
‘Morto’ Worm Invades Via Weak Windows Passwords

A new worm, called “Morto”, has been infecting machines via Remote Desktop Protocol on Windows machines, according to security researchers.

Morto is the first Internet worm to use RDP as an infection vector, Mikko Hypponen, the chief research officer of F-Secure, wrote on 28 August on the F-Secure News from the Lab blog. Unlike previous automated worms such as CodeRed, Blaster, Sasser and Slammer, which wreaked havoc on enterprise networks, this worm does not exploit any specific Windows vulnerability. Instead, it scans for machines with TCP port 3389, the port used by RDP, open and then tries to brute-force the login password to take over the machine, Hypponen said.

‘Silly worm’

Marc Maiffret, CTO of eEye Digital Security called Morto a “silly worm” on eEye’s Security In-Focus blog. Morto “appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP,” Maiffret said.

Passwords on its list include admin, admin123, user, test, *1234, letmein, password, server and 1234567890, according to an entry on Microsoft’s Malware Protection Centre (MMPC). Once the worm guesses the weak password, it logs on to the remote system over RDP and copies itself there. Several Morto variants have already been identified.

The malware consists of an installer and a library component that execute the payload, Microsoft wrote on the MMPC page. The installer is a dropper file that executes itself and installs a dynamic link library (DLL) into the Windows directory. The malicious DLL file has the same name as one used by the Registry Editor and contains encrypted configuration data that is used to download and run at least three additional components.

The worm is successfully infecting machines that are completely patched and on clean installations of Windows Server 2003, according to several posts on Windows help forums. Morto appears to have infected machines running Windows Server 2003, Windows XP and Windows 7 so far.

SANS Institute noticed a spike in traffic on port 3389, the RDP port, a few weeks ago and concluded that a growing number of infected hosts were looking for other machines with RDP enabled. Once a system has been successfully infected, Morto scans the local network for more workstations and servers to infect. The worm also generates a lot of botnet-like traffic, receiving commands and downloading files from a command-and-control server and running DNS queries, Microsoft found. Also like a botnet, Morto can be controlled remotely, and researchers have identified multiple command-and-control servers around the world.
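Both behaviours described above, the burst of failed RDP logons followed by a success when a password on the list fits, and the fan-out of one infected host probing its neighbours on port 3389, are easy to spot in logs that most estates already keep. The following is an added example written for this page, not code from the article, Microsoft, SANS or any vendor it quotes. It assumes Windows Security events exported as dictionaries with the fields EventID, LogonType, IpAddress, TargetUserName and TimeCreated (ISO 8601), flow records as dictionaries with src, dst, dport and ts, and the thresholds and all sample records are constructed for the demonstration.

```python
"""Two detections for Morto-style RDP activity (added example, constructed data).

Assumed inputs (not from the article):
  events: dicts with EventID, LogonType, IpAddress, TargetUserName, TimeCreated
          (ISO 8601), as a Windows Security log export would provide them.
  flows:  dicts with src, dst, dport, ts (ISO 8601), as a firewall or NetFlow
          export would provide them.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # Windows logon type 10: RDP / Terminal Services
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag a source that produces >= threshold failed RDP logons inside a sliding
    window, and escalate if the same source later logs on successfully (the
    worm's 'password guessed, now copy itself over' step)."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != LOGON_TYPE_REMOTE_INTERACTIVE:
            continue
        src = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == EVENT_LOGON_FAILED:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, len(q)))
        elif ev["EventID"] == EVENT_LOGON_SUCCESS and src in flagged:
            alerts.append(("rdp_bruteforce_success", src, ev["TargetUserName"]))
    return alerts


def detect_rdp_scanners(flows, min_targets=20, window=timedelta(minutes=10)):
    """Return {source: peak distinct destinations} for sources that reach at least
    min_targets distinct hosts on TCP/3389 inside a sliding window."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] == RDP_PORT:
            per_src[f["src"]].append((datetime.fromisoformat(f["ts"]), f["dst"]))
    scanners = {}
    for src, recs in per_src.items():
        recs.sort()
        q, live = deque(), Counter()      # window contents, per-destination counts
        for ts, dst in recs:
            q.append((ts, dst))
            live[dst] += 1
            while q and ts - q[0][0] > window:
                _, old = q.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            if len(live) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(live))
    return scanners


def sample_events():
    """Constructed: one host works a ~30-word list against Administrator and gets
    in; an admin's own workstation mistypes a password twice (below threshold)."""
    base = datetime(2011, 8, 28, 12, 0, 0)
    ev = []
    for i in range(30):
        ev.append({"EventID": EVENT_LOGON_FAILED, "LogonType": 10, "IpAddress": "10.0.0.5",
                   "TargetUserName": "Administrator",
                   "TimeCreated": (base + timedelta(seconds=4 * i)).isoformat()})
    ev.append({"EventID": EVENT_LOGON_SUCCESS, "LogonType": 10, "IpAddress": "10.0.0.5",
               "TargetUserName": "Administrator",
               "TimeCreated": (base + timedelta(seconds=125)).isoformat()})
    for i in range(2):
        ev.append({"EventID": EVENT_LOGON_FAILED, "LogonType": 10, "IpAddress": "10.0.0.9",
                   "TargetUserName": "jsmith",
                   "TimeCreated": (base + timedelta(minutes=1, seconds=i)).isoformat()})
    return ev


def sample_flows():
    """Constructed: an infected host sweeps 40 neighbours on 3389 in 40 seconds;
    a jump host legitimately reaches three servers over the same period."""
    base = datetime(2011, 8, 28, 12, 5, 0)
    fl = [{"src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": RDP_PORT,
           "ts": (base + timedelta(seconds=i)).isoformat()} for i in range(1, 41)]
    fl += [{"src": "10.0.0.7", "dst": f"10.0.2.{i}", "dport": RDP_PORT,
            "ts": (base + timedelta(minutes=i)).isoformat()} for i in range(1, 4)]
    return fl


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(sample_events()):
        print("ALERT", *a)
    print("scanners:", detect_rdp_scanners(sample_flows()))
```

The thresholds are deliberately loose: a worm that has only ~30 guesses per host trips the ten-failure rule well before it has exhausted its list, and the success alert is the one to page on, since it means a password on the list actually worked. On a real network the flow rule needs an allow-list for jump hosts and vulnerability scanners that legitimately touch many machines on 3389.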

Denial of service

“Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable,” wrote Hil Gradascevic, a researcher with the Microsoft Malware Protection Centre.

It can also perform denial-of-service attacks against targets specified by the perpetrator, Microsoft said. In fact, it runs a “quick DoS test” against an IP address belonging to Google, wrote security researcher Mila Parkour on the Contagio Malware Dump blog. Google won’t “feel” the DDoS test as it is not really an attack on Google, Parkour said.

Since it spreads through the local area network, Parkour noted that even a virtual machine with the worm can spread it to other VMs and physical machines on the LAN. “Take appropriate measures to prevent it from spreading,” she said.

Morto also terminates the processes of locally running security applications so that it can’t be detected, said Gradascevic. Targeted products include antivirus tools from Avast, AVG, Clam AV, McAfee and Norton, among others.

It appears to take advantage of systems “not complying to best practices,” wrote Kevin Shott, an incident handler at SANS Institute’s Internet Storm Centre. Not having a strong password for the administrator account is the most glaring violation. Administrators should also never expose RDP directly to the Internet, Maiffret said. At the very least, VPN authentication should be required before access is granted, he said. Administrators can also thwart Morto by simply running RDP on a non-standard port, according to Maiffret, although that only hides a host from this worm, which looks for port 3389 alone; it does nothing against an attacker who scans every port, so the strong password and the VPN requirement still matter.

“This particular worm highlights the importance of setting strong system passwords,” said Microsoft’s Gradascevic. “The ability of attackers to exploit weak passwords shouldn’t be underestimated.”

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
