Windows Remote Desktop worm "Morto" spreading

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
F-Secure said:
We don't see that many internet worms these days. It's mostly just bots and trojans. But we just found a new internet worm, and it's spreading in the wild.

The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.

RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.

(Image: rdp1.png)

When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.

(Image: rdp2.png)

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

Code:
 admin
 password
 server
 test
 user
 pass
 letmein
 1234qwer
 1q2w3e
 1qaz2wsx
 aaa
 abc123
 abcd1234
 admin123
 111
 123
 369
 1111
 12345
 111111
 123123
 123321
 123456
 654321
 666666
 888888
 1234567
 12345678
 123456789
 1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system, including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt


Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net

Read more.....
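The F-Secure write-up says the scanning phase shows up as a burst of 3389/TCP traffic from the infected host to many neighbours. The script below is an added example (not F-Secure's or MalwareTips' code) that flags that pattern in connection logs: any source that reaches five or more distinct hosts on 3389 within a 60-second window. The log layout ("timestamp action proto src dst dport") and the sample lines are constructed for the example.

```python
"""Flag Morto-style RDP scanning in connection logs (added example, not F-Secure's code).
A single source reaching many distinct hosts on 3389/TCP in a short window is the signal."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample log ("timestamp action proto src dst dport"); not real Morto traffic.
SAMPLE_LOG = """\
2011-08-28 10:00:00 ALLOW TCP 10.0.0.5 10.0.0.10 3389
2011-08-28 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.11 3389
2011-08-28 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.12 3389
2011-08-28 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.13 3389
2011-08-28 10:00:04 ALLOW TCP 10.0.0.5 10.0.0.14 3389
2011-08-28 10:00:05 ALLOW TCP 10.0.0.5 10.0.0.15 3389
2011-08-28 10:00:30 ALLOW TCP 10.0.0.7 10.0.0.10 3389
2011-08-28 10:00:31 ALLOW TCP 10.0.0.7 10.0.0.10 3389
2011-08-28 10:00:32 ALLOW TCP 10.0.0.7 10.0.0.12 445
2011-08-28 10:01:00 ALLOW TCP 10.0.0.9 10.0.0.20 3389
2011-08-28 10:03:00 ALLOW TCP 10.0.0.9 10.0.0.21 3389
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ TCP "
                     r"(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")

def parse_rdp_events(log_text):
    """Return {src: [(timestamp, dst), ...]} for connections to the RDP port only."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != RDP_PORT:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["src"]].append((ts, m["dst"]))
    return events

def find_rdp_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Sources that contact >= min_targets distinct hosts on 3389 within one window."""
    scanners = {}
    for src, evts in parse_rdp_events(log_text).items():
        evts.sort()  # the sliding window needs chronological order
        for i, (start, _) in enumerate(evts):
            targets = {dst for ts, dst in evts[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)  # distinct hosts in the first window that trips
                break
    return scanners
```

A legitimate admin repeatedly connecting to one server (10.0.0.7 in the sample) is not flagged, because the count is of distinct destinations, not of connections.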
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Yes, it's a relatively new worm. You also need to be careful when using a remote desktop connection, because you might get infected by an unknown connection.
 
Deleted member 178

Interesting vector, I'm sure many networks will be infected by it.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
umbrapolaris said:
Interesting vector, I'm sure many networks will be infected by it.
It's really easy to prevent infection because this worm uses brute force.
If you have a strong password there is no chance on earth you could be a victim of this worm.
What responsible network administrator uses these passwords??? The only one that is missing is qwerty :p

Code:
admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890
 
Deleted member 178

Jack said:
What responsible network administrator uses these passwords??? The only one that is missing is qwerty :p

Unfortunately more than you can imagine... believe me...
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Symantec said:
Morto Likes Playing Games

W32.Morto first made headlines in August because of its capability to spread by Windows Remote Desktop Protocol (RDP). The worm was unique because it was the first of its kind to use the protocol. However, this wasn't the only unique aspect of the worm. My colleague, Cathal Mullaney, also discovered that W32.Morto introduced the usage of Domain Name System (DNS) records for communicating commands from the attacker to the worm. We have been monitoring W32.Morto and the commands it has been receiving from the DNS queries since its discovery; however, the downloaded files have not performed any meaningful activities during the three week period.

But now we are finally seeing a change in the updates. This latest update contains the same traits as the original W32.Morto, such as storing encrypted data in the registry and using an identical obfuscation technique. However, it no longer has the RDP propagation mechanism built in. It also does not perform DNS queries to receive commands. The most interesting activity that W32.Morto now performs is that it parses through index pages of an online game site that lists the online status of server emulators of the popular Chinese MMORPG game, ZhuXian. A sample page is shown below. Server emulators are servers run by third parties to provide an arena different from the one provided by the original developer of the game. Once the initial parsing is complete, the worm requests the next page in the parse chain and searches for the Chinese text:

“Please answer the following question”

If this text is found, the worm attempts to search for a submission form on the page. This may be a technique to automatically circumvent Captchas and other anti-automation techniques.
(via Symantec)
 
