By Richi Jennings - August 29, 2011.
A new and virulent worm, dubbed Morto, has raised its ugly head on the Internet. It's spreading quickly, through the Microsoft Windows Remote Desktop Protocol (RDP). Thought the days of worms such as Blaster and Code Red were long gone? Think again. In IT Blogwatch, bloggers get all nostalgic.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A single-button game called CANABALT...
Dennis Fisher reports:
The worm is generating a large amount of outbound RDP traffic...is capable of compromising both servers and workstations...is infecting machines that are completely patched.
Richard Chirgwin adds:
[There's been] a huge spike in RDP scans in the last few days, as infected systems have been scanning...for open RDP services. ... Once it's...found another PC to infect, it starts trying a long list of possible passwords for the RDP service.
Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files.
And F-Secure's Mikko Hypponen can spell "RDP":
Since worms have become something of an anachronism...[you might be] asking the question why bother?
RDP stands for Remote Desktop Protocol. ... Once you enable a computer for remote use, you can use any other computer to access it.
Meanwhile, Microsoft's Matt McCormack muddles through:
Once a machine gets infected, the Morto worm starts scanning...[which] creates a lot of traffic for port 3389/TCP...the RDP port.
The infection will create several new files...including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.
It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network. ... [It] consists of...an executable dropper...and a DLL component which performs the payload.
But this Anonymous Coward has been battling Morto for ten days already, and reports that there seems to be a zero-day RDP vulnerability:
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components: 18.104.22.1680 22.214.171.124 jifr.info jifr.co.cc jifr.co.be qfsl.net qfsl.co.cc qfsl.co.be
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
1000s of connection attempts were nailing the firewall...and the arp caches of the network switches...I could see [them] turned into hubs...because the MAC tables couldn't keep up.
And Finally...
[One] machine had 63 malware programs on it. ... The infections are entirely not due to bad passwords...you can get randomly hit, with an exploit vector as well. ... [M]achines with passwords that were ludicrously complex were also getting infected.
CANABALT: Outrun the demolition of your city with just one button
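As an added example (not from the original post or any of the quoted sources), here is one way to spot the outbound scanning on port 3389/TCP described above: count the distinct RDP destinations each source contacts inside a sliding time window. The log layout, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389  # 3389/TCP, the RDP port named in the post
# Hypothetical firewall log layout, assumed for this example only.
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)$")

def rdp_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Map each source to the most distinct RDP destinations it contacted
    inside any one window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != RDP_PORT:
            continue  # ignore malformed lines and non-RDP traffic
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

def build_sample():
    """Constructed log lines (not captured traffic)."""
    day, rdp = "2011-08-29T10:", "PROTO=TCP DPT=3389"
    lines = ["truncated line"]
    # One host sweeping eight addresses in eight seconds (scan-like).
    lines += [f"{day}00:{i:02d} SRC=10.0.0.23 DST=10.0.1.{i} {rdp}" for i in range(1, 9)]
    # An admin reconnecting to a single server.
    lines += [f"{day}0{i}:00 SRC=10.0.0.7 DST=10.0.1.5 {rdp}" for i in range(3)]
    # Six RDP destinations, but five minutes apart.
    lines += [f"{day}{5 * i:02d}:00 SRC=10.0.0.40 DST=10.0.2.{i} {rdp}" for i in range(6)]
    # Wide fan-out on another port (web traffic).
    lines += [f"{day}00:{i:02d} SRC=10.0.0.9 DST=192.0.2.{i} PROTO=TCP DPT=80" for i in range(8)]
    return lines

SAMPLE = build_sample()

if __name__ == "__main__":
    for src, count in rdp_fanout(SAMPLE).items():
        print(f"{src}: {count} distinct RDP destinations within 60s")
```

Widening the window catches slower sweeps at the cost of flagging hosts that legitimately reach many RDP servers over a working day.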
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: firstname.lastname@example.org. You can also read Richi's full profile and disclosure of his industry affiliations.