Morto Worm Attempts To Guess Network Passwords
Microsoft is warning of a new worm that attempts to use Remote Desktop Protocol (RDP) connections from PCs to try to guess simple login and password information of users.
Nicknamed "Morto," the worm is uploaded to a PC when a user uploads a Windows DLL file. It then goes to work, looking for unsophisticated passwords and login credentials by trying a list of the thirty most often used passwords (for example, password, admin, 1111, etc.).
"Once a new system is compromised, it connects to a remote server in order to download additional information and update its components," wrote Microsoft's Hil Gradascevic in a TechNet blog. "It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted."
Security firm F-Secure, which was responsible for alerting Microsoft to this new threat, speculated that the worm's main functionality is to carry out a denial-of-service (DoS) attack against specified targets. The company also pointed out that this worm may be difficult to locate. "As it is the malicious DLL that gets loaded, the regedit command does not show any graphic user interface (GUI) as it normally does," said F-Secure, in a threat bulletin. "It decrypts and loads the encrypted payload saved at HKLM\System\Wpa\md registry value. This is when the payload takes control."
While Microsoft has labeled the alert level of this possible intrusion as "severe," as of Saturday, only a few thousand PCs had been infected by Morto, with 74 percent of recorded infections occurring on Windows XP machines.
The company is recommending users make sure that they use unique passwords that feature both numbers, letters and symbols -- the worm only has a limited amount of simple passwords it scans for.