Various Internet security firms report a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems.
First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malicious samples. Morto displays a mixture of sophistication and directness in its search for server prey.
According to multiple reports, Morto infects Windows workstations and servers and spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.
After loading itself as a hard-to-detect service within the Windows svchost.exe, the malware opens a Remote Desktop Protocol (RDP) connection on port 3389. It cycles through IP addresses it detects on any subnets and tries to connect using a simple dictionary list of password possibilities.
Some of the passwords on its list include admin, admin123, user, test, *1234, letmein, password, server and 1234567890, according to an entry on Microsoft's Malware Protection Center (MMPC). Once the worm figures out the weak password, it connects to the remote system and copies itself. Several Morto variants have already been identified.
If the worm gets lucky and guesses a correct password on the server, it then copies itself to the victim system and tries to elevate its own process to gain Administrator control before downloading further components.
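
The spreading behavior described above (one host cycling through subnet addresses on port 3389) can be spotted in connection logs. The following is an added example, not part of the original article or of Microsoft's guidance; the log format, addresses, 60-second window and five-host threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample flow records (not real traffic): "time src dst dport".
SAMPLE_FLOWS = """\
2011-08-28T10:00:01 10.0.0.23 10.0.0.1 3389
2011-08-28T10:00:03 10.0.0.23 10.0.0.2 3389
2011-08-28T10:00:05 10.0.0.23 10.0.0.3 3389
2011-08-28T10:00:05 10.0.0.50 10.0.0.5 3389
2011-08-28T10:00:07 10.0.0.23 10.0.0.4 3389
2011-08-28T10:00:09 10.0.0.23 10.0.0.5 3389
2011-08-28T10:00:11 10.0.0.23 10.0.0.6 3389
2011-08-28T10:00:12 10.0.0.40 10.0.0.8 445
2011-08-28T10:03:00 10.0.0.77 10.0.0.1 3389
2011-08-28T10:08:00 10.0.0.77 10.0.0.2 3389
2011-08-28T10:13:00 10.0.0.77 10.0.0.3 3389
2011-08-28T10:18:00 10.0.0.77 10.0.0.4 3389
2011-08-28T10:23:00 10.0.0.77 10.0.0.5 3389
2011-08-28T10:30:00 10.0.0.50 10.0.0.9 3389
"""


def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_rdp_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Map each source to its peak number of distinct port-3389 destinations
    inside one sliding window, keeping sources that reach min_targets."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still in the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        if dport != RDP_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}


if __name__ == "__main__":
    for src, count in find_rdp_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src} contacted {count} hosts on TCP/{RDP_PORT} within 60 s")
```

In the constructed data only 10.0.0.23 is flagged; the administrator-style host 10.0.0.50 and the slow, spread-out connections from 10.0.0.77 stay under the threshold, which shows why the window and threshold need tuning to the network being monitored.
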
Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.
In its post, Microsoft also advised the use of strong passwords, which should include 14 characters or more and have a variety of letters, punctuation, symbols and numbers.
As Microsoft’s researchers point out, Morto needs no software exploit to perform its job, only weak passwords of the sort that plague even well-defended networks full of more devices than can easily be managed by the teams looking after them.
"This particular worm highlights the importance of setting strong system passwords," said Microsoft's Hil Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."
It is important to remember that this malware does not exploit a vulnerability, but instead relies on weak passwords. River Run encourages our readers to use strong passwords to help protect their systems. We also encourage users to enforce both strong passwords and regular password changes.