In association with heise online

29 August 2011, 13:27

Worm spreads via Windows Remote Desktop

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Botnet icon

Anti-virus software vendor F-Secure is warning of a piece of malware by the name of Morto, which spreads using Windows' Remote Desktop Server (RDP server). It does not exploit a Windows security vulnerability; instead, it scans IP address ranges for RDP port 3389 and then tries to log in as an administrator to any computers which respond using a list of common passwords.

The worm primarily infects Windows servers, where RDP is frequently activated and accessible via the web to allow remote maintenance. On non-server versions of Windows, RDP server is only included in higher priced versions (Professional and up, under Windows 7) and is deactivated by default. In such a case the port is only accessible from the web if port forwarding has been specifically set up for this port on the router. If port forwarding is not set up, a system will only be accessible from other infected computers on the network.

To infiltrate a system permanently, the worm creates an A:\ drive, which can then be addressed as a network share via RDP. It then saves a file a.dll to the network share; this file then initiates the infection. The worm then goes on to create more files including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.

Once installed on a newly infected computer, the worm sets about spreading further – as a result of which the Internet Storm Center has observed a huge spike in RDP port traffic. The malware is also able to perform standard bot functions – it contacts a series of domains to obtain new commands and components. Microsoft has published a detailed analysis of Morto.

Morto was first spotted in the middle of last week. Microsoft's Technet forum saw a cluster of reports of fully patched systems generating unusually high levels of traffic on port 3389. At that point, Morto was not yet detected by any anti-virus software packages.

Morto is now detected by Microsoft and F-Secure products, with other major vendors likely to follow suit. To prevent the bot from logging onto their systems, users should protect their computers by not using easy to guess passwords.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit