Microsoft warns of new Windows Morto worm spreading via RDP

By | August 30, 2011

Microsoft is warning system admins to beef up their password security in light of a new Windows worm.

The worm, named Morto, was first detected over the weekend by F-Secure chief research officer Mikko Hyppönen. ?We don?t see that many internet worms these days,? explained Hyppönen in a blog post on Sunday. ?We just found a new internet worm, and it?s spreading in the wild.? The worm uses Microsoft?s Remote Desktop Protocol (RDP) to access remote machines. Morto starts scanning machines on local networks for machines that have RDP enabled over port 3389/TCP. Once the worm finds machines that have RDP enabled it attempts to access the machine using several different default admin usernames and passwords such as ?pass? and ?12345?.

Microsoft admitted that the worm was causing headaches for system administrators that have ?less than ideal? password policies. ?The number of computers reporting infections or infection attempts continues to remain quite low,? said Microsoft?s Matt McCormack. Microsoft?s Malware Protection Center has only detected a few thousand unique computers that report the issue. Consumer and corporate machines in 87 countries have been affected so far and 74% of infected machines are running Windows XP. ?It?s important to remember that this malware does not exploit a vulnerability in Remote Desktop Protocol, but instead relies on weak passwords,? explained McCormack. ?The role that passwords play in securing an organization?s network is often underestimated and overlooked. We encourage people to use strong passwords to help protect their systems.?

Leave a Reply