Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Microsoft Windows Worm Abuses Weak Password Practices

A new worm targeting Microsoft Windows is squiggling its way around computer networks courtesy of weak passwords.

Dubbed Morto, the worm doesn’t use a vulnerability, but instead propagates by compromising Remote Desktop connections on a network through brute forcing attacks. So far, the overall number of detections is relatively low – researchers at F-Secure put the number in the thousands – but reports of increased traffic on port 3389 prompted Microsoft to issue an advisory about the worm Aug. 28.

A new worm targeting Microsoft Windows is squiggling its way around computer networks courtesy of weak passwords.

Dubbed Morto, the worm doesn’t use a vulnerability, but instead propagates by compromising Remote Desktop connections on a network through brute forcing attacks. So far, the overall number of detections is relatively low – researchers at F-Secure put the number in the thousands – but reports of increased traffic on port 3389 prompted Microsoft to issue an advisory about the worm Aug. 28.

“Once a new system is compromised, it connects to a remote server in order to download additional information and update its components,” blogged Hil Gradascevic, a researcher with Microsoft’s Malware Protection Center. “It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process.”

While 74 percent of the computers known to be affected are running Windows XP, infections have also been found on Windows Vista, Windows 7 and Windows Server 2003 and 2008.

In a separate blog post, Microsoft’s Holly Stewart and Matt McCormack noted Morto attempts to compromise more than just the ‘Administrator’ account when brute forcing RDP connections with a dictionary attack. It also tests the affected machine’s Internet connectivity by attempting to connect to IP 74.125.71.104, an IP owned by a legitimate corporation and believed to be unrelated to malware. If unsuccessful, it then cycles through IP addresses on the affected computer’s subnet and attempts to connect to targeted hosts using various usernames such as “admin” or “backup.”

Mikko Hypponen, chief research officer at F-Secure, told SecurityWeek that companies looking to protect themselves should make sure their RDP servers are not exposed to public networks by accident. The next step is to ensure strong passwords are being used that can’t be cracked by a wordlist or reasonable brute force attack, he added.

Marc Maiffret, CTO of eEye, described the worm as reminiscent of older worms such as Slammer and CodeRed, and contended that if “there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet.”

“You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely,” he advised.

More technical details on the worm can be found here.

Related Resource: A Practical Approach to Authentication in an Evolving Enterprise Environment

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.