Morto Worm Leaves Windows RDP At Risk
RDP stands for Remote Desktop Protocol. It uses TCP port 3389 and lets a user control the desktop of another computer; RDP is mostly used in organizations and business environments. Recently a new worm, named Morto, has become the cause of a spike in traffic to TCP port 3389 (the port RDP uses), according to a report by F-Secure.
How Does The Morto Worm Work?
The Morto worm starts by infecting a single machine that has Remote Desktop enabled. Once that machine is infected, it scans the network for other computers with Remote Desktop, in technical terms scanning the network for hosts with port 3389 open. Once it finds a target, it tries to connect to those Remote Desktop computers using default RDP passwords. Here is the list of passwords which Morto tries:
As you can see from the above password list, the Morto worm uses a very basic dictionary attack to compromise remote desktops. The worm also creates several new files, including DLL and TXT files. As reported by F-Secure:
The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.
We've seen several different samples. Some MD5 hashes include:
The worm could become far more devastating if brute-forcing support were added, or if a tool like Ncrack were integrated into it. Ncrack is a very powerful RDP cracker, but it is sometimes slow and only works against vulnerable machines.
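A detection heuristic for the scanning behaviour described above, added here as an example and not part of the original post: it parses constructed firewall-style log lines (the line format and the IP addresses are assumptions) and flags any source that reaches many distinct hosts on TCP 3389 within a short window, while a slow, admin-like source touching one host at a time is left alone.

```python
# Added example, not from the original post: flag sources whose RDP traffic
# looks like Morto's network scan (many distinct hosts on 3389 in a short window).
import re
from collections import defaultdict

# Constructed firewall-style lines (assumed format): "<epoch> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
1314000000 10.0.0.5 -> 10.0.0.10:3389 ALLOW
1314000001 10.0.0.5 -> 10.0.0.11:3389 ALLOW
1314000002 10.0.0.5 -> 10.0.0.12:3389 ALLOW
1314000003 10.0.0.5 -> 10.0.0.13:3389 ALLOW
1314000004 10.0.0.5 -> 10.0.0.14:3389 ALLOW
1314000005 10.0.0.5 -> 10.0.0.15:3389 ALLOW
1314000010 10.0.0.7 -> 10.0.0.20:3389 ALLOW
1314000020 10.0.0.7 -> 10.0.0.20:3389 ALLOW
1314000030 10.0.0.7 -> 10.0.0.21:3389 ALLOW
1314000000 10.0.0.9 -> 10.0.0.30:3389 ALLOW
1314003600 10.0.0.9 -> 10.0.0.31:3389 ALLOW
1314007200 10.0.0.9 -> 10.0.0.32:3389 ALLOW
1314010800 10.0.0.9 -> 10.0.0.33:3389 ALLOW
1314014400 10.0.0.9 -> 10.0.0.34:3389 ALLOW
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_line(line):
    """Return (ts, src, dst, port, action), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return int(ts), src, dst, int(port), action

def rdp_scanners(log_text, window_s=60, min_hosts=5, rdp_port=3389):
    """Map src -> total distinct RDP targets for every src that reached at
    least min_hosts distinct hosts on rdp_port within any window_s seconds."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[3] == rdp_port:
            events[ev[1]].append((ev[0], ev[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):  # sliding window over time
            while evs[right][0] - evs[left][0] > window_s:
                left += 1
            if len({dst for _, dst in evs[left:right + 1]}) >= min_hosts:
                flagged[src] = len({dst for _, dst in evs})
                break
    return flagged
```

With the default 60-second window only 10.0.0.5 is reported; widening the window to several hours also catches the slow source 10.0.0.9, which is the trade-off between sensitivity and false positives such a rule carries.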
By now you might have figured out the solution to this problem yourself. If not, it's simple: use strong passwords.