
Lessons Learned from My Relationship with Morto

My brief relationship with the Morto worm lasted exactly 5 days, at least that I know of. She may have been lurking in my life for several weeks before that time; there were times when I would just catch a glimpse of her out of the corner of my eye, but I cannot be sure.

When Morto finally did decide to make herself known there was no mistaking her presence and intent – she froze my life and the lives of my associates for those 5 days. We struggled first with trying to understand what she was all about, then where she lived, and finally how to rid ourselves of her deadly presence.

No, Morto is not a reincarnation of Cujo (Stephen King’s rabid dog), a crazy girlfriend or a sewer reptile. Morto is a computer worm – one that burrows into a computer system and lives to infect other computers and take orders from her botnet herder (yes, really a botnet herder).

Morto found her way into our lives through a test computer that was casually added to our network and opened up to the outside world. As embarrassing as this is for a security guy to say, I have to go even further and tell you the test computer had an easily guessed administrator password (actually, the offending password sits at the top of the ‘easiest passwords in the world to guess’ list). A computer open to the outside world with a dumb admin password – we deserved to be cyber toast.

I caught a faint scent of Morto several weeks before the storm. There were times when I casually asked around if others thought the Internet was particularly slow that day. Each time the speed problems passed and I went back to normal life – maybe just my ops person streaming a tv show again.

Thursday, storm day, began with slow Internet connectivity that dropped to a trickle, and finally disappeared. Our office immediately went into ‘the Internet is down, mill around’ mode. Morto had taken her best shot at stopping our company in its tracks and won. Cell phones were taken out, email was being checked and sent from smart phones and a few of the geeks went home to use their own Internet connections. We made it back up to 50% efficiency pretty quickly.

Let’s stop here and talk about how Morto ended up on my doorstep.

Whether you know it or not, most computer systems support the option to allow a user to log in to any computer from anywhere in the world. This Remote Desktop Protocol (RDP) function is a fantastic feature for homes and businesses that require remote technical support (the tech guy has access from anywhere). When RDP is first set up, it defaults to a standard user name (administrator) and password (admin) – this is too often left unchanged.

Morto is one of the first worms to take advantage of this RDP feature, and the unfortunate fact is that too many of us leave the standard administrator password as admin (or some equally embarrassing, easily guessed password like letmein or 1234).

Morto’s goal is to canvass as many of the 9.5 billion computers on the Internet as she can, looking for RDP opportunities. I know that seems a little ambitious, even for a computer worm; we’ll talk more about this in a bit.

While the odds of Morto getting around to me seemed low, she obviously did succeed. Once Morto found her way into my errant test computer she was unstoppable. Unlike many viruses and worms that have to sneak in, Morto does her dirty work as an administrator user – meaning she can do virtually anything she wants within a computer. Within seconds, Morto had installed a very sophisticated bot (short for automated computer robot) on our test machine.

Morto’s bot snuggled down in our computer to pursue her destiny – which, like all living creatures, is to propagate the species. Morto’s first directive was to wander our internal network, looking for other RDP opportunities. In our case, this consisted of eight other computers, none of which were open to the outside Internet, but all of which had weak RDP administrator passwords (an inside job). We were now the unfortunate owners of nine Morto bots, each running its own undercover operation on nine separate computers. Morto’s second directive, now being fulfilled within nine of our infected computers, was to help in the canvass of those 9.5 billion Internet-connected computers. Like a chain letter, if Morto can infect ten computers and each of those can infect ten more, etc…

Unfortunately, while the joy of propagation might be sufficient motivation for us humans, Morto has loftier goals - making money. When those nine little bots weren’t going forth to populate the Internet, they were doing what bots all across the Internet do in their spare time – chatting with their bot herder, soldiering in a few Distributed Denial of Service (DDoS) attacks, looking around for some financial information to send back to the boss, and maybe sending out some of those 95 billion spam emails per year that clog our email lives. Bot armies are very profitable business partners.

Finally, because of her ability to install herself in administrator mode, Morto is invisible to most commercial virus/malware protection or detection programs. In fact, Morto is impervious to anything except a boot and scan from an external Linux CD – something most people don't have a chance of understanding.

Let’s get back to my 5 day relationship with Morto. None of the clues we picked up on that first day could have pointed us towards Morto. In fact, if we weren’t unlucky enough to have nine infected computers, each trying their heart out to propagate, we probably wouldn’t have known we had a problem. It was only the combined RDP search traffic of nine machines that brought our network to its knees.

At the urging of the entire office staff, our geeks ran all of the troubleshooting traps. We checked for malware and viruses, confronted our Internet provider (first step of tech support, blame it on the ISP) and swapped the router out (perhaps a hardware problem) – still no clues, and definitely no success.

A long weekend and we’re still on intimate, but unknown, terms with Morto. Monday morning – is it back up yet?

In the tech world, the rule of thumb is to gather data and hope for brilliance. This we did, with the result of identifying the nine infected computers that were spewing out RDP commands. Perhaps not brilliance, and not enough information to identify Morto as the problem, but just a little closer. We did isolate all of the infected machines and ran every virus and malware scan in our arsenal against them. Not only was Morto in deep cover, but she had made subtle changes to the Windows operating system and ran rings around our detection software. We found nothing, but that in itself was a clue.
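The "gather data" step above boils down to one question: which internal hosts are opening RDP (TCP/3389) connections to an abnormal number of distinct destinations? The script below is an added example, not the author's tooling or anything from the Morto write-ups; it assumes a simple whitespace-separated flow-log format (timestamp, source IP, source port, destination IP, destination port, protocol) and an RFC 1918 definition of "internal", and the flow records it analyses are constructed for illustration. It separates internal fan-out (the "inside job" lateral spread described earlier) from external fan-out (the Internet-wide sweep), so a handful of legitimate admin sessions is not mistaken for a worm.

```python
"""Flag internal hosts fanning out RDP connection attempts to many distinct
destinations. Added example with a constructed flow-log format and constructed
sample data; thresholds and the log format are assumptions, not the author's."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Assumption: these ranges define "internal" for this network.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


def parse_flow(line):
    """Parse one assumed-format record: 'ts src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower()}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_fanout(lines):
    """Map each source IP to the distinct internal and external RDP targets it touched."""
    fanout = defaultdict(lambda: {"internal": set(), "external": set()})
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["proto"] != "tcp" or flow["dport"] != RDP_PORT:
            continue  # only RDP matters for this check
        bucket = "internal" if is_internal(flow["dst"]) else "external"
        fanout[flow["src"]][bucket].add(flow["dst"])
    return fanout


def flag_rdp_scanners(lines, threshold=10):
    """Return (src, distinct_internal_targets, distinct_external_targets) for every
    source that contacted at least `threshold` distinct RDP destinations,
    busiest first. A normal admin touches a few hosts; a worm touches dozens."""
    flagged = []
    for src, targets in rdp_fanout(lines).items():
        n_int, n_ext = len(targets["internal"]), len(targets["external"])
        if n_int + n_ext >= threshold:
            flagged.append((src, n_int, n_ext))
    flagged.sort(key=lambda r: -(r[1] + r[2]))
    return flagged


def constructed_sample_flows():
    """Constructed sample traffic: one Internet sweeper, one lateral sweeper,
    and one admin doing ordinary work. Addresses are documentation ranges."""
    lines = []
    # Host .50 sweeps 30 external addresses on 3389 within seconds (worm-like).
    for i in range(30):
        lines.append(f"2011-09-01T09:00:{i:02d} 192.168.1.50 {49152 + i} 203.0.113.{i + 1} 3389 tcp")
    # Host .51 probes 12 internal neighbours on 3389 (lateral movement).
    for i in range(12):
        lines.append(f"2011-09-01T09:01:{i:02d} 192.168.1.51 {49152 + i} 192.168.1.{100 + i} 3389 tcp")
    # Host .20 is an admin: two legitimate RDP sessions plus some HTTPS browsing.
    lines.append("2011-09-01T09:02:00 192.168.1.20 50000 192.168.1.10 3389 tcp")
    lines.append("2011-09-01T09:02:30 192.168.1.20 50001 192.168.1.11 3389 tcp")
    lines.append("2011-09-01T09:02:45 192.168.1.20 50002 198.51.100.7 443 tcp")
    return lines


if __name__ == "__main__":
    for src, n_int, n_ext in flag_rdp_scanners(constructed_sample_flows()):
        print(f"{src}: {n_int} internal + {n_ext} external RDP targets")
```

Run against real flow or firewall logs, the same counting isolates the infected machines long before any host-based scanner admits there is a problem, which is exactly the gap this incident exposed: the signal was in the network traffic, not on the disks.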

Day 5 and we finally lined up all the ducks. We identified the massive internal network traffic as RDP related and found a Google report that suggested this might be a Morto infection.

Removal of Morto was much harder than the average bear can handle. Since no Windows-based tool could be used (a smart worm, that Morto), we created a boot CD (one that could start and run a separate operating system from the computer’s CD) that contained a detection and removal program that was current enough to find and destroy the newly minted Morto. This only worked because Morto had not had the chance to modify the operating system on the CD.

With a little geek magic creating the CD and a scan of one of the infected machines, we finally confronted Morto in her own environment. She gave up with no fight and no permanent damage to the formerly infected computers. A lady to the end, this was a business relationship, there was no need to be vindictive.

At the end of day 5 we were finally Morto free. It was a long, frustrating 5 days with several lessons learned along the way:

• We were sloppy with the test computer that brought Morto into our world.

• We spent too much time examining our Internet connection for the problem when we should have looked inward at the same time.

• We initially assumed no virus or malware would ever be good enough to avoid the detection of some of the best removal software in the industry.

We are much smarter now, better protected and our focus will be a lot broader the next time we get hit (there will always be a next time). Having survived this ordeal, I make the offer to provide free email advice to anyone who finds themselves in this same position. We humans need to hang together – it’s a mean cyber world out there.

One more thing, a recent report from Symantec indicates that 25% of all computer systems could harbor invisible (and perhaps virtually undetectable) malware. You might want to think about this. Morto or one of her cousins might be hanging out at your place.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.