As some of you might be aware, we've recently been seeing low levels of reports of Win32/Morto - a worm that causes headaches for users who may have less than ideal password policies - so we thought we'd look at this in more detail.

The number of computers reporting infections or infection attempts continues to remain quite low. In total, the MMPC has seen only a few thousand unique computers report this issue.  For an idea of how this kind of volume compares to other families, see the following chart that shows the volume of several families (Sality, IRCbot, and Morto) by unique computers last Sat. (Aug. 27, 2011).

 

 

This threat is reaching both consumer and corporate users alike in 87 country/regions so far.  At first, the majority of telemetry we received was from computers on older platforms, mostly Windows XP.  More recent telemetry shows that newer platforms are also seeing this worm:

 

 

We've also discovered that Morto attempts to compromise more than just the 'Administrator' account when trying to brute force RDP connections with its simple dictionary attack. Initially it tests the affected machine's Internet connectivity by attempting to connect to IP 74.125.71.104 (this is an IP owned by a legitimate corporation and is otherwise unrelated to the malware). If this attempt is not successful, it then cycles through IP addresses on the affected computer's subnet and attempts to connect to targeted hosts using the following usernames:

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5 

It’s important to remember that this malware does not exploit a vulnerability in Remote Desktop Protocol, but instead relies on weak passwords (you can see the passwords used by Morto in our encyclopedia). If you haven't already, check if these usernames are being used in your environment and change the associated passwords to ones that are strong (and definitely not on the password list).  Even computers that have been cleaned of this threat can be easily reinfected if the passwords are not changed and the computer remains unprotected.

The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide a first line of defense against unauthorized access to your organization.

We encourage people to use strong passwords to help protect their systems. (You can even test the strength of your proposed password using our password checker.) We also encourage enterprise users in particular to enforce both strong passwords and regular password changes via policy.

Holly Stewart and Matt McCormack
MMPC Melbourne and Redmond