Morto is the only worm seen to date that exploits Microsoft’s remote desktop protocol (RDP), said a reverse engineering specialist.
The code does not exploit any specific vulnerability, but simply relies on people installing the worm and then uses a brute force password attack to gain access to systems, said Tomer Bitton, a reverse engineering specialist with Imperva.
This is the first time he has seen a worm like this: the malware itself is sophisticated, even if its method of propagation is not, Bitton said.
“Once again, we have an example highlighting the importance of good passwords. Blocking the spread of this worm relies on using a sophisticated password that isn’t on the worm’s dictionary list”, he said in his security posting, adding the 100-plus passwords in the malware’s dictionary include 111111, david, admin2, 123456 and rockyou.
Nearly two years after it was published, the RockYou password list continues to be used by hackers in brute force password dictionaries, he said.
“One thing we determined from looking at the worm was origin. Looking at DNS information, the worm seems to have originated from China, Hong Kong and Australia,” he said.
After dumping Morto's code from memory with the MoonSols win32dd.exe utility, Bitton said he found the worm (running under PID 1064 in his analysis) using RDP on port 3389 as one of its attack vectors.
Also notable, he said, is that during the infection process Morto creates four new files on the infected system and then deletes its original executable.
This may be one of the reasons why the Morto worm, which appeared on the malware scene earlier this summer, has infected so many systems. Once executed, it attempts to propagate itself to additional computers via RDP, forcing infected systems to scan for servers that allow an RDP login.
Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named Administrator using a number of common passwords.
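The spreading behaviour described above (repeated RDP logon attempts against Administrator from one source, followed by a successful logon once a dictionary password hits) leaves a recognisable trail in the Windows Security log. The following is an added example for this article, not code from Imperva or from the original write-up: it runs a sliding-window detector over constructed, synthetic event records whose field names mirror the Windows Security event XML (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The threshold, window, IP addresses and timestamps are all assumptions chosen for the demonstration.

```python
"""Flag Morto-style RDP password guessing in Windows Security events.

Added example (not from the original article or Imperva's analysis).
Events are simplified dicts; in practice you would build them from the
Security event log (Get-WinEvent, a SIEM export, or EVTX parsing).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, logon_type, user, ip):
    """Build one simplified Security event record (constructed data)."""
    return {"TimeCreated": time, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample log, not captured from a real host.
SAMPLE_EVENTS = (
    # Source A: six failed RDP logons against Administrator in 2.5 minutes,
    # then a successful RDP logon: a dictionary password hit.
    [_ev(f"2011-08-27T10:0{m}:{s}", 4625, 10, "Administrator", "203.0.113.5")
     for m, s in ((0, "00"), (0, "30"), (1, "00"), (1, "30"), (2, "00"), (2, "30"))]
    + [_ev("2011-08-27T10:03:00", 4624, 10, "Administrator", "203.0.113.5")]
    # Source B: two failures only, below any sensible threshold.
    + [_ev("2011-08-27T10:05:00", 4625, 10, "Administrator", "198.51.100.7"),
       _ev("2011-08-27T10:05:20", 4625, 10, "Administrator", "198.51.100.7")]
    # Source C: six failures, but against a non-Administrator account.
    + [_ev(f"2011-08-27T10:06:{s}", 4625, 10, "bob", "192.0.2.9")
       for s in ("00", "10", "20", "30", "40", "50")]
    # Source D: six failures spread one every six minutes (slow, outside window).
    + [_ev(f"2011-08-27T10:{m:02d}:00", 4625, 10, "Administrator", "203.0.113.77")
       for m in (0, 6, 12, 18, 24, 30)]
    # Console logon failure (LogonType 2): not RDP, must be ignored.
    + [_ev("2011-08-27T10:07:00", 4625, 2, "Administrator", "-")]
)


def _ts(value):
    return datetime.fromisoformat(value)


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5),
                      target_user="Administrator", rdp_logon_types=(10,)):
    """Return {source_ip: finding} for sources with >= `threshold` failed RDP
    logons inside any `window`-long span. `compromised` is True when the same
    source later logged on successfully over RDP to the same account.

    target_user=None considers every account, not just Administrator.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["LogonType"] not in rdp_logon_types:
            continue
        if target_user is not None and e["TargetUserName"].lower() != target_user.lower():
            continue
        when = _ts(e["TimeCreated"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(when)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(when)

    findings = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures whose timestamps fit in `window`.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_failure = times[0]
        compromised = any(t >= first_failure for t in successes.get(src, []))
        findings[src] = {"failures": len(times), "peak_in_window": peak,
                         "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in find_rdp_guessing(SAMPLE_EVENTS).items():
        state = "COMPROMISED" if f["compromised"] else "guessing"
        print(f"{ip}: {f['failures']} failed RDP logons, peak {f['peak_in_window']} in window -> {state}")
```

Two caveats for real logs: on hosts with Network Level Authentication enabled, failed RDP logons are typically recorded with LogonType 3 rather than 10, so widen `rdp_logon_types` to `(3, 10)` there; and an account lockout threshold, which Morto's fixed dictionary cannot defeat, will turn the 4625 stream into 4740 lockout events that are worth alerting on in their own right.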