The Morto worm that began compromising machines via open RDP services this past weekend is continuing its work, going after workstations and servers and creating large amounts of network traffic from TCP port 3389.
The main attack vector that Morto uses is a large-scale scan for remote machines that have the RDP (Remote Desktop Protocol) exposed to the Internet. Once a target is identified, the worm then tries to brute-force the password on the machine using a list of simple passwords, including:
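The password-guessing activity described above leaves a trail of failed logon events on the targeted host. The following detector, an added example that is not part of the original article, counts failed logons per source address over a sliding time window and flags sources that exceed a threshold. The log lines are constructed for the example (the fields mimic a simplified export of Windows failed-logon events, but the exact format is an assumption) and use documentation-only IP ranges.

```python
"""Sliding-window detector for RDP password-guessing from failed-logon records.

Added example, not code from the original article. Line format is an
assumption: "<ISO timestamp> <event id> <source ip> <account name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (not real log data).
SAMPLE_EVENTS = """\
2011-08-28T03:14:01 4625 198.51.100.7 administrator
2011-08-28T03:14:03 4625 198.51.100.7 admin
2011-08-28T03:14:05 4625 198.51.100.7 user
2011-08-28T03:14:06 4625 203.0.113.20 administrator
2011-08-28T03:14:08 4625 198.51.100.7 test
2011-08-28T03:14:10 4625 198.51.100.7 guest
2011-08-28T03:14:12 4625 198.51.100.7 backup
2011-08-28T03:20:00 4625 192.0.2.5 administrator
2011-08-28T03:29:00 4625 192.0.2.5 administrator
2011-08-28T03:38:00 4625 192.0.2.5 administrator
"""


def parse_event(line):
    """Split one record into (timestamp, event_id, source_ip, account)."""
    ts, event_id, source_ip, account = line.split()
    return datetime.fromisoformat(ts), event_id, source_ip, account


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: peak_failures_in_window} for sources at or above threshold.

    A slow, widely spaced trickle of failures never accumulates inside the
    window, so only bursts like a worm's dictionary run are reported.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    peak = defaultdict(int)       # source_ip -> highest count seen in any window
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, source_ip, _account = parse_event(line)
        if event_id != "4625":     # only failed logons are of interest here
            continue
        q = recent[source_ip]
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        peak[source_ip] = max(peak[source_ip], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()))
```

The single source that fires six attempts within a few seconds is reported; the host that fails once every nine minutes never reaches five attempts inside a two-minute window and stays quiet. In practice the threshold and window should be tuned to the environment, and any hit on an Internet-exposed 3389 listener is a prompt to put that service behind a VPN or gateway rather than just to block one address.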
“Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process,” Hil Gradasevic of the Microsoft Malware Protection Center wrote in an analysis of the Morto infection routine.
Morto also has the ability to launch a DoS attack against a selected target specified by the remote attacker.
The worm uses a simple trick for ensuring that it will remain resident on an infected machine and be able to download and run updated components: it creates a DLL called clb.dll in the Windows directory. That also is the name of a legitimate DLL that is housed in the System directory, but when it searches for a file, Windows will look in the Windows directory for it before it checks the System directory, Microsoft said in its description of the worm.
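The search-order trick described above is easy to check for on a host: any DLL that sits in the Windows directory under the same name as a DLL in the System directory will be picked up first. The script below, an added example rather than anything from the article or from Microsoft, lists such collisions. The directory layout it builds for its own demonstration is constructed test data, and the assumed locations are `C:\Windows` and `C:\Windows\System32`; on a real host you would pass those paths in.

```python
"""Flag DLLs in the Windows directory that shadow a same-named DLL in System32.

Added example, not code from the original article. It models the clb.dll
search-order trick on a constructed directory tree; the Windows paths are
assumptions to be supplied by the operator on a real host.
"""
import tempfile
from pathlib import Path


def find_shadowed_dlls(windows_dir, system_dir):
    """Return names of DLLs in windows_dir that also exist in system_dir.

    Because the Windows directory is searched before the System directory,
    a DLL planted there is loaded instead of the legitimate copy.
    """
    windows_dir, system_dir = Path(windows_dir), Path(system_dir)
    # Case-insensitive index of the System directory (NTFS names are case-insensitive).
    legitimate = {p.name.lower() for p in system_dir.iterdir() if p.is_file()}
    hits = []
    for candidate in windows_dir.iterdir():
        if not candidate.is_file() or candidate.suffix.lower() != ".dll":
            continue
        if candidate.name.lower() in legitimate:
            hits.append(candidate.name)
    return sorted(hits)


def build_constructed_layout(root):
    """Create a throwaway tree mimicking the layout described above (constructed data)."""
    root = Path(root)
    windows_dir = root / "Windows"
    system_dir = windows_dir / "System32"
    system_dir.mkdir(parents=True)
    # Legitimate files that live in the System directory.
    for name in ("clb.dll", "kernel32.dll", "user32.dll"):
        (system_dir / name).write_bytes(b"legitimate")
    # Files in the Windows directory; clb.dll shadows the System copy.
    (windows_dir / "explorer.exe").write_bytes(b"ok")
    (windows_dir / "clb.dll").write_bytes(b"planted")
    return windows_dir, system_dir


def demo():
    """Run the check against the constructed layout and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        windows_dir, system_dir = build_constructed_layout(tmp)
        return find_shadowed_dlls(windows_dir, system_dir)


if __name__ == "__main__":
    print(demo())  # ['clb.dll']
```

A hit is not proof of infection on its own; the next step is to compare the two files (hash, Authenticode signature, timestamps) and to treat an unsigned copy in the Windows directory as the suspect one. The same check generalises to any directory that precedes the System directory in the loader's search order.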
Morto is a fairly simplistic worm, as many other successful worms have been, simply compromising targeted PCs and servers, perhaps downloading a malicious file or two and then scanning for new machines to attack. Many of the large-scale worms from the last 10 years, including Blaster, Code Red and SQL Slammer, wreaked much of their havoc through the generation of huge amounts of network traffic that brought many networks to their knees.
Morto doesn’t appear to be having that kind of widespread effect, but it is still causing trouble for affected organizations. Microsoft’s TechNet user community has a long list of posts on the Morto worm from admins and security people dealing with infections, and while initial indications were that Morto was infecting only Windows Server 2003 or XP machines, some posters say that they’ve seen infections on Windows 7 machines, as well.