When the insidious ‘Morto Worm’ threats data security…

  • Team Omega
  • October 26, 2011

The Morto Worm very recently became the first worm to use a list of common ids and passwords to gain remote desktop access to Windows systems via the Windows remote desktop protocol (RDP) in order to spread itself. As soon as it gains access to a single system on your network, it replaces system components on that system to further propagate itself to other systems. 

Once installed it can be commanded by attackers to perform many different types of attacks including “Denial of Service” attacks on your own or other’s systems. The Morto worm is capable of shutting down a long list of service processes to prevent its detection. Some of those same service processes are also likely to be critical to your day-to-day business applications and operations. Even worse, Morto also deletes the System, Security, and Application Windows event logs on that system to help cover its tracks.

What should you do?

  1. Be sure and disable remote desktop  access on externally facing systems.  At most, remote desktop access (provided via the Windows Remote Desktop Protocol, RDP) should only be made available on internal systems and  to LAN users or users already authenticated via VPN access.  If you must keep remote desktop access available to your users on some of your systems, then be sure that ONLY your Windows accounts that require remote desktop access to systems are enabled for it, and not all Windows accounts. 
  2. Assure that password strength required for  your Windows accounts is adequate to protect those systems from dictionary attacks (attacks using commonly used accounts and passwords) like those employed by the Morto Worm. 
  3. Seriously consider using security compliance tools that help automate the shutdown of remote desktop access,  scan for existence of malicious software and remove it, enforce account password strength, and gather critical event logs into a common and protected place away from the system they originated from.