RDP uses SSL and is generally regarded as secure. You can easily limit the rate at which passwords can be tried. Please, explain.

  • by Opportunist (166417) on Sunday August 28, 2011 @02:57PM (#37235394)

    Insecure admin passwords allow remote connections and lead to compromised computers. More details after the film.
