Detecting worms on your network by focusing on network scans

I am just back from my annual family vacation, and this year we went to Kerry in Southern Ireland. We got lucky with the weather and had a wonderful time. Highlights for me were swimming in the Atlantic on most days and visiting Tom Creans, South Pole Inn. Tom was a famous Antarctic explorer and his is a story that never ceases to amaze me.

I am currently catching up on things and one thing that stands out is the recent discovery of the Morto worm. Over on IT Blogwatch, Richi Jennings has further information on how the Morto worm has been spreading fast. Just like most worms on computer networks, the behavior of Morto can be broken down as follows.

  1. One or more systems are infected by users accessing compromised websites, downloading malware, opening infected email attachments or using storage media containing malware. In some networks a worm can be introduced by users bringing their own devices to work.
  2. The infected system will start scanning the network looking for other systems to infect. Network scanning is where a single host attempts to make connections to other systems on a specific port number. In the case of Morto, this was TCP port 3389 which is used by the Microsoft Windows Remote Desktop Protocol (RDP). If it finds a host listening on this port it then tries a long list of passwords to try and gain access to the system.
  3. Infected machines will then try and connect to external websites and download updates.

You should always make sure that systems on your network are always running the latest patches and updates, have up-to-date antivirus software and run a local firewall. In parallel to this, you should be watching out for any systems scanning your network. This can be easy to setup, you just need to locate your network core and start monitoring network activity via port mirroring or using flow data. Any system that is trying to establish connections to many other systems should be taken off the network and checked.

If you can port mirror your Internet connection before it hits your firewall, you should also check what external clients are scanning for on your network. Most of this should be blocked by your firewall, however it can be useful to check this periodically so that you are aware of what is been searched for.

Finally, if you use port mirroring instead of flow data to monitor your network core, you should also check the traffic for attempts to access specific websites associated with the worm outbreak. This type of monitoring can also help identify other zombie hosts on your network.   


Darragh Delaney is head of technical services at NetFort Technologies.  As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.

Copyright © 2011 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon