The latest Internet worm targeting Windows Remote Desktop Protocol attacks the lowest-hanging fruit: weak administrator passwords. A tip: "letmein" is not a good password.
A new worm, called "Morto," has
been infecting machines via Remote Desktop Protocol on Windows machines,
according to security researchers.
Morto is the first Internet
worm to use RDP as an infection vector, Mikko Hypponen, the chief research
officer of F-Secure, wrote Aug. 28 on the F-Secure News from
blog. Unlike previous automated worms such as CodeRed, Blaster,
Sasser and Slammer, which wreaked havoc on enterprise networks, this worm does
not exploit any specific Windows vulnerability. Instead, it looks for machines
on the network with port 3389, used by RDP and then tries to brute-force the
password to take over the machine, Hypponen said.
Marc Maiffret, CTO of eEye
Digital Security called Morto a "silly worm" on eEye's
blog. Morto "appears to simply attempt to compromise
systems by trying ~30 common passwords for the Windows Administrator account
over RDP," Maiffret said.
Some of the passwords on its
list include admin, admin123, user, test, *1234, letmein, password, server and
1234567890, according to an entry on Microsoft's
Malware Protection Center
(MMPC). Once the worm figures out the weak
password, it connects to the remote system and copies itself. Several Morto
have already been identified.
The malware consists of an
installer and a library component that execute the payload, Microsoft wrote on
the MMPC page. The installer is a dropper file that executes itself and
installs a dynamic link library (DLL) into the Windows directory. The malicious
DLL file has the same name as one used by the Registry Editor and contains
encrypted configuration information that is executed to download and run at
least three additional components.
The worm is successfully
infecting machines that are completely patched and on clean installations of
Windows Server 2003, according to several posts on Windows help forums. Morto
appears to have infected machines running Windows Server 2003, Windows XP and
Windows 7 so far.
SANS Institute noticed a
spike in traffic traveling on port 3389, which is used by RDP, a few weeks ago
and concluded there was an increase of infected hosts looking to exploit other
machines with RDP enabled. Once a system has been successfully infected, Morto
scans the local network for even more workstations and servers to infect. The
worm also generates a lot of traffic similar to a botnet, receiving commands
and downloading files from a command-and-control server and running DNS
queries, Microsoft found. Also like a botnet, Morto can be controlled remotely,
and researchers have identified multiple servers around the world.
"Although the overall
numbers of computers reporting detections are low in comparison to more
established malware families, the traffic it generates is noticeable,"
wrote Hil Gradascevic, a researcher with the Microsoft Malware Protection
It can also perform
denial-of-service attacks against targets specified by the perpetrator,
Microsoft said. In fact, it runs a "quick DoS test" against an IP
address belonging to Google, wrote security researcher Mila
Parkour on the Contagio Malware Dump
blog. Google won't "feel"
the DDoS test as it is not really an attack on Google, Parkour said.
Since it spreads through the
local area network, Parkour noted that even a virtual machine with the worm can
spread it to other VMs and physical machines on the LAN. "Take appropriate
measures to prevent it from spreading," she said.
Morto also terminates
processes for locally running security applications so that it can't be
detected, said Gradasevic. Affected services include antivirus tools from
Avast, AVG, Clam AV, McAfee and Norton, among others.
It appears to take advantage
of systems "not complying to best practices," wrote Kevin Shott, an
incident handler at SANS Institute's Internet Storm Center. Not having a strong
password for the administrator account is the most glaring violation.
Administrators should also never allow RDP directly from the Internet, Maiffret
said. At the very least, VPN authentication should be required before gaining
access, he said. Administrators can also thwart Morto by simply running RDP on
a non-standard port, according to Maiffret.
"This particular worm
highlights the importance of setting strong system passwords," said
Microsoft's Gradascevic. "The ability of attackers to exploit weak
passwords shouldn't be underestimated."