A daily digest of IT news, curated from blogs, forums and news sites around the web each morning. We highlight the key commentary and demystify the real story.
A new and virulent worm, dubbed Morto, has raised its ugly head on the Internet. It's spreading quickly, through the Microsoft Windows Remote Desktop Protocol (RDP). Thought the days of worms such as Blaster and Code Red were long gone? Think again. In IT Blogwatch, bloggers get all nostalgic.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A single-button game called CANABALT...
Dennis Fisher reports:
The worm is generating a large amount of outbound RDP traffic...is capable of compromising both servers and workstations...is infecting machines that are completely patched.
...
[There's been] a huge spike in RDP scans in the last few days, as infected systems have been scanning...for open RDP services. ... Once it's...found another PC to infect, it starts trying a long list of possible passwords for the RDP service.
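The scanning behaviour Fisher describes (one infected host fanning out to many others on 3389/TCP) is easy to spot in a firewall or flow log if you count distinct RDP destinations per source over a short window. The following is an added example written for this digest, not code from any of the quoted authors; the log format and every address in it are constructed for illustration.

```python
"""Flag internal hosts whose outbound RDP traffic looks like worm scanning.

Added example (not from the original post). The log line format
(ts src= dst= dport= proto= action=) and all addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 touches eight distinct hosts on 3389/TCP
# within a few seconds (scan-like); 10.0.0.9 makes two normal admin
# connections minutes apart; one non-RDP line and one garbage line are
# included so the parser has something to ignore.
SAMPLE_LOG = """\
2011-08-28T09:00:01 src=10.0.0.5 dst=10.0.1.1 dport=3389 proto=tcp action=deny
2011-08-28T09:00:02 src=10.0.0.5 dst=10.0.1.2 dport=3389 proto=tcp action=deny
2011-08-28T09:00:02 src=10.0.0.5 dst=10.0.1.3 dport=3389 proto=tcp action=allow
2011-08-28T09:00:03 src=10.0.0.5 dst=10.0.1.4 dport=3389 proto=tcp action=deny
2011-08-28T09:00:04 src=10.0.0.5 dst=10.0.1.5 dport=3389 proto=tcp action=deny
2011-08-28T09:00:05 src=10.0.0.5 dst=10.0.1.6 dport=3389 proto=tcp action=deny
2011-08-28T09:00:06 src=10.0.0.5 dst=10.0.1.7 dport=3389 proto=tcp action=allow
2011-08-28T09:00:08 src=10.0.0.5 dst=10.0.1.8 dport=3389 proto=tcp action=deny
2011-08-28T09:00:09 src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow
2011-08-28T09:00:10 src=10.0.0.9 dst=10.0.1.20 dport=3389 proto=tcp action=allow
2011-08-28T09:05:00 src=10.0.0.9 dst=10.0.1.21 dport=3389 proto=tcp action=allow
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def rdp_scanners(lines, window_seconds=60, min_targets=5):
    """Map each source to the largest number of distinct RDP destinations it
    contacted inside any sliding window, keeping only sources at or above
    min_targets. Denied connections count too: a scan mostly produces denies.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 3389:
            continue
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()
        best = 0
        for ts, dst in events:
            recent.append((ts, dst))
            # Drop events that fell out of the window ending at ts.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            best = max(best, len({d for _, d in recent}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in rdp_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct RDP targets within 60s")
```

Fan-out (distinct destinations) is the signal here, not volume: a single admin hammering one server shows up as one destination and is not flagged, while a worm probing a subnet crosses the threshold within seconds. Tune `window_seconds` and `min_targets` to your own baseline before alerting on it.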
Richard Chirgwin adds:
Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files.
...
Since worms have become something of an anachronism...[you might be] asking the question why bother?
And F-Secure's Mikko Hypponen can spell "RDP":
RDP stands for Remote Desktop Protocol. ... Once you enable a computer for remote use, you can use any other computer to access it.
...
Once a machine gets infected, the Morto worm starts scanning...[which] creates a lot of traffic for port 3389/TCP...the RDP port.
...
The infection will create several new files...including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.
Meanwhile, Microsoft's Matt McCormack muddles through:
It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network. ... [It] consists of...an executable dropper...and a DLL component which performs the payload.
...
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components: 210.3.38.820, 74.125.71.104, jifr.info, jifr.co.cc, jifr.co.be, qfsl.net, qfsl.co.cc, qfsl.co.be
...
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
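Between them, Hypponen and McCormack list two kinds of indicator a responder can sweep for: file paths dropped on an infected machine and the hostnames the worm reaches out to. The following added example (not from either author) matches those page-quoted indicators against constructed DNS query records and a constructed file listing. Only the six domain names are used as network indicators; the two IP addresses in the quote are left out, since one of them is not a valid IPv4 address as printed and the other is not described on the page.

```python
"""Sweep DNS logs and file listings for the Morto indicators quoted above.

Added example (not from the quoted posts). The DNS log format
(ts client= query=) and the sample clients, queries and file paths are
constructed; the domain names and file paths in the IoC sets are the ones
quoted from Microsoft's and F-Secure's write-ups.
"""
import re

# Network indicators quoted from McCormack's post.
MORTO_DOMAINS = {
    "jifr.info", "jifr.co.cc", "jifr.co.be",
    "qfsl.net", "qfsl.co.cc", "qfsl.co.be",
}
# Host indicators quoted from Hypponen's post (drive letter omitted).
MORTO_FILES = {
    r"\windows\system32\sens32.dll",
    r"\windows\offline web pages\cache.txt",
}

# Constructed sample DNS records: one client resolves two listed domains
# (one of them as a subdomain), another client resolves something benign.
SAMPLE_DNS = """\
2011-08-28T09:01:00 client=10.0.0.5 query=jifr.co.cc.
2011-08-28T09:01:01 client=10.0.0.9 query=www.example.com.
2011-08-28T09:01:02 client=10.0.0.5 query=update.qfsl.net.
2011-08-28T09:01:03 client=10.0.0.9 query=notjifr.info.
"""

# Constructed sample file listing from one host.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\sens32.dll",
    r"C:\Windows\Offline Web Pages\cache.txt",
    r"C:\Users\admin\Desktop\notes.txt",
]

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$")


def normalize_path(path):
    """Lower-case, use backslashes, and strip a leading drive letter so the
    listing can be compared with the drive-less paths from the write-up."""
    p = path.replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def domain_matches(qname, iocs):
    """True if qname equals a listed domain or is a subdomain of one.
    A bare suffix test would wrongly match 'notjifr.info', so the dot is required."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def suspicious_dns(lines, iocs=MORTO_DOMAINS):
    """Return (client, queried name) pairs that hit the indicator list."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and domain_matches(m["qname"], iocs):
            hits.append((m["client"], m["qname"].lower().rstrip(".")))
    return hits


def suspicious_files(paths, iocs=MORTO_FILES):
    """Return the listed paths whose normalized form is an indicator."""
    return sorted(p for p in paths if normalize_path(p) in iocs)


if __name__ == "__main__":
    for client, name in suspicious_dns(SAMPLE_DNS.splitlines()):
        print(f"DNS hit: {client} resolved {name}")
    for path in suspicious_files(SAMPLE_FILES):
        print(f"file hit: {path}")
```

A DNS hit tells you which internal client to pull off the network first; a file hit on a host that has not been otherwise identified is worth a closer look, since the Anonymous Coward's report below suggests relying on password strength alone to rule out infection is not safe. Domain matching is done on exact name or subdomain, never on a plain suffix, so a look-alike such as `notjifr.info` is not counted.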
But this Anonymous Coward has been battling Morto for ten days already, and reports that there seems to be a zero-day RDP vulnerability:
1000s of connection attempts were nailing the firewall...and the arp caches of the network switches...I could see [them] turned into hubs...because the MAC tables couldn't keep up.
...
[One] machine had 63 malware programs on it. ... The infections are entirely not due to bad passwords...you can get randomly hit, with an exploit vector as well. ... [M]achines with passwords that were ludicrously complex were also getting infected.