I haven’t seen a Windows worm in the wild in a long time. The last major worm infestation was in 2003, in the days of Blaster, which spread via an unpatched flaw in the RPC service. Slammer hit that same year, and Code Red a few years before, in 2001.
This new worm, code-named ‘Morto’, has been seen in the wild and accounts for a spike in RDP traffic on 3389/tcp as it spreads. Users are reporting infected systems on Microsoft’s TechNet website.
Morto appears to be a dumb worm and doesn’t actually exploit anything but people’s stupidity. Morto is simply attempting to guess weak passwords for the Administrator account via RDP.
The following password list is being used:
admin, password, server, test, user, pass, letmein, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin123, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890
If Morto successfully guesses a password, it mounts the victim’s C: and D: drives over the network and copies itself across. Once it is running on the new victim, it scans the local subnet that the newly compromised box sits on and attempts to spread to neighbouring machines by the same method.
Compromised machines are fully controllable remotely. Command and control servers have been noted to be jaifr.com and qfsl.net.
Morto is currently being identified by F-Secure AV as Backdoor:W32/Morto.A and Worm:W32/Morto.B.
How do you protect yourself from this new squirmy foe? Simple, don’t use dumb passwords for critical accounts including the Administrator account. Furthermore, don’t ever have RDP open to the internet. We’ve been telling everyone this for years now.
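Since Morto does nothing cleverer than hammering RDP with a short list of passwords, it is easy to spot in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, followed by a success (event 4624) if the guess lands. The script below is an added example, not part of the original post or of any vendor tooling: it checks a candidate password against the list quoted above and runs a sliding-window brute-force detector over a handful of constructed, deliberately simplified one-line events (timestamp, event id, logon type, account, source IP) rather than real event-log records. The event ids and logon type are the real Windows values; the log format and sample data are constructed for the example.

```python
"""Spot Morto-style RDP password guessing and weak Administrator passwords.

Added example: the log format below is a constructed simplification of the
Windows Security log, one event per line:
    <ISO timestamp> <event id> <logon type> <account> <source ip>
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The password list the post quotes as the worm's guessing list.
MORTO_PASSWORDS = frozenset("""
admin password server test user pass letmein 1234qwer 1q2w3e 1qaz2wsx aaa
abc123 abcd1234 admin123 111 123 369 1111 12345 111111 123123 123321 123456
654321 666666 888888 1234567 12345678 123456789 1234567890
""".split())


def is_morto_guessable(password: str) -> bool:
    """True if an Administrator password is one the worm will try."""
    return password in MORTO_PASSWORDS


# Constructed sample events (not real data): five failures then a success
# from one host, a lone failure from another, and a local (non-RDP) failure.
SAMPLE_LOG = """\
2011-08-28T10:00:01 4625 10 Administrator 192.0.2.10
2011-08-28T10:00:03 4625 10 Administrator 192.0.2.10
2011-08-28T10:00:05 4625 10 Administrator 192.0.2.10
2011-08-28T10:00:07 4625 10 Administrator 192.0.2.10
2011-08-28T10:00:09 4625 10 Administrator 192.0.2.10
2011-08-28T10:00:11 4624 10 Administrator 192.0.2.10
2011-08-28T10:02:30 4625 10 Administrator 198.51.100.7
2011-08-28T10:05:00 4625 2 jsmith 127.0.0.1
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_events(text: str) -> list:
    """Parse the simplified one-line-per-event format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), int(eid),
                            int(ltype), account, ip))
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per (source_ip, account) with >= threshold failed RDP logons
    inside `window`; `succeeded` is set when an RDP logon from the same
    source and account succeeded after the burst began (password guessed)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.logon_type == 10:          # only RDP sessions matter here
            by_key[(ev.source_ip, ev.account)].append(ev)

    alerts = []
    for (ip, account), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.event_id == 4625]
        burst_first = burst_last = None
        start = 0
        for end, f in enumerate(failures):     # sliding window over failures
            while f.ts - failures[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                if burst_first is None:
                    burst_first = failures[start].ts
                burst_last = f.ts
        if burst_first is None:
            continue
        succeeded = any(e.event_id == 4624 and e.ts >= burst_first for e in evs)
        alerts.append({"source_ip": ip, "account": account,
                       "failures": len(failures), "first": burst_first,
                       "last": burst_last, "succeeded": succeeded})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
    print("letmein guessable:", is_morto_guessable("letmein"))
```

On the sample data the detector raises exactly one alert, for 192.0.2.10 against Administrator, with `succeeded` set because the 4624 follows the burst; the single failure from 198.51.100.7 and the local logon-type-2 failure are ignored. An alert with `succeeded` true is the one to treat as a compromise, not a mere attempt.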