The Morto worm recently rose to fame as the only worm to leverage the Microsoft Remote Desktop Protocol (RDP) to propagate. Worms are rare these days, so any new worm is interesting.
How does it work?
Morto scans the LAN for systems running RDP (TCP port 3389). Once RDP is found, the worm attempts a dictionary attack on the Administrator account. Upon successful login, the remote hard drive is mounted and Morto copies itself to the remote PC. Using the Regedit command, the DLL it previously copied over is automatically loaded into memory, and the worm is off and running again.
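As an added example (not code from the original post), the following Python flags the kind of Administrator password guessing over RDP described above by scanning exported Windows Security logon events. The event records are constructed samples; the code assumes they carry the standard 4625/4624 failed/successful-logon fields, with logon type 10 marking an RDP session.

```python
# Added example (not from the original post): flag Morto-style RDP password
# guessing from exported Windows Security events. Records below are constructed
# samples; field names follow the 4625/4624 logon-event schema (LogonType 10 = RDP).
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # "An account failed to log on"
SUCCESS_LOGON = 4624      # "An account was successfully logged on"
REMOTE_INTERACTIVE = 10   # RDP / Terminal Services session
THRESHOLD = 5             # failures from one source before alerting
WINDOW = timedelta(minutes=2)

# Constructed sample: one host guessing Administrator over RDP, plus noise.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "Administrator", "LogonType": 10,
     "IpAddress": "10.0.0.23", "TimeCreated": "2011-08-28T10:00:%02d" % s}
    for s in range(0, 60, 10)
] + [
    {"EventID": 4625, "TargetUserName": "alice", "LogonType": 2,
     "IpAddress": "-", "TimeCreated": "2011-08-28T10:00:05"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 10,
     "IpAddress": "10.0.0.23", "TimeCreated": "2011-08-28T10:01:10"},
]

def rdp_guessing_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> total failed RDP logons against Administrator, for
    every source with at least `threshold` failures inside one `window`."""
    per_source = defaultdict(list)
    for ev in events:
        if (ev["EventID"] == FAILED_LOGON and ev["LogonType"] == REMOTE_INTERACTIVE
                and ev["TargetUserName"].lower() == "administrator"):
            per_source[ev["IpAddress"]].append(datetime.fromisoformat(ev["TimeCreated"]))
    hits = {}
    for src, times in per_source.items():
        times.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

def successful_after_guessing(events, hits):
    """Sources from `hits` that also logged on successfully over RDP: the
    guessing may have worked, so treat that host as a follow-up priority."""
    return sorted({ev["IpAddress"] for ev in events
                   if ev["EventID"] == SUCCESS_LOGON
                   and ev["LogonType"] == REMOTE_INTERACTIVE and ev["IpAddress"] in hits})
```

On the sample data the guessing source is reported with six failures, and the later successful Administrator logon from the same address is surfaced as a likely compromise.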
Should I be worried?
Morto represents the continued ingenuity of the malware community. Although it didn’t pack a dangerous payload, it should be a wake-up call to IT administrators worldwide because it exploited weak configurations. Morto was packaged with only 36 guessable passwords, such as “123,” “Admin,” and “password.”
How can I prevent it?
Don’t forget about the local Administrator account on your computers. Ensure the same password policies apply to local accounts as they do to domain-level accounts. Disable RDP services if they are not needed, and keep all systems protected with anti-malware software.