Windows Servers & Workstations Vulnerable to Wicked Worm in the Wild

Like a blast from the past, there’s a wicked worm spreading in the wild which can be controlled remotely to launch DDoS attacks against attacker-specified targets. Weak passwords on Remote Desktop connections are exploited. Windows servers and workstations are vulnerable.


Like a blast from the past, there’s a wicked worm spreading in the wild. Morto, the ‘death’ worm, exploits weak passwords rather than a software flaw, so it can hijack even fully patched Windows servers and workstations via Remote Desktop Protocol (RDP). Once Morto finds a host accepting Remote Desktop connections, it tries a list of weak passwords to log in as Administrator. It then attempts to terminate anti-virus and other popular security-related programs. Morto can be controlled remotely to launch Denial of Service attacks against attacker-specified targets.

According to the Microsoft Malware Protection Center, “Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted.” The advisory includes a list of weak passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

The list is most likely incomplete, since there are scattered reports around the web of users being infected while using passwords that are not on it.

On Sunday the SANS Internet Storm Center reported that a previously described spike in port 3389 traffic had now grown “tenfold.” F-Secure posted, “Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port. ... The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.”

The TechNet forums have been discussing the “ton of outgoing TCP 3389” traffic since August 25. While Microsoft Safety Scanner can detect Morto, opinions on the forum vary as to whether the scanner can permanently remove the death worm. Some users stated that the registry keys need to be cleaned manually. Another user reported that Morto “symptoms come back after a while.” Faron Faulk [MSFT] posted, “Are you changing the password that is used for RDP user(s)? If it’s coming back ‘after a while’ that sounds like the attacker is just guessing your password again, possibly.” The reply, however, stated that it wasn’t the password, yet sens32.dll kept running.
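The two symptoms described above, a burst of failed RDP logons against one box and an infected host sweeping its neighbours on TCP/3389, are both easy to pull out of logs you already have. The following is an added example written for this article, not code from Microsoft, F-Secure or the forum posters. The log lines are constructed for the example: the failed-logon records borrow the shape of Windows Security event 4625 with LogonType 10 (RemoteInteractive, i.e. RDP), and the firewall lines loosely follow the pfirewall.log column order, but the field names and the exact layout are assumptions, so adapt the parsers to your own export. The file indicator paths are the two F-Secure names above.

```python
"""Spot Morto-style activity in log data: password guessing over RDP and
hosts scanning the LAN on TCP/3389. Added example; all log lines are constructed."""
import os
from collections import defaultdict
from datetime import datetime

# Constructed records: Windows Security event 4625 (failed logon). LogonType 10
# is RemoteInteractive (RDP); LogonType 2 is a console logon and is ignored.
# The 'key=value' field names are an assumption made for this example.
FAILED_LOGONS = """\
2011-08-28T01:00:01 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:02 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:02 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:03 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:04 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:05 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=192.0.2.10
2011-08-28T01:00:07 EventID=4625 LogonType=2 TargetUser=alice SrcIP=-
2011-08-28T01:10:00 EventID=4625 LogonType=10 TargetUser=bob SrcIP=192.0.2.20
2011-08-28T01:25:00 EventID=4624 LogonType=10 TargetUser=bob SrcIP=192.0.2.20
"""

# Constructed firewall lines: 'date time action proto src dst sport dport'
# (loosely the pfirewall.log column order; assumption). 10.0.0.5 sweeps twelve
# neighbours on 3389, 10.0.0.7 is an admin connecting twice to one host.
FIREWALL_LOG = "\n".join(
    [f"2011-08-28 01:05:{i:02d} ALLOW TCP 10.0.0.5 10.0.0.{100 + i} {49152 + i} 3389"
     for i in range(12)]
    + ["2011-08-28 01:06:00 ALLOW TCP 10.0.0.7 10.0.0.9 50000 3389",
       "2011-08-28 01:06:05 ALLOW TCP 10.0.0.7 10.0.0.9 50001 3389",
       "2011-08-28 01:06:30 ALLOW TCP 10.0.0.7 10.0.0.3 50002 445"]
)

# Files F-Secure names as created by the infection, relative to the Windows directory.
MORTO_FILES = (r"system32\sens32.dll", r"offline web pages\cache.txt")


def parse_kv_events(text):
    """Parse the constructed 'timestamp key=value ...' records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def find_rdp_guessing(events, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` failed RDP logons (4625, LogonType 10)
    inside any `window_seconds` span, found with a sliding window per source."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625" and e.get("LogonType") == "10":
            by_src[e["SrcIP"]].append(e["ts"])
    offenders = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(src)
                break
    return offenders


def find_rdp_scanners(log_text, threshold=10):
    """Sources that opened TCP connections to at least `threshold` distinct
    hosts on port 3389: the worm's LAN sweep, not an admin's repeat logons."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "TCP":
            continue
        src, dst, dport = parts[4], parts[5], parts[7]
        if dport == "3389":
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def find_morto_files(windir):
    """Return whichever of the Morto indicator files exist under `windir`."""
    found = []
    for rel in MORTO_FILES:
        path = os.path.join(windir, *rel.split("\\"))
        if os.path.exists(path):
            found.append(path)
    return found


if __name__ == "__main__":
    print("RDP guessing from:", find_rdp_guessing(parse_kv_events(FAILED_LOGONS)))
    print("3389 scanners:", find_rdp_scanners(FIREWALL_LOG))
    print("indicator files:", find_morto_files(os.environ.get("SystemRoot", r"C:\Windows")))
```

The scanner check counts distinct destinations rather than connections, so an administrator reconnecting to the same server all day does not trip it; the guessing check keys on LogonType 10 so console and network logon failures are left out. A positive hit on either, or on the indicator files, is the moment to change the Administrator password before cleaning, since a host that is simply re-guessed will look exactly like the reinfection the forum users describe.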

Morto highlights yet another reason to use strong passwords. As the Microsoft Malware Threat Research & Response Blog points out:

When creating strong passwords, remember that the key to a strong password is length and complexity. Here’s a few tips to keep in mind:

  • An ideal password is long and has letters, punctuation, symbols, and numbers.
  • Whenever possible, use at least 14 characters or more.
  • The greater the variety of characters in your password, the better.
  • Use the entire keyboard, not just the letters and characters you use or see most often.
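A password check that covers both halves of this article, the published Morto list and the length-and-variety guidance just quoted, as an added example written for this page rather than code from Microsoft or the article's author. It goes a little beyond the literal list: besides rejecting an exact entry, it rejects the patterns the list exemplifies (a single repeated character such as 666666 or aaa, a run along a keyboard row or the digit sequence such as 1234qwer or 123456789). The choice of four characters as "enough of a pattern" and the 14-character minimum are assumptions taken from the guidance above; the two `%u%` entries are kept literally as the advisory prints them.

```python
"""Assess a candidate RDP/Administrator password against the Morto list and the
length/complexity guidance quoted above. Added example, not code from the article."""

# The password list as printed in the Microsoft advisory quoted above,
# including the two '%u%' entries kept verbatim.
MORTO_PASSWORDS = [
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "!@#$%^", "%u%", "%u%12",
    "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234", "admin",
    "admin123", "letmein", "pass", "password", "server", "test", "user",
]

MIN_LENGTH = 14  # "at least 14 characters" from the guidance above
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
ALL_CLASSES = {"lower", "upper", "digit", "symbol"}


def character_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_trivial_pattern(password, run=4):
    """True for the patterns the Morto list exemplifies: one repeated character
    (111, 666666, aaa) or `run` consecutive keys along a keyboard row / the digit
    sequence, in either direction (1234qwer, 123456789). `run` = 4 is an assumption."""
    p = password.lower()
    if len(p) >= 3 and len(set(p)) == 1:
        return True
    for i in range(len(p) - run + 1):
        chunk = p[i:i + run]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def assess_password(password):
    """Return the reasons a password would fall to Morto-style guessing or fails
    the guidance quoted above; an empty list means it passes every check."""
    problems = []
    if password in MORTO_PASSWORDS:
        problems.append("on the Morto password list")
    if has_trivial_pattern(password):
        problems.append("repeated character, digit sequence or keyboard row")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = ALL_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "letmein", "1qaz2wsx", "Admin123!", "Correct-Horse7Battery!"):
        verdict = assess_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The pattern check is what makes this more than a lookup: a host whose Administrator password is `12345678901` is not on the list, but it is the next thing anyone extending the list would try, and the check rejects it for the same reason it rejects `123456`. Note that the list comparison is exact, matching what the article says the worm does; if you want to be stricter, compare case-insensitively as well.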

So happy back-to-work day to you ... that is, if you weren’t working overtime this weekend battling the death worm. I hope you are not starting your Monday infected with Morto, as hijacked RDP hosts can be marshalled into a botnet-like attack to DDoS your firewall or to attack someone else.