Slashdot Mirror


New Worm Morto Using RDP To Infect Windows PCs

Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."


  1. Finally by jhoegl · · Score: 2

    A lot of IT uses RDP to access servers remotely. Terminal Services is also used heavily by companies.

    So I was wondering when someone would find and then use an exploit against them. It was only a matter of time :(.

    The good news is the damage may be minimal as it seems to only affect 2k3 R2 servers, at least that is what is reported. It may be all of 2k3 or all 2k3/2k8.

    1. Re:Finally by jhoegl · · Score: 5, Informative

      Hmmmm, after reading the article, I do not see any actual exploit being used, and the server or account that was seemingly brute forced (only possible way) is required to have some GPO allowances such as root C or D drive access and execute permissions on that drive.

    2. Re:Finally by jhoegl · · Score: 3, Informative
      Yup, brute force... From a post in the linked thread

      And in my current knowledge, if you get infected, it means you have way too EASY PASSWORD. - Meitzi

    3. Re:Finally by jhoegl · · Score: 3, Informative
    4. Re:Finally by jhoegl · · Score: 5, Interesting
      Finally finally... LOL

      If you get hacked, you deserve it.

      Compromising Remote Desktop connections on a network: Port 3389 (RDP)
      Worm:Win32/Morto.A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems as administrator using passwords from the following list:

      *1234
      0
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      168168
      520520
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890
      !@#$%^
      %u%
      %u%12
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin
      admin123
      letmein
      pass
      password
      server
      test
      user

    5. Re:Finally by bwintx · · Score: 2
      TFA article lists "RavMonD" and "zhudongfangyu" as processes the worm tries to stop, not as passwords it attempts.

      Terminates processes
      Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

      --
      Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
    6. Re:Finally by Anonymous Coward · · Score: 5, Informative

      This is not the complete list of what happens.

      I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.

      MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.

      I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.

      The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.

      Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
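
The subnet sweep described in the comment above (an infected host blasting its own /24 and the neighbouring ones on 3389) shows up clearly in outbound firewall logs. This is an added detector written for this thread, not code from the poster or from any vendor; the log format and the addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log (not from the thread): 10.10.10.25 sweeps its own
# /24 and both neighbouring /24s on TCP/3389, while 10.10.10.7 is a normal
# admin opening one RDP session and one SMB session.
SAMPLE_LOG = """\
2011-08-20T10:00:01 src=10.10.10.25 dst=10.10.10.1 dport=3389
2011-08-20T10:00:01 src=10.10.10.25 dst=10.10.10.2 dport=3389
2011-08-20T10:00:02 src=10.10.10.25 dst=10.10.10.3 dport=3389
2011-08-20T10:00:02 src=10.10.10.25 dst=10.10.9.40 dport=3389
2011-08-20T10:00:03 src=10.10.10.25 dst=10.10.9.41 dport=3389
2011-08-20T10:00:03 src=10.10.10.25 dst=10.10.11.17 dport=3389
2011-08-20T10:00:04 src=10.10.10.25 dst=10.10.11.18 dport=3389
2011-08-20T10:00:05 src=10.10.10.7 dst=10.10.10.50 dport=3389
2011-08-20T10:00:06 src=10.10.10.7 dst=10.10.10.50 dport=445
"""

def slash24(addr):
    """The /24 containing addr."""
    return ipaddress.ip_network(f"{addr}/24", strict=False)

def adjacent_subnets(net):
    """net itself plus the numerically previous and next /24."""
    base = int(net.network_address)
    return {net} | {slash24(ipaddress.ip_address(base + off)) for off in (-256, 256)}

def rdp_sweeps(log_text, min_targets=5):
    """Sources that tried TCP/3389 against at least min_targets distinct
    hosts, with the /24s they touched and whether those /24s are all the
    source's own subnet or its neighbours (the pattern described above)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if int(fields["dport"]) == 3389:
            targets[fields["src"]].add(fields["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        swept = {slash24(d) for d in dsts}
        report[src] = {
            "targets": len(dsts),
            "subnets": sorted(str(n) for n in swept),
            "neighbour_sweep": len(swept) > 1 and swept <= adjacent_subnets(slash24(src)),
        }
    return report
```

Run rdp_sweeps over a real export by feeding it lines in the same src/dst/dport shape; the threshold of five distinct targets is an assumption to tune against normal admin traffic.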
       

    7. Re:Finally by Lumpy · · Score: 2

      You should also already have DROP rules for all IP addresses coming from outside countries you don't have workers in already.

      We don't have any Asian, Eastern or Russian workers so I block all those countries in the firewall. It reduces risk and traffic significantly.

      I also have the firewall add a 24 hour drop rule for any IP address that attempts a connection and gets a rejection more than 5 times to a port in 20 minutes.

      Passwords are your second line of defense, your firewall is your first.

      --
      Do not look at laser with remaining good eye.
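The "more than 5 rejections to a port in 20 minutes earns a 24 hour drop" rule from the comment above, as an added worked example (not the poster's firewall configuration): it replays constructed reject-log lines through a sliding window and reports which source/port pairs would be banned and until when.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # more than this many rejects ...
WINDOW = timedelta(minutes=20)  # ... inside this window ...
BAN_FOR = timedelta(hours=24)   # ... earns a drop rule of this length

# Constructed reject log (not from the thread): 198.51.100.7 racks up six
# rejects on 3389 in five minutes; 198.51.100.4 spreads five over three hours.
SAMPLE_REJECTS = """\
2011-08-20T08:00:00 REJECT src=198.51.100.4 dport=3389
2011-08-20T08:40:00 REJECT src=198.51.100.4 dport=3389
2011-08-20T09:00:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:01:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:02:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:03:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:04:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:05:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T09:06:00 REJECT src=198.51.100.7 dport=22
2011-08-20T09:20:00 REJECT src=198.51.100.4 dport=3389
2011-08-20T09:30:00 REJECT src=198.51.100.7 dport=3389
2011-08-20T10:00:00 REJECT src=198.51.100.4 dport=3389
2011-08-20T10:40:00 REJECT src=198.51.100.4 dport=3389
"""

def parse_rejects(text):
    """Yield (timestamp, source ip, destination port) per REJECT line."""
    for line in text.splitlines():
        ts, _, src, dport = line.split()
        yield (datetime.fromisoformat(ts), src.split("=", 1)[1], int(dport.split("=", 1)[1]))

def compute_bans(events, threshold=THRESHOLD, window=WINDOW, ban_for=BAN_FOR):
    """Replay rejects in time order and return {(ip, port): ban_until}.
    A pair is banned once it exceeds `threshold` rejects inside any `window`;
    while banned its packets are dropped, so they no longer count as rejects."""
    recent = defaultdict(deque)
    bans = {}
    for ts, ip, port in sorted(events):
        key = (ip, port)
        if key in bans and ts < bans[key]:
            continue                      # already dropped by the 24h rule
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:         # forget rejects outside the window
            q.popleft()
        if len(q) > threshold:
            bans[key] = ts + ban_for
            q.clear()
    return bans
```
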
    8. Re:Finally by Kalriath · · Score: 2

      Flamebait much? (And I have mod points, just preferred not to use 'em).

      Someone having an MS qualification does not make them a bad sysadmin. There are equally shitty Unix sysadmins out there. A stupid sysadmin is a stupid sysadmin no matter who issued their certificate.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    9. Re:Finally by snowgirl · · Score: 2

      Weird... when you typed hunter1, all I saw were asterisks.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    10. Re:Finally by EdIII · · Score: 2

      Lol, I love it.

      666666
      888888

      No....not 777777. They'll be expecting that.

      Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

      Dude... I am crying right now with how hard I am laughing. I might pee myself.

      I swear, I absolutely swear that I had a user so.... "inept" and "unsmart" that the only password the user could remember was 7777777. I'm not kidding. He was management and had problems remembering people's names. We tried giving him different passwords, especially on other systems, and it spawned endless IT calls for help with his password. I mean simple passwords, like grouped names.

      Nope. Could not handle it. Other things in the company he could actually do, which is why they kept him. Idiot Savant when it came to sales and marketing. Passwords? It was like working with a real life monkey.

      I had arguments with upper management about security. Oh, boy did I. I always brought up dictionary attacks and brute force ..... and that he... was vulnerable.

      Apparently not true. TOTALLY SAFE . The irony of the whole thing. My sides hurt.

    11. Re:Finally by datapharmer · · Score: 2

      Once you have access to the command line, you can then use it to transfer exploitable code to the Windows temporary folder. This puts an attack vector in place. Disconnect, then reconnect with the command to execute your payload - this command is executed before policies are enforced. Tah-dah.

      --
      Get a web developer
  2. Poor Passwords are the problem by Anonymous Coward · · Score: 3, Informative

    Read about Morto and it says it spreads by trying common passwords such as the following:
    When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

      admin
      password
      server
      test
      user
      pass
      letmein
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin123
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890

    1. Re:Poor Passwords are the problem by DarkOx · · Score: 4, Informative

      I generally agree that moving well known services to alternate ports is a waste of time at best and a headache at worst, for most services.

      Port scanners should not be effective tools in a high security environment though. You should have an IDS that can detect a scan, even if it's a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would-be attackers to run a port scan against your hosts. In which case there may be value in moving high-value targets like administrative interfaces to lesser known ports; generally legitimate people using those interfaces won't be terribly inconvenienced.

      Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever? Certainly yes. If your common threat model really includes that guy though, you're really operating in a different reality than most of us; for the rest, snort, iptables and some shell scripts, or {pick commercial vendor solution} here, go a long way.

      In 1997 an unprotected host was not good enough anymore, you needed a firewall
      In 2000 you needed a stateful firewall
      In 2005 you needed an application layer firewall
      It's 2011, you need IDS / IPS
      The arms race continues....

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Poor Passwords are the problem by Lumpy · · Score: 2

      "There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts"

      Yes there is. Competent Network people and up to date networking hardware to do this cost money. Executives would rather continue to run on the out of date Nokia Firewalls they bought in 2003 and hire employees who are happy to get $25,000 to $35,000 instead of having a budget that is realistic and pay-scales that attract competent employees.

      THIS is the reason that in 2011 you can't have in place mechanisms that make it difficult for an attacker to gain a foothold in your company.

      --
      Do not look at laser with remaining good eye.
  3. A non-issue for people who use strong passwords by mkraft · · Score: 4, Informative

    From what I've read, the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.

  4. ...or that hate default ports... by FlavorDave · · Score: 4, Informative

    Since RDP is a necessary evil for administering remote windows PCs at least change the fracking port...

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

    1. Re:...or that hate default ports... by 0123456 · · Score: 3, Insightful

      Nonsense, RDP (and most other TCP services) can be quickly scanned and identified on ANY port.

      Of course if you're serious about security then a port-scan would be logged and blocked. They'd need to compromise multiple machines or scan at a very slow rate in order to be able to get past such a firewall.

    2. Re:...or that hate default ports... by asdfghjklqwertyuiop · · Score: 2

      Public key authentication / certs is an option on good VPN systems. If such a thing exists for RDP it is very rarely used.

  5. Require a VPN connection by Pop69 · · Score: 3, Informative

    If IT and users are connecting to a bare open RDP port then someone fucked up along the way.

    Do it right, require a VPN connection before you allow an RDP connection.

    1. Re:Require a VPN connection by jhoegl · · Score: 2

      Maybe, but I wouldn't want an end user's virused system accessing my networks or servers.

      RDP offers better limitations to it.
      True, you could close off every port but 3389 to the VPN, you could limit access to only one server, but then the requests start coming in...
      Besides, wouldn't an SSL RDP session be more viable?

    2. Re:Require a VPN connection by LordLimecat · · Score: 2

      Um, a VPN connection can be brute-forced too. Why is it more secure to offer a service to the internet which grants access to the whole network, than to open a service which grants access to one machine?

      I'm not really clear on this. RDP uses SSL and is generally regarded as secure. You can easily limit the rate at which passwords can be tried. Please, explain.

  6. Re:Infecting Windows -- Too Easy by magamiako1 · · Score: 5, Informative

    This has nothing to do with "hacking windows". This has everything to do with brute forcing passwords.

    This same thing can happen with SSH, FTP, and any other service that uses password authentication.

    In Linux, you install "fail2ban" to slow down brute force attempts.

    In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.

    In all systems, you use more complex passwords or two-factor authentication to avoid this.

    PS: This is only affecting idiots.

  7. Whoa, Newsflash! by Opportunist · · Score: 2

    Insecure admin passwords allow remote connections and lead to compromised computers. More details after the film.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Infecting Windows -- Too Easy by Opportunist · · Score: 3

    At least RTFM before posting. The system is helpless against a user that uses "12345" as a root password.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Infecting Windows -- Too Easy by Billly+Gates · · Score: 3, Funny

    "You would think that hackers might see there is no honor in hacking windows."

    I don't know

    I read a comment here from some guy named anonymous coward that stated Windows is just as secure as Unix and MacOSX and it is only hacked because more people use it. After all, IE 6 and IE 7 are staples of good security and coding according to him. More people use it ... that's it!