New Worm 'Morto' Infects Windows PCs Using RDP Discovered


A new worm called "Morto" infecting machines via RDP (Remote Desktop Protocol) has begun making the rounds on the Internet in the last couple of days.

The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows, Threatpost reports.

On Sunday, the SANS Internet Storm Center reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it's on a new machine is that it scans the local network for other PCs and servers to infect.

Researchers at F-Secure said that Morto is the first Internet worm to use RDP as an infection vector. Once it's on a new machine and has successfully found another PC to infect, it starts trying a long list of possible passwords for the RDP service.

"Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port," F-Secure Chief Research Officer Mikko Hypponen said in a blog post.

"Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt. Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net."
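The two observable traits described above, a burst of outbound connections to port 3389/TCP from one host and the dropped files \windows\system32\sens32.dll and \windows\offline web pages\cache.txt, are what a defender would look for. The script below is an added example written for this article, not code from F-Secure or Microsoft: it parses firewall-style log lines in a constructed format (timestamp, action, source, destination:port, an assumption of this example), flags any source that reaches many distinct RDP targets within a short window, and matches file paths against the two indicators the article names. The sample log is constructed inline.

```python
"""Flag Morto-style RDP sweeps and file indicators (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Log format assumed by this example: "<ISO timestamp> ALLOW|DENY <src> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# File indicators quoted in the article (matched case-insensitively on the path suffix).
MORTO_FILE_INDICATORS = (
    r"windows\system32\sens32.dll",
    r"windows\offline web pages\cache.txt",
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_rdp_scanners(lines, window=timedelta(minutes=5), min_targets=10):
    """Return {src: peak_distinct_targets} for sources that hit >= min_targets
    distinct hosts on 3389/TCP inside any `window`-long interval."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == RDP_PORT:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # events are (timestamp, destination) tuples
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached from this event forward, inside the window.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def match_file_indicators(paths):
    """Return the input paths whose normalised suffix matches a Morto file indicator."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        if any(norm.endswith(ind) for ind in MORTO_FILE_INDICATORS):
            hits.append(p)
    return hits


def build_sample_log():
    """Constructed sample: one sweeping host, one benign admin, unrelated and junk lines."""
    base = datetime(2011, 8, 28, 10, 0, 0)
    lines = []
    # Sweep: 10.0.0.5 touches 20 neighbours on 3389 in under a minute.
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} ALLOW 10.0.0.5 -> 10.0.0.{10 + i}:3389")
    # Benign: an admin opening two sessions to the same server, hours apart.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} ALLOW 10.0.0.7 -> 10.0.0.50:3389")
    lines.append(f"{(base + timedelta(hours=3)).isoformat()} ALLOW 10.0.0.7 -> 10.0.0.50:3389")
    # Unrelated traffic on another port, and a line the parser must skip.
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} ALLOW 10.0.0.9 -> 10.0.0.60:443")
    lines.append("junk line that does not parse")
    return lines


if __name__ == "__main__":
    print("RDP sweep sources:", find_rdp_scanners(build_sample_log()))
    print("File hits:", match_file_indicators([
        r"C:\Windows\System32\sens32.dll",
        r"C:\Windows\System32\kernel32.dll",
        "C:/Windows/Offline Web Pages/cache.txt",
    ]))
```

The distinct-target count is what separates a sweep from legitimate administration: an admin reconnecting to one server many times never raises the count, whereas a worm walking a subnet does. The threshold and window are tuning knobs; on a network where RDP is used heavily between many hosts they would need to be raised.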

Microsoft acknowledged the threat in an MMPC blog post, saying that the worm is detected as Worm:Win32/Morto.A; a detailed description is available under that name in the Microsoft malware encyclopedia.

"This particular worm highlights the importance of setting strong system passwords. Using strong passwords can go a long way towards protecting your environment -- and the ability of attackers to exploit weak passwords shouldn't be underestimated," MMPC said.

For more advice on creating (and remembering) strong passwords, visit Safety and Security Center.