RDP Windows worm spreads by attacking weak passwords

Microsoft brought to light today a new Windows worm, dubbed Morto, that has been making its way though company networks by taking advantage of weak passwords. Morto has been circulating the internet for a week now and was caught when sysadmins noticed large numbers of unexplained connections to the internet.

“Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable,” Microsoft Malware Protection Center (MMPC) stated.

Morto, being ever so clever, spreads using the Remote Desktop Protocol (RDP). Since Remote Desktop Connection (RDC) requires a username/password to log into a remote computer while running Windows XP, Vista, or 7, Morto scans the network that has RDC enabled and attempts to connect to those systems using a list of commonly used passwords. Once Morto is able to log in, the worm will download additional malware components to the victimized computer and disables security software so it can remain hidden.

Morto’s purpose? Possibly to dish out denial of service attacks against hacker-designated targets. At least, that’s what Microsoft thinks.

One way to find out if you have been infiltrated is by checking your TCP port 3389, as this port is used by a Remote Desktop server monitor for incoming access requests.

“Every 10 min. or so, a flood of TCP 3389 connection attempts out to seemingly random IP addresses. Our firewall is blocking it from getting out and it keeps trying,” a user stated in a Microsoft support forum.

“This particular worm highlights the importance of setting strong system passwords. The ability of attackers to exploit weak passwords shouldn’t be underestimated,” Microsoft stated. Morto utilizes weak passwords such as “qwerty” and “abc123.”

Microsoft recently patched RDP in this month’s Patch Tuesday, but Morto does not exploit that particular vulnerability.