Security companies have discovered a new worm that tries to hijack poorly-secured servers by using RDP connections from PCs on the same network to harvest their logins.
Dubbed ‘Morto’ by Microsoft (Sophos: Troj/Agent-TEE), the worm displays a disarming mixture of sophistication and directness in its search for server prey.
Once it has loaded itself as a hard-to-detect service inside the Windows svchost.exe process, the malware opens Remote Desktop Protocol (RDP) connections on port 3389: Morto cycles through the IP addresses it detects on any reachable subnet and tries to log in using a simple dictionary list of candidate passwords.
These include obvious variants on ‘admin’, but also common first names, ‘guest’, ‘root’, ‘console’, various trivial number sequences and the old favourite ‘password’.
If it gets lucky with a server, it copies itself to the victim system and tries to elevate its own process to gain Administrator control before downloading further components.
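A defender-side illustration, added here and not part of the original article: a small Python script that scans Windows Security log lines for the pattern the worm's dictionary attack leaves behind, a burst of failed RDP logons (event 4625, logon type 10) from one source against several hosts within a few minutes, and notes whether a successful RDP logon (event 4624) from the same source followed. The one-line log format, IP addresses, hostnames and usernames are constructed for the example; a real export would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (simplified Security log export): 4625 = failed logon, 4624 = success, LogonType 10 = RDP.
SAMPLE_LOG = """\
2011-08-28T02:14:01 EventID=4625 LogonType=10 User=admin Src=10.0.0.55 Host=SRV01
2011-08-28T02:14:02 EventID=4625 LogonType=10 User=admin1 Src=10.0.0.55 Host=SRV01
2011-08-28T02:14:03 EventID=4625 LogonType=10 User=administrator Src=10.0.0.55 Host=SRV01
2011-08-28T02:14:04 EventID=4625 LogonType=10 User=guest Src=10.0.0.55 Host=SRV02
2011-08-28T02:14:05 EventID=4625 LogonType=10 User=root Src=10.0.0.55 Host=SRV02
2011-08-28T02:14:06 EventID=4624 LogonType=10 User=administrator Src=10.0.0.55 Host=SRV02
2011-08-28T02:20:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.77 Host=SRV01
2011-08-28T02:30:00 EventID=4625 LogonType=3 User=svc_backup Src=10.0.0.55 Host=SRV03
"""
LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+) Host=(?P<host>\S+)")

def parse(log_text):
    events = []
    for m in (LINE_RE.match(line) for line in log_text.splitlines()):
        if m:                                    # lines in another format are skipped
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def find_rdp_spray(events, window=timedelta(minutes=5), min_failures=4):
    """Flag sources with >= min_failures RDP failures inside `window`; record a following RDP success."""
    by_src = defaultdict(list)
    for e in events:
        if e["lt"] == "10":                      # RDP (RemoteInteractive) logons only
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == "4625"]
        for i, first in enumerate(fails):        # sliding window over the failures
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= min_failures:
                last = burst[-1]["ts"]
                hits[src] = {
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "hosts": sorted({e["host"] for e in burst}),
                    "success_after": any(e["eid"] == "4624" and e["ts"] >= last for e in evs),
                }
                break
    return hits
```

The `success_after` flag is the one to treat as an incident rather than noise: a guessed password followed by a session is exactly the foothold the worm needs before it copies itself over.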
As Microsoft’s researchers point out, Morto needs no software exploit to do its job, only weak passwords of the sort that plague even well-defended networks, which are full of more devices than the teams looking after them can sometimes manage.
Morto appears to be designed to launch DDoS attacks - with potentially high bandwidth at their disposal, servers are highly prized for such an application, even though they are harder to infect than mere PCs.
The malware does have one weakness in the way it attacks systems, namely that it attempts to close down a range of common antivirus programmes. Although this sounds like a good tactic, most of these are designed to resist such simple interference and attacking them in this way could just as easily bring Morto’s existence to the attention of a PC user.
Currently, Morto has only been detected on a few thousand systems in recent days, mostly those running Windows XP, but low-level attacks on high-value targets could be part of its modus operandi.
Microsoft defence advice for enterprise users will not come as a surprise: “We also encourage enterprise users in particular to enforce both strong passwords and regular password changes via policy.”