New Worm / Virus spreads via RDP!

I just read about this virus that uses RDP to spread itself. Not shocking but disturbing definitely. Let’s see how it works and how you can protect your machines.

According to F-secure this worm called ‘Morto’ uses RDP to spread itself and it is in the wild.  Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port. When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Monto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including \windows\system32\sens32.dll and  \windows\offline web pages\cache.txt.  Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

Actually we are in luck because the dictionary is very small. The worm author could even resort to more brute force style attacking as I have written about in the past: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/brute-force-hacking-terminal-server-environments.html

So what can you do? The article I mentioned before has that information but considering that a work like this probably is built for consumer environments here is my quicklist:

• Rename administrator account
• Disable administrator
• Set an account lockout policy
• Set a VERY complex password (this worm might set a trend and bigger dictionaries might be included in other variants)
• Change the RDP port to something other than 3389
• Disable client drive mapping (although the worm could theoretically re-enable it or could use another means)

Can you imagine if this virus comes into an enterprise environment? It could then scan all machines for RDP. Unfortunately vmsprawl might have lead to the fact that there are dozens of machines on the network all with RDP enabled. I guess the good thing is that RDP is disabled by default and that in Windows 7 the administrator account is disabled by default.

Let’s hope this worm does not prove to be a popular one, so RDP does not become a common vector.

Thanks go to @RemkoWeijnen for the tip.

Here is Microsoft’s analysis: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

See how the worm is spreading by looking at the increase in RDP (3389) port scans: https://isc.sans.edu/port.html?port=3389