Spreading Morto worm affects RDP

Spreading rapidly in the wild and infecting Windows workstations and servers
Kerry Butters

August 30, 2011

A new worm has been discovered that spreads through the Remote Desktop Protocol (RDP) and infects Windows workstations and servers.

Morto is a new type of worm discovered recently and is said to be spreading rapidly in the wild. Once it has found its way onto a network, the malware begins a scan for other machines on the network that have RDP enabled.

It then copies itself to local drives on vulnerable computers as a dll file and creates a number of other files on the infected machine. When the dropper is executed a dll component is installed which carries the same name as a genuine dll, thus making cleaning more difficult.

The dummy dll is loaded once a user attempts to load regedit which then allows the malicious software to download and execute new components.

The worm came to the attention of Microsoft and F-Secure after it was reported by users that they were seeing an unusually high amount of traffic through RDP.

It is thought that the worm mostly attacks systems that use weak passwords such as ‘admin’ and tries a number of known combinations in order to force its way into a system. The intention behind the creation of the malware appears to be to use infected systems to perform DDoS attacks on unknown targets.

At the end of last week, users were reporting on a Microsoft forum that although they were aware that something odd was going on, nothing was picked up when they used a variety of AV scanners.

Having a fully patched system also wasn’t helping as the worm doesn’t spread through a vulnerability as such, although weak passwords could be viewed as such.

It is recommended that all administrator passwords on Windows systems are changed to be more complex and secure, or if RDP isn’t necessary on the network, then it should be disabled.


Post a comment

Your email address will not be published. Required fields are marked *

Visited 2418 times, 1 so far today