New Worm Morto Using RDP to Infect Windows PCs

A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via RDP (Remote Desktop Protocol). The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows.

Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003.

“In a new windows 2003 R2 server, I’m noticing every few minutes, svshost.exe [sic] is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it’s clean. Can it be hacked already??? has anyone seen this before?,” one user asked in Microsoft’s TechNet forum.

On Sunday, the SANS Internet Storm Center reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it’s on a new machine is that it scans the local network for other PCs and servers to infect.

“A few weeks ago a diary posted by Dr. J pointed out a spike in port 3389 traffic. Since then the sources have spiked ten fold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services,” SANS handler Kevin Shortt said in a blog post.

Researchers at F-Secure said that Morto is the first Internet worm to use RDP as an infection vector. Once it’s on a new machine and has successfully found another PC to infect, it starts trying a long list of possible passwords for the RDP service.

“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port,” F-Secure Chief Research Officer Mikko Hypponen said in a blog post.

“Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt. Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.”

It’s been quite a while since there was a large-scale Internet worm attack. Once upon a time, worms such as Blaster, Code Red and SQL Slammer were all the rage and found success clogging networks with enormous amounts of scanning traffic and other activity. But those kinds of events have become an anachronism as attackers have turned their attention to for-profit attacks.

Discussion

  • Anonymous on

\\tsclient\c, \d etc are the connecting CLIENT not the server...

  • Anonymous on

    "Once it's on a new machine and has successfully found another PC to infect, it starts trying a long list of possible passwords for the RDP service."

    So brute force password guessing is the only infection method?

    There is no serious flaw in the M$ RDP server we need to know about?

    Sounds as if picking passwords like: "$Tr{}||GP@$$^^()rd" and not "strongpassword" will protect your server from this worm.

  • Anonymous on

    Obvious vector is obvious:  Weak passwords are weak.

  • Anonymous on

    Anyone using MOAC will have an issue getting in.. I'm a student and I have this problem...

  • Anonymous on

How about a link that would actually be useful to the average reader, like a link to remove the infection..

  • Anonymous on

    Wow, everything old is new again.

    An old fashioned brute force attack against networking protocols.

    I expect M$FT will blame the users as usual, rather than admit that they, yet again, left services on that didn't need to be on.

    2001: IIS Internet Printing

    2011: RDP

    So, Scott Charney: how're you doing on making things more secure by design? Maybe you need to quit trying to get an Obama cabinet position and actually do your damn job.

    Idiot.

  • Anonymous on

    True. U have to enable RDP. The chain is never stronger than the weakest link...

  • Anonymous on

Also so many sys admins leave RDP TCP port 3389 opened on the Internet, usually get a static public IP address and NAT on the router, without restricting who can connect to it. I blame 50 - 50 M$ and lazy sys admins.

  • Anonymous on

    Change the listening port here

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    and notify your customers.

  • Anonymous on

    There's nothing wrong with forwarding port 3389 AS LONG AS YOU HAVE A SECURE PASSWORD. What a bunch of morons. Have secure passwords and be done with it. We learnt this eons ago.

  • Anonymous on

    @jonny

    Perhaps there is some confusion.

    RDP is installed by default, but is not enabled until you actually go to your system properties and select "Allow remote connections..."

    And you're right, nobody would really waste that much time or anger...

  • Onlooker on

Firewall settings under category exceptions on a Desktop invariably being overlooked or ignored by a lazy and lousy Sys. Admin. and not turning OFF even these exceptions on their Laptops/Notebooks, during their "otherwise" busy travel schedules would certainly enable Other Connections to gain access to their machines. So whom to blame, The User OR the Developer who constantly strives to update his design for a safe upkeep of the System?

  • Anonymous on

    Wow. RDP is installed by default but 1. not listening for connections and 2. not open in the windows firewall. Turning it on enables both of these.

    MS has nothing to do with your server admin using "123456789" as a password.

  • NSSi on

    @johnny

    You wrote a lot of text for someone who's wrong and further insulting. RDP access is not allowed by default on a 'genuine Windows XP install', period. 

    You wrote a long, erroneous rant. 

    This post is concerning a brute force cracking attempt by a virus against an option that must be enabled by the user. An out of the box Windows XP installation cannot be compromised. 

  • Cécile on

    hello everyone,

    I don't know nothing about what you're talking about, just trying to protect my PCs.

So from what I understood (which is not much), if I am infected, there should be an a.dll file somewhere in my PC?

    If I can't find it, then I am safe ? ( I did not find any)

    I know this may sound stupid to you but well....I am not a computer person. I am just looking for an easy way to check if I have this problem. If you can also tell me where I should look to check if the remote desktop control is off on Vista, that would be just great.

    Thanks a lot for your understanding and help

  • Magnus on

    @NSSi

One thing that I believe everyone should understand: when you buy a PC or notebook from Lenovo, HP, Dell ...etc that is not an out of the box installation and it does in fact have RDP enabled. If you stick the XP or Win 7 DVD / CD into a brand new PC or Notebook that doesn't have an OS installed on it, RDP is not enabled. I think that is a big concern as well as a lazy sysadmin that doesn't enforce or use strong passwords

  • Anonymous on

    @Jonny - You must be a physician because they are the only people I know arrogant enough to bring their "God Complex" into an IT technical forum. 140 installs? Really? Is that supposed to be impressive? Go to school for a few years, build yourself an IT lab and practice crashing it and bringing it back to the point of crash in an hour or two at least 140 times and then come back and teach your "grandparents" how to suck eggs...

  • Anonymous on

    New Virus Spreading! It infects your computer when you share your SYSTEM directory with everyone group! lol@thisvirus and shame on any admin whose systems get infected.

Now my only worry is that it is smart enough to use cached AD credentials and use them against other machines in a domain? My systems won't be brute forced but if a day0 IE crack gets root on a machine and installs this, is it smart enough to propagate through RDP to machines?

    Sounds like another tool for building a more destructive threat.

  • Silence262 on

    In a completely clean Windows XP installation, Remote Assistance (which uses the RDP protocol) is enabled by default. Remote Desktop is not.

    I have done somewhat more than the required 140 installations of Windows XP.

    Silence

    "Knowledge, sir, should be free to all." - Harry Mudd

  • Anonymous on

    What is a RDP?  Is it a computer?  I have an Apple.

  • Anonymous on

    This is really nothing new...there have been tools to do this for years. Thor made one of the first, someone just made a good password file.

    OMG teh skY is FAlling!!11!

  • Darrin on

    I noticed this brute force attack last week. I just closed the port to save the resources. My password is strong so I had no worries there but many don't have strong passwords. Perhaps this will be a lesson to the lazy admins out there.
