A new worm, which has been named Morto, has surfaced on the Internet in the last few days, according to a diary post at the SANS Internet Storm Center. It infects machines via the Remote Desktop Protocol (RDP), developed by Microsoft, and is capable of compromising both Windows servers and workstations. A key symptom of Morto infection is a very large amount of outbound traffic on TCP port 3389, which is used for RDP; the traffic is the result of the worm searching for other machines to infect via RDP. The attack itself is fairly basic; the worm tries to log in to the target computer using a list of common user IDs (e.g., support) and common dumb passwords (e.g., password). Once established, the worm attempts to contact one or more remote control servers on the Internet, which can instruct it to launch denial-of-service attacks. It also attempts to terminate any running processes with names in a list of those commonly used by anti-malware tools.
This is the first prominent worm we have seen for a while, and the first to use RDP as an infection vector. At one time, worms like SQLSlammer were quite common, but more targeted attacks for monetary gain have become more common recently.
Microsoft has articles describing the original worm, and a new variant, at its Malware Protection Center; these articles give extensive details on how the worm operates. The ThreatPost blog, by security vendor Kaspersky Labs, also has an article on the original worm, and an update on recent developments.
Given the simplicity of the attack mechanism, properly administered systems should not be very vulnerable (surely you do not use ‘1234567’ as a password!), but it is worth checking that you are up-to-date on patches, that your firewall is properly configured, and that you are not running RDP services if they are not required. And if you see a lot of TCP/3389 traffic, it merits a closer look.
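One way to spot the fan-out pattern described above (a single host contacting many different machines on TCP/3389), as an added example that is not part of the original post or of any vendor's tooling; the flow-log format, the sample lines and the threshold are constructed assumptions:

```python
"""Flag hosts that fan out to many distinct peers on TCP/3389, the outbound
scanning pattern the post describes. The flow-log format, sample lines and
threshold are constructed assumptions for this example, not Morto indicators."""
from collections import defaultdict

# Constructed sample in a hypothetical 'time src_ip dst_ip dst_port proto' format.
SAMPLE_FLOWS = (
    # scanner-like host: one attempt to each of 20 different destinations
    [f"2011-08-29T10:00:{i:02d} 10.0.0.5 192.168.1.{i} 3389 TCP" for i in range(1, 21)]
    # normal admin workstation: repeated sessions to a single RDP server
    + [f"2011-08-29T10:05:{i:02d} 10.0.0.7 10.0.0.2 3389 TCP" for i in range(6)]
    # unrelated web traffic, and a UDP line on port 3389 that must be ignored
    + ["2011-08-29T10:06:00 10.0.0.5 203.0.113.10 443 TCP",
       "2011-08-29T10:06:01 10.0.0.9 192.168.1.5 3389 UDP"]
)


def parse_flow(line):
    """Split one log line into its fields; raises ValueError if malformed."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto.upper()


def rdp_fanout(lines):
    """Map each source address to the set of distinct destinations it reached on TCP/3389."""
    peers = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        try:
            _, src, dst, port, proto = parse_flow(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the sweep
        if proto == "TCP" and port == 3389:
            peers[src].add(dst)
    return peers


def flag_rdp_scanners(lines, min_distinct_peers=5):
    """Return {source: distinct_peer_count} for sources at or above the threshold.
    A legitimate admin host reuses a few servers; a worm searching for new victims
    touches many different addresses, so the distinct-peer count is the signal."""
    return {src: len(dsts) for src, dsts in rdp_fanout(lines).items()
            if len(dsts) >= min_distinct_peers}


if __name__ == "__main__":
    for src, count in sorted(flag_rdp_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {count} distinct TCP/3389 peers, investigate")
```

Tune the threshold to your own environment; jump hosts used by several administrators will legitimately reach more RDP servers than a typical workstation.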