New Windows Worm Squirming Through RDP

I haven’t seen a Windows worm in the wild in a long time. The last major worm infestation was in 2003, in the days of Blaster, which spread via an unpatched flaw in RPC. Slammer hit that same year, and Code Red a few years before, in 2001.

This new worm, code-named ‘Morto’, has been seen in the wild and accounts for a spike in RDP traffic on 3389/tcp as it spreads. Users are reporting infections on Microsoft’s TechNet forums.

Morto appears to be a dumb worm: it doesn’t actually exploit anything but people’s stupidity. It simply attempts to guess weak passwords for the Administrator account via RDP.

The following password list is being used:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

If Morto successfully guesses a password, it mounts the remote C: and D: drives and copies a version of itself over. Once it has copied itself to a new victim, it scans the local subnet of the newly compromised box and attempts to spread to neighboring machines by the same method.

Compromised machines are fully controllable remotely. The command and control servers noted so far are jaifr.com and qfsl.net.

Morto is currently identified by F-Secure AV as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

How do you protect yourself from this new squirmy foe? Simple: don’t use dumb passwords for critical accounts, including the Administrator account. Furthermore, don’t ever have RDP open to the internet. We’ve been telling everyone this for years now.
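The spread pattern described above (a burst of failed Administrator logons over RDP from one neighbor, followed by a successful one) is easy to spot in Windows Security logs. The following is an added detection example, not code from the original post or from any vendor. It assumes a simplified, constructed `timestamp|event_id|logon_type|account|source_ip` record format rather than real Windows event XML; the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows identifiers, and the sample log lines and IP addresses are constructed for the example.

```python
"""Flag RDP password-guessing bursts against an account, and whether one succeeded.

Added example for the Morto write-up. Records use a constructed, simplified
'timestamp|event_id|logon_type|account|source_ip' format; 4625/4624 are the
real Windows Security event IDs for failed/successful logon and logon type 10
is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample log (not a real capture). Three stories:
#  - 192.168.1.50 fails five times against Administrator, then gets in
#  - 192.168.1.77 is a single typo by a normal user
#  - 192.168.1.90 fails five times against Administrator but never gets in
#  - 192.168.1.60 fails over the network (type 3), which is not RDP and is ignored
SAMPLE_LOG = """\
2011-08-28T10:00:01|4625|10|Administrator|192.168.1.50
2011-08-28T10:00:02|4625|10|Administrator|192.168.1.50
2011-08-28T10:00:03|4625|10|Administrator|192.168.1.50
2011-08-28T10:00:04|4625|10|Administrator|192.168.1.50
2011-08-28T10:00:05|4625|10|Administrator|192.168.1.50
2011-08-28T10:00:06|4624|10|Administrator|192.168.1.50
2011-08-28T10:05:00|4625|10|jsmith|192.168.1.77
2011-08-28T10:30:00|4625|10|Administrator|192.168.1.90
2011-08-28T10:30:01|4625|10|Administrator|192.168.1.90
2011-08-28T10:30:02|4625|10|Administrator|192.168.1.90
2011-08-28T10:30:03|4625|10|Administrator|192.168.1.90
2011-08-28T10:30:04|4625|10|Administrator|192.168.1.90
2011-08-28T11:00:00|4625|3|Administrator|192.168.1.60
2011-08-28T11:00:01|4625|3|Administrator|192.168.1.60
2011-08-28T11:00:02|4625|3|Administrator|192.168.1.60
2011-08-28T11:00:03|4625|3|Administrator|192.168.1.60
2011-08-28T11:00:04|4625|3|Administrator|192.168.1.60
2011-08-28T11:00:05|4625|3|Administrator|192.168.1.60
"""


def parse_events(text):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, source_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
        })
    return events


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (source_ip, account) with >= threshold failed RDP
    logons inside `window`, noting whether a successful RDP logon followed.

    Only logon type 10 is counted, because the behaviour being detected is
    password guessing over RDP. The sliding window finds the densest burst of
    failures; a 4624 at or after that burst's start means the guess worked.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["source_ip"], ev["account"])
        if ev["event_id"] == FAILED_LOGON:
            failures[key].append(ev["time"])
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[key].append(ev["time"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        start, best, burst_start = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 > best:
                best, burst_start = end - start + 1, times[start]
        if best >= threshold:
            succeeded = any(s >= burst_start for s in successes.get(key, []))
            alerts.append({"source_ip": key[0], "account": key[1],
                           "failures": best, "succeeded": succeeded})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

The `succeeded` flag is the one to page on: a burst that ends in a 4624 is the moment Morto would start mounting C: and D: on the victim, so that host and its subnet neighbors are the ones to isolate first.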
