
New Windows Worm Exploits IT Sloppiness

Silly or not, the Morto worm has caused a good bit of mischief.

Microsoft Corp.'s Remote Desktop Protocol (RDP) has had its share of security vulnerabilities since it first debuted almost 12 years ago, but it's never seen the likes of Morto. Neither, for that matter, has the security industry, which has only just come to grips with an unconventional attack that at least one expert dismissed as "silly." Silly or not, Morto has caused a good bit of mischief.

Morto is the name of a new RDP-specific worm that's caused an uptick in RDP-related traffic and (in several thousand cases) has successfully compromised Windows systems.

What's more, Morto doesn't target flaws in RDP or in Microsoft's RDP-ready operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. No, Morto's success is due largely to sloppiness on the part of IT.

The Morto worm scans for Windows systems listening on the default RDP port (3389) and cycles through common username and password combinations in an attempt to log on.

In other words, if Morto successfully logs on as "Administrator" -- which is precisely what it tries to do -- it gains the keys to the kingdom.

According to Microsoft, Morto has spread to both consumer and enterprise systems in 87 countries. It first came to the attention of security researchers in early August, when the SANS Institute's Internet Storm Center (ISC) alerted security watchers to a jump in RDP-related requests. Through most of July, SANS had been logging between 500 and 1,000 sources scanning for RDP ports on a daily basis; on July 29, the number shot up to 3,500.

By late August, SANS was logging between 25,000 and 35,000 sources scanning as many as 110,000 targets every day.

Microsoft, for its part, says it has detected Morto on about 1,000 unique computers -- far fewer than the tallies it cites for threats such as Sality or IRCbot.

Security specialist F-Secure was the first of the big security vendors to publish information on Morto. In a late-August posting on F-Secure's "News from the Lab" blog, at about the same time that SANS was logging an outright explosion in RDP-related traffic, F-Secure's Mikko Hypponen fingered the culprit: Morto, which he said uses "a new spreading vector that we haven't seen before: RDP."

When Morto compromises a system, it downloads updates and instructions from a remote server. According to a posting on Microsoft's Malware Protection Center (MMPC) blog, Morto "also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted."

The MMPC says that Morto disproportionately affects Windows XP hosts, and Windows XP systems account for the overwhelming majority (almost three-quarters) of infected systems.

Over the last few weeks, however, Morto has successfully compromised Windows 7 (about 14 percent of all detections), Windows 2008 (about 2 percent), Windows Vista (2 percent), and Windows Server 2003 (8 percent) systems, too.

Because of the way RDP is implemented in both Windows XP and Windows Server 2003, both platforms are vulnerable to man-in-the-middle attacks. Although this is less of a concern internally, on a private, non-routable internetwork, it's a much bigger issue externally, on the public Internet.

For this reason, Microsoft recommended that Windows XP and Windows Server 2003 customers only use RDP in conjunction with VPN software.

The version of RDP that ships with Windows Vista, Windows Server 2008, and Windows 7 has thus far proved resistant to man-in-the-middle attacks.

Morto's success has nothing to do with a flaw -- endogenous or otherwise -- in Microsoft's RDP implementation. Nor does it involve an as-yet-unpatched RDP vulnerability. There's a sense that Morto's notoriety is ridiculous. Its attack uses a single username -- "Administrator" -- and a list of 30 common passwords, including "admin," "administrator," and the aptly-descriptive "letmein."

For this and other reasons, Marc Maiffret, chief technology officer (CTO) with eEye Digital Security, calls Morto "silly." In a blog post entitled "1999 Called, It Wants Its Morto Worm Back," Maiffret said that Morto reminds him of automated worms like CodeRed, SQL Slammer, Sasser, and Blaster -- with a key difference.

"[A]t least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying [approximately] 30 common passwords for the Windows Administrator account over RDP," wrote Maiffret, who co-discovered the original "Code Red" worm over a decade ago.

Maiffret and other experts stress that Morto's potential impact could be lessened -- if not completely blunted -- if shops simply followed common security best practices, such as changing or disabling the Windows "Administrator" username, not exposing port 3389 -- the default RDP port -- to Internet traffic, and, perhaps most important of all, enforcing strong password requirements.

"This particular worm highlights the importance of setting strong system passwords. Using strong passwords can go a long way towards protecting your environment -- and the ability of attackers to exploit weak passwords shouldn't be underestimated," wrote Hil Gradascevic on Microsoft's Malware Protection Center (MMPC) blog.
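Detection logic for the behaviour described above, as an added example that is not part of the original article: it walks a few constructed log lines modelled on Windows Security logon events (4625 failed, 4624 succeeded, logon type 10 for RDP) and flags a source that fails repeatedly against one account inside a short window and then gets in. The line format, sample addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# In Windows Security logs, logon type 10 (RemoteInteractive) is an RDP logon;
# event 4625 is a failed logon and 4624 a successful one.
RDP_LOGON_TYPE, FAILED_LOGON, SUCCESS_LOGON = "10", "4625", "4624"

# Constructed sample lines modelled on those event fields, not real log data:
# 203.0.113.7 guesses the Administrator password repeatedly and then gets in;
# the 192.0.2.5 line is a network (type 3) logon and the jsmith line is noise.
SAMPLE_LOG = """\
2011-08-28T03:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:14:09 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:14:20 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:14:31 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=192.0.2.5
2011-08-28T03:14:44 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:15:02 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9
2011-08-28T03:15:10 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:15:33 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2011-08-28T03:15:50 EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def find_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(ip, user): {"failures": n, "success_after": bool}} for sources
    with >= threshold failed RDP logons against one account within window."""
    recent = defaultdict(deque)  # (ip, user) -> failure timestamps in window
    alerts = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["lt"] != RDP_LOGON_TYPE:
            continue  # skip unparsable lines and non-RDP logon types
        ts, key = datetime.fromisoformat(m["ts"]), (m["ip"], m["user"])
        if m["eid"] == FAILED_LOGON:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = alerts.setdefault(key, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif m["eid"] == SUCCESS_LOGON and key in alerts:
            alerts[key]["success_after"] = True  # guessed password worked
    return alerts

if __name__ == "__main__":
    for (ip, user), hit in find_rdp_guessing(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {hit['failures']} failures, got in: {hit['success_after']}")
```

The same counting applied to real 4625/4624 events would show the single-account, many-password pattern the article describes, and the `success_after` flag is the case worth paging on.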
