"Morto" worm spreading via Remote Desktop connections

Share this article:

A first-of-its-kind worm is currently spreading in the wild via Windows Remote Desktop Protocol (RDP), security firms have warned.

But experts don't believe the malware will become widespread.

Dubbed “Morto,” the worm was discovered on Saturday but was likely propagating for several days before that, Mikko Hypponen, chief research officer at F-Secure, told SCMagazineUS.com on Monday. Morto is unique because it is the first worm to spread via RDP, a technology developed by Microsoft that enables users to connect to their computer remotely. 

“It will enter history books as the first worm that used this vector,” Hypponen said.

The worm, targeting Windows workstations and servers, allows attacks to remotely control an affected system, Hypponen said. In addition, infected machines become part of a botnet that can be used to launch distributed denial-of-service (DDoS) attacks.

To be vulnerable, a machine would need to be enabled for remote use, he said. Most importantly, a user would have to be using a weak password for this connection.

Morto attempts to spread by scanning infected computers' local networks for machines that have RDP enabled. When a Remote Desktop server is found, the malware then attempts to use dozens of weak passwords, such as “123,” “admin” or “password," to login as the administrator.

Upon successfully signing in, the malware then copies itself onto the target machine. Infected servers generate a substantial amount of outgoing traffic for port 3389/TCP as the malware scans IP ranges to find other machines to infect.

Marc Maiffret, CTO of vulnerability assessment and management firm eEye Digital Security, in a blog post Sunday, called Morto “silly” and said it demonstrates that many organizations still fail to cover security basis such as enforcing the use of strong passwords.  

“If there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the ‘APT' or Stuxnet,” he wrote.

Morto has so far impacted a few thousand servers, Hypponen said. It is, however, nowhere near as fast-moving as other worms, such as Blaster, he added.

Microsoft on Sunday released details about the worm and labeled it as “severe,” its highest alert level, reserved for the most widespread and malicious programs.

“It's important to remember that this malware does not exploit a vulnerability, but instead relies on weak passwords,” Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, said in a statement sent to SCMagazineUS.com on Monday. “We encourage people to use strong passwords to help protect their systems.”

Past infectious worms, such as Conficker, required a vulnerability.

Infection rates also will be slowed anti-virus solutions, Hypponen said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.