New Worm Morto Using RDP To Infect Windows PCs 200
Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."
Re:Finally (Score:5, Informative)
Poor Passswords are the problem (Score:3, Informative)
Read about Morto and says it spreads by trying common passwords such as the following:
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:
admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890
Re:Finally (Score:4, Informative)
And in my current knowledge, if you get infected, it means you have way too EASY PASSWORD.- Meitzi
A non-issue for people who use strong passwords (Score:5, Informative)
From what I've read [f-secure.com], the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though flood of RDP access requests could amount to a denial of service attach.
Re:Finally (Score:4, Informative)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A [microsoft.com]
...or that hate default ports... (Score:4, Informative)
Since RDP is a necessary evil for administering remote windows PCs at least change the fracking port...
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
Require a VPN connection (Score:4, Informative)
Do it right, require a VPN connection before you allow an RDP connection.
Re:Infecting Windows -- Too Easy (Score:5, Informative)
This same thing can happen with SSH, FTP, and any other service that uses password authentication.
In Linux, you install "fail2ban" to slow down brute force attempts.
In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.
In all systems, you use more complex passwords or two-factor authentication to avoid this.
PS: This is only affecting idiots.
Re:Poor Passswords are the problem (Score:5, Informative)
I generally agree that moving well know services to alternate ports is a waste of time at best and a headache at worst, for most services.
Port scanners should not be effective tools in a high security environment though. You should have and IDS that can detect a scan, even if its a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts. In which there may be value in moving hi-value targets like administrative interfaces to lesser know ports, generally legitimate people using those interfaces won't be terribly inconvenienced.
Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever, certainly yes. If your common threat model really includes that guy though you really operating in a different reality than most of us; for the rest snort, iptables and some shell scripts, or {pick commercial vendor solution} here goes a long way.
In 1997 and unprotected host was not good enough anymore, you needed a firewall
In 2000 you needed a stateful firewall
In 2005 you needed a application layer firewall
Its 2011 you need IDS / IPS
The arms race continues....
Re:...or that hate default ports... (Score:2, Informative)
The whole point of a worm is that they have multiple machines.
Not on my internal network.
And if you have RDP open to the Internet you're so retarded there's no saving you.
Re:Finally (Score:5, Informative)
This is not the complete list of what happens.
I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.
MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.
I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.
The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.
Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.