Morto worm spreading fast via RDP

By Richi Jennings (@richi ) - August 29, 2011.

A new and virulent worm, dubbed Morto, has raised its ugly head on the Internet. It's spreading quickly, through the Microsoft Windows Remote Desktop Protocol (RDP). Thought the days of worms such as Blaster and Code Red were long gone? Think again. In IT Blogwatch, bloggers get all nostalgic.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A single-button game called CANABALT...

Dennis Fisher reports:

The worm is generating a large amount of outbound RDP traffic...is capable of compromising both servers and workstations...is infecting machines that are completely patched.

...

[There's been] a huge spike in RDP scans in the last few days, as infected systems have been scanning...for open RDP services. ... Once it's...found another PC to infect, it starts trying a long list of possible passwords for the RDP service.   
M0RE

    Richard Chirgwin adds:

Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files.

...

Since worms have become something of an anachronism...[you might be] asking the question “why bother?”   
M0RE

And F-Secure's Mikko Hypponen can spell "RDP":

RDP stands for Remote Desktop Protocol. ... Once you enable a computer for remote use, you can use any other computer to access it.

...

Once a machine gets infected, the Morto worm starts scanning...[which] creates a lot of traffic for port 3389/TCP...the RDP port.

...

The infection will create several new files...including \windows\system32\sens32.dll and

\windows\offline web pages\cache.txt.   
M0RE

  Meanwhile, Microsoft's Matt McCormack muddles through:

It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network. ... [It] consists of...an executable dropper...and a DLL component which performs the payload.

...

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components: 210.3.38.820 74.125.71.104 jifr.info jifr.co.cc jifr.co.be qfsl.net qfsl.co.cc qfsl.co.be

...

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.   
M0RE

  But this Anonymous Coward has been battling Morto for ten days already, and reports that there seems to be a zero-day RDP vulnerability:

1000s of connection attempts were nailing the firewall...and the arp caches of the network switches...I could see [them] turned into hubs...because the MAC tables couldn't keep up.

...

[One] machine had 63 malware programs on it. ... The infections are entirely not due to bad passwords...you can get randomly hit, with an exploit vector as well. ... [M]achines with passwords that were ludicrously complex were also getting infected.   
M0RE

   And Finally...
CANABALT: Outrun the demolition of your city with just one button
  
 
Don't miss out on IT Blogwatch:

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

Join the discussion
Be the first to comment on this article. Our Commenting Policies