'Morto' targets weak passwords, usernames and spreads via the Remote Desktop Protocol.
A retro worm attack is underway that takes the unusual spin of employing the Remote Desktop Protocol (RDP) in Windows' remote desktop connection feature as its attack vector.
Researchers from Microsoft, F-Secure, eEye Digital Security, and other organizations say the so-called Morto worm infects Windows workstations and Windows servers. It spreads by uploading a Windows DLL file to a targeted machine. The worm looks for weak administrator passwords in Remote Desktop on an organization's network--everything from "12345" to "admin" and "password."
Researchers say the attack could be used for various purposes, including distributed denial-of-service (DDoS) attacks against targeted organizations. "The remote control feature allows bot-like control of the infected machines and they can be used for basically any purpose," says Mikko Hypponen, chief research officer of F-Secure Lab.
Microsoft's Malware Protection Center (MMPC), which sounded the alarm about the worm over the weekend, on Friday added detection for Worm:Win32/Morto.A. The relative number of infections isn't as high as with other malware families, but the worm generates "noticeable" amounts of traffic, according to Microsoft.
As of Saturday, there were only a few thousand computers infected with Morto, according to Microsoft's data. That's in contrast to nearly 30,000 infected with the Sality family of malware, and more than 10,000 with IRCbot malware, according to Microsoft.
"Based on telemetry through the remainder of Sunday, August 28, we are continuing to see low detections in comparison to established malware families as mentioned in the MMPC blog," says Pete Voss, senior response communication manager for Microsoft Trustworthy Computing. "It's important to remember that this malware does not exploit a vulnerability in Remote Desktop Protocol, but instead relies on weak passwords ... We encourage people to use strong passwords to help protect their systems."
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)
Published: 2017-05-08 unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).
Published: 2017-05-08 A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...
Published: 2017-05-08 Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.
Published: 2017-05-08 Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.