New Worm Circulates by RDP Brute Force
F-Secure security researchers are warning about a new computer worm, "Morto", which spreads by brute-forcing connections over the Remote Desktop Protocol (RDP), as reported by Softpedia on August 29, 2011.
Morto attacks both Windows workstations and servers, and its use of RDP as a spreading vector was described as one never seen before.
F-Secure says the worm is behind a spike in traffic on port 3389/TCP. Once inside a network, the worm scans for machines that have RDP enabled. When it finds a Remote Desktop server, it attempts to log in as Administrator using a list of hard-coded passwords.
According to F-Secure, once a user is connected to a remote system over RDP, drives are shared between the two systems through Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D: respectively. Morto uses this feature to copy itself to the target system: it creates a temporary drive under the letter A: and copies a file called a.dll to it.
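The behaviour described above (a burst of failed Administrator logons over RDP from one source, followed by a success once a hard-coded password matches) is something a defender can look for directly in the Windows Security log. The following Python script is an added example, not code from the article, F-Secure or SANS: it runs a sliding-window check over logon events, keyed by source address and target account, and notes whether a later RDP logon from the same source succeeded. Event IDs 4625/4624 and logon type 10 are real Windows Security log values; the event records, addresses and timestamps are constructed for the example, and the field layout is an assumption standing in for whatever your log export produces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security log values (the sample records below are constructed).
EVENT_FAILED_LOGON = 4625
EVENT_LOGON = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP / Terminal Services sessions

# Constructed sample events: (timestamp, event id, logon type, target user, source IP).
SAMPLE_EVENTS = [
    # Burst of failed Administrator logons over RDP from one host, then a success:
    # the password-list pattern the article attributes to Morto.
    ("2011-08-28T02:14:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:02", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:03", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:04", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:05", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:06", 4625, 10, "Administrator", "203.0.113.7"),
    ("2011-08-28T02:14:09", 4624, 10, "Administrator", "203.0.113.7"),
    # A slow guesser: five failures spread ten minutes apart.
    ("2011-08-28T02:00:00", 4625, 10, "Administrator", "198.51.100.9"),
    ("2011-08-28T02:10:00", 4625, 10, "Administrator", "198.51.100.9"),
    ("2011-08-28T02:20:00", 4625, 10, "Administrator", "198.51.100.9"),
    ("2011-08-28T02:30:00", 4625, 10, "Administrator", "198.51.100.9"),
    ("2011-08-28T02:40:00", 4625, 10, "Administrator", "198.51.100.9"),
    # Benign noise: a single user typo, and a network (type 3) logon failure that is not RDP.
    ("2011-08-28T02:31:00", 4625, 10, "alice", "192.0.2.5"),
    ("2011-08-28T02:32:00", 4625, 3, "Administrator", "192.0.2.5"),
]


def parse_events(rows):
    """Convert raw tuples into time-ordered events with datetime timestamps."""
    events = [(datetime.fromisoformat(ts), eid, lt, user, ip) for ts, eid, lt, user, ip in rows]
    return sorted(events, key=lambda e: e[0])


def find_rdp_bruteforce(rows, threshold=5, window_minutes=5):
    """Return one alert per (source IP, target user) whose RDP logon failures reach
    `threshold` within a sliding window of `window_minutes`. Each alert carries the
    total failures seen from the moment it fired and whether an RDP logon from the
    same source later succeeded, i.e. whether the guessing appears to have worked."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (ip, user) -> timestamps of failures inside the window
    alerts = {}                   # (ip, user) -> alert record
    for ts, event_id, logon_type, user, ip in parse_events(rows):
        if logon_type != LOGON_TYPE_REMOTE_INTERACTIVE:
            continue              # only RDP sessions matter for this check
        key = (ip, user)
        if event_id == EVENT_FAILED_LOGON:
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if key in alerts:
                alerts[key]["failures"] += 1
            elif len(q) >= threshold:
                alerts[key] = {"source_ip": ip, "target_user": user,
                               "first_seen": q[0].isoformat(),
                               "failures": len(q), "succeeded": False}
        elif event_id == EVENT_LOGON and key in alerts:
            alerts[key]["succeeded"] = True   # success after a flagged burst
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

With the defaults the fast burst from 203.0.113.7 is reported with a successful logon behind it, while the slow guesser never has five failures inside one five-minute window and stays silent; lengthening the window (for example `window_minutes=60` with `threshold=3`) catches it too, at the cost of more noise from ordinary users. Keying on source and account rather than on the host alone is deliberate: a single worm-infected machine trying the same Administrator list against many servers still stands out when logs from those servers are collected centrally.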
F-Secure's technology chief Mikko Hypponen said that Amazon Web Services could be the preferred target, adding that he hoped it would not be attacked, according to SC Magazine on August 29, 2011.
SANS, which observed a sharp rise in RDP scan traffic over the weekend, says the increase is a "chief indicator" of a growing number of infected bots. Both Windows servers and workstations are susceptible.
Microsoft said the worm could be used to launch denial-of-service attacks against targets chosen by its command servers.
F-Secure stated that the worm reports back to a command-and-control server by querying a number of predefined domain names and IP addresses, from which it can download additional files.
F-Secure also identified jaifir.com and qfsl.net as servers being used to remotely control the Morto worm.
Earlier, some had suspected that the worm might be exploiting an RDP vulnerability patched earlier this month (MS11-065) to spread. That is not the case: the flaw can only lead to denial of service, not arbitrary code execution.
Security experts advise users to use unique passwords, enable firewalls, and keep software and anti-virus programs up to date.
» SPAMfighter News - 07-09-2011