Morto worm spreads via RDP, brute-forces Administrator accounts

There’s a new worm in town and it’s the first one that spreads by taking advantage of the Remote Desktop Protocol (RDP).

“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled,” explains F-Secure. “This creates a lot of traffic for port 3389/TCP, which is the RDP port.”

When such a machine is found, the worm proceeds to try to brute-force its way to an Administrator account. It tries around thirty most often used passwords (admin, password, 111111, 12345, and similar).

“Once a new system is compromised, it connects to a remote server in order to download additional information and update its components,” warns Microsoft. “It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted.”

According to Microsoft’s analysis, Morto’s main functionality seems to be launching DDoS attacks against attacker-specified targets.

Morto is capable of infecting both Windows workstations and servers. According to some comments by infected users, it seems that running a completely patched system doesn’t do much for protecting it, as the worm does not exploit a vulnerability in the software, but the unfortunate user tendency of choosing a poor password.

As a number of Morto variants have been spotted already, and the number of infected hosts is rising, users are advised to either change the password for the Administrator account to something much more complex, or to disable their Remote Desktop Connection if it’s not needed.

Don't miss