The Morto worm is spreading between machines over the Remote Desktop Protocol (RDP).
Networks with infected machines are seeing large volumes of outbound RDP traffic, and Morto can compromise both servers and workstations running Windows.
Users are reporting that Morto is infecting fully patched, clean installations of Windows Server 2003. That is consistent with how the worm spreads: it guesses RDP passwords rather than exploiting a software flaw, so being up to date on patches is no defense against a weak password on an exposed RDP service.
“In a new windows 2003 R2 server, I’m noticing every few minutes, svshost.exe [sic] is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it’s clean. Can it be hacked already??? Has anyone seen this before?” one user asked in Microsoft’s TechNet forum.
On Sunday, the SANS Internet Storm Center reported a spike in RDP scans over the last few days, as infected systems scan local networks and remote machines for open RDP services. Scanning the local network for other PCs and servers to infect is one of the first things Morto does once it is on a new machine.
“A few weeks ago a diary posted by Dr. J pointed out a spike in port 3389 traffic. Since then the sources have spiked tenfold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services,” said SANS handler Kevin Shortt.
Researchers at F-Secure said Morto is the first Internet worm to use RDP as an infection vector. Once it is on a new machine and has found another host with RDP exposed, it works through a long list of candidate passwords against the RDP service; a machine whose RDP accounts use strong, unique passwords is not at risk from this vector.
“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port,” said F-Secure Chief Research Officer Mikko Hypponen.
“Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it,” he said. “The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt. Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.”
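The two network symptoms described above, a single host opening TCP/3389 connections to many neighbours in a short window (the SANS and F-Secure observations) and lookups of the control domains Hypponen names, are easy to check for in firewall or DNS logs. The script below is an added example written for this article, not code from F-Secure or SANS; the log format, the sample records and the fan-out threshold are all constructed assumptions, and the domain list is taken from the quote above.

```python
"""Flag Morto-style RDP fan-out and control-domain lookups in a connection log.

Added example, not part of the original article. The log format below
(time src dst dport proto [qname=...]) is an assumption chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control domains named in the F-Secure quote.
MORTO_C2_DOMAINS = {"jaifr.com", "qfsl.net"}

# Constructed sample log, not a real capture. 10.0.0.5 behaves like an
# infected host; 10.0.0.9 is an administrator making occasional RDP sessions.
SAMPLE_LOG = """\
2011-08-28T10:00:00 10.0.0.5 10.0.0.53 53 udp qname=jaifr.com
2011-08-28T10:00:01 10.0.0.5 10.0.0.21 3389 tcp
2011-08-28T10:00:02 10.0.0.5 10.0.0.22 3389 tcp
2011-08-28T10:00:03 10.0.0.5 10.0.0.23 3389 tcp
2011-08-28T10:00:04 10.0.0.5 10.0.0.24 3389 tcp
2011-08-28T10:00:05 10.0.0.5 10.0.0.25 3389 tcp
2011-08-28T10:00:06 10.0.0.5 10.0.0.26 3389 tcp
2011-08-28T10:00:07 10.0.0.5 10.0.0.27 3389 tcp
2011-08-28T10:00:08 10.0.0.5 10.0.0.28 3389 tcp
2011-08-28T10:00:20 10.0.0.9 10.0.0.21 3389 tcp
2011-08-28T10:00:21 10.0.0.9 10.0.0.53 53 udp qname=update.example.com
2011-08-28T10:30:00 10.0.0.9 10.0.0.30 3389 tcp
2011-08-28T10:45:00 10.0.0.9 10.0.0.31 3389 tcp
"""


def parse_log(text):
    """Parse the assumed space-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        rec = {
            "ts": datetime.fromisoformat(fields[0]),
            "src": fields[1],
            "dst": fields[2],
            "dport": int(fields[3]),
            "proto": fields[4],
        }
        for extra in fields[5:]:  # optional key=value fields such as qname=
            key, _, value = extra.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def rdp_fanout(records, threshold=5, window=timedelta(minutes=5)):
    """Return {src: peak distinct TCP/3389 destinations inside any window}
    for sources whose peak reaches the threshold (assumed: 5 in 5 minutes).
    Distinct destinations, not raw connection count, is what separates a
    scanner from an admin reconnecting to one box."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 3389:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Window opens at this event; events are sorted, so look forward only.
            dsts = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(dsts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def c2_lookups(records, domains=MORTO_C2_DOMAINS):
    """Return sorted (src, qname) pairs where a DNS query named a control
    domain or a subdomain of one."""
    hits = set()
    for r in records:
        name = r.get("qname", "").lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.add((r["src"], name))
    return sorted(hits)


def triage(text):
    """Run both checks over a log and return the combined findings."""
    records = parse_log(text)
    return {"rdp_fanout": rdp_fanout(records), "c2_lookups": c2_lookups(records)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for src, n in report["rdp_fanout"].items():
        print(f"{src}: {n} distinct RDP targets inside one window, check for sens32.dll")
    for src, name in report["c2_lookups"]:
        print(f"{src}: DNS query for Morto control domain {name}")
```

On the sample data only 10.0.0.5 is reported, for both checks; the administrator host 10.0.0.9 touches three RDP targets but spread over 45 minutes, so it never reaches the threshold. Tune the window and threshold to your own baseline of legitimate RDP use before turning this into an alert, and treat a fan-out hit as a reason to pull the host's file system for the artifacts named above rather than as proof of infection.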