News

Morto Worm Attempts To Guess Network Passwords

Microsoft is warning of a new worm that attempts to use Remote Desktop Protocol (RDP) connections from PCs to try to guess simple login and password information of users.

Nicknamed "Morto," the worm is uploaded to a PC when a user uploads a Windows DLL file. It then goes to work, looking for unsophisticated passwords and login credentials by trying a list of the thirty most often used passwords (for example, password, admin, 1111, etc.).

"Once a new system is compromised, it connects to a remote server in order to download additional information and update its components," wrote Microsoft's Hil Gradascevic in a TechNet blog. "It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted."

Security firm F-Secure, which was responsible for alerting Microsoft to this new threat, speculated that the worm's main functionality is to carry out a denial-of-service (DoS) attack against specified targets. The company also pointed out that this worm may be difficult to locate. "As it is the malicious DLL that gets loaded, the regedit command does not show any graphic user interface (GUI) as it normally does," said F-Secure, in a threat bulletin. "It decrypts and loads the encrypted payload saved at HKLM\System\Wpa\md registry value. This is when the payload takes control."

While Microsoft has labeled the alert level of this possible intrusion as "severe," as of Saturday, only a few thousand PCs had been infected by Morto, with 74 percent of recorded infections occurring on Windows XP machines.

The company is recommending users make sure that they use unique passwords that feature both numbers, letters and symbols -- the worm only has a limited amount of simple passwords it scans for.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

comments powered by Disqus

Reader Comments:

Fri, Sep 2, 2011 Roy Adar

I believe that with a few tweaks, this fairly simple brute-force approach can quickly resurface in more targeted attacks. In fact, this attack reminds me of the SQLsnake worm (aka SQLspida) that “brute-forced” its way into SQL Servers that had a blank “sa” password (the previous default password). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” was never changed from manufacturer defaults. One message these attacks reinforce is that if hackers can easily brute-force your privileged passwords, there is nothing to stop them from jumping from desktop, to applications, to your network core. Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your enterprise IT defense strategy. Read more here: http://tinyurl.com/3s64qtj - Roy Adar, Vice President of Product Management, Cyber-Ark Software

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.