I have written many posts on this blog about Conficker, and this weekend, when I heard about Morto (which means "dead" in Portuguese) and how it works, it felt like déjà vu. Not because they are alike in their side effects, but because both exploit weak passwords. Let's look at the way they spread (according to the Microsoft Malware Encyclopedia) in a side-by-side view:
They both take advantage of weak passwords, usually created by a user who wants something simple and doesn't know much about security. This brings up again the point that the user is the weakest link in your security chain, and that if you don't train him well he will make mistakes that can compromise your investment in technology. There are two things you can do: educate users with security awareness training, and enforce a strong-password policy. Here are some articles you should read about strong passwords:
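As an added illustration of what "policy enforcement for strong passwords" looks like in practice (this is example code written for this post, not from Microsoft or any product), here is a minimal policy checker. The minimum length, the three-of-four character-class rule and the short weak-password list are assumptions constructed for the example; a real deployment would load a much larger list and tune the thresholds.

```python
"""Added example (not from the original post): a minimal password-policy
checker that reports every rule a candidate password violates.
Thresholds and the weak-password list are constructed for illustration."""
import re

# Constructed sample of weak passwords any policy should reject.
# A real deployment would load a much larger list.
WEAK_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty", "welcome"}

MIN_LENGTH = 12  # assumed policy value


def password_findings(password: str, username: str = "") -> list:
    """Return the list of policy rules the password violates (empty means accepted)."""
    findings = []

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # Require at least three of the four character classes.
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    if sum(1 for hit in classes.values() if hit) < 3:
        findings.append("uses fewer than 3 of 4 character classes")

    lowered = password.lower()
    # Strip digits/symbols so "Password1!" is recognised as the word "password".
    stem = re.sub(r"[^a-z]", "", lowered)
    if lowered in WEAK_PASSWORDS or stem in WEAK_PASSWORDS:
        findings.append("based on a common weak password")

    if username and len(username) >= 3 and username.lower() in lowered:
        findings.append("contains the user name")

    return findings


def is_strong(password: str, username: str = "") -> bool:
    """True when the password passes every rule above."""
    return not password_findings(password, username)


if __name__ == "__main__":
    for pw, user in [("Password1!", "bob"), ("Correct-Horse-Battery-9", "alice")]:
        print(pw, "->", password_findings(pw, user) or "accepted")
```

Returning the list of violated rules rather than a bare yes/no lets the enforcement point tell the user exactly why a choice was rejected, which is where most of the awareness-training value comes from.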
Another important point about Morto is that it tries to contact remote hosts as you can see below:
Screenshot taken on 8/29/2011 5:32PM CST from: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A
This means you should configure your edge device to block access to those remote destinations. If you use Forefront TMG, create rules that block access to those destinations from your internal workstations, and keep reviewing the logs for suspicious activity.
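To show what "reviewing the logs for suspicious activity" can mean concretely, here is an added example (my code, not Microsoft's and not TMG's own tooling) that scans egress log lines for internal hosts contacting a blocklist of destinations. Two things are worth surfacing: an "allow" entry to a blocked destination means the blocking rule has a gap, and an internal host that keeps retrying a blocked destination is a candidate for cleanup. The log format is a constructed key=value line, not TMG's real log format, and the destination addresses are RFC 5737 documentation addresses standing in as placeholders for the list in the screenshot.

```python
"""Added example (not from the original post): egress-log review that flags
allowed connections to blocked destinations and internal hosts that keep
trying to reach them. Log format and addresses are constructed placeholders."""
from collections import Counter
import ipaddress

# PLACEHOLDER blocklist: replace with the destinations from the vendor write-up.
BLOCKED_DESTINATIONS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample log lines (not real TMG output).
SAMPLE_LOG = """\
2011-08-29 17:30:01 src=10.0.0.15 dst=192.0.2.10 dport=80 action=allow
2011-08-29 17:30:05 src=10.0.0.15 dst=203.0.113.7 dport=80 action=allow
2011-08-29 17:30:09 src=10.0.0.15 dst=203.0.113.7 dport=80 action=deny
2011-08-29 17:30:12 src=10.0.0.22 dst=198.51.100.23 dport=443 action=deny
2011-08-29 17:30:40 src=10.0.0.15 dst=198.51.100.23 dport=80 action=deny
2011-08-29 17:31:02 src=10.0.0.31 dst=192.0.2.10 dport=443 action=allow
"""


def parse_line(line: str) -> dict:
    """Split 'date time k=v k=v ...' into a dict (assumed log layout)."""
    ts_date, ts_time, *fields = line.split()
    rec = {"time": f"{ts_date} {ts_time}"}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review_egress(log_text: str, blocked=BLOCKED_DESTINATIONS, threshold: int = 2):
    """Return (leaks, suspects).

    leaks    : records where an internal host was ALLOWED to reach a blocked
               destination, i.e. the edge rule is not doing its job.
    suspects : {internal_src: attempt_count} for hosts that tried a blocked
               destination at least `threshold` times (allowed or denied).
    """
    leaks = []
    attempts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dst") not in blocked:
            continue
        # Only internal (RFC 1918) sources are workstations we can clean up.
        if not ipaddress.ip_address(rec["src"]).is_private:
            continue
        attempts[rec["src"]] += 1
        if rec.get("action") == "allow":
            leaks.append(rec)
    suspects = {src: n for src, n in attempts.items() if n >= threshold}
    return leaks, suspects


if __name__ == "__main__":
    leaks, suspects = review_egress(SAMPLE_LOG)
    for rec in leaks:
        print("RULE GAP:", rec["time"], rec["src"], "->", rec["dst"])
    for src, n in suspects.items():
        print("SUSPECT HOST:", src, f"({n} attempts to blocked destinations)")
```

Counting denied attempts as well as allowed ones is deliberate: once the rule is in place the deny lines are exactly the signal that tells you which workstation is still infected and trying to call home.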
For updates about Morto use the following resources:
210 . 3 . 38 . 820 ???
Thanks for pointing it out. MMPC just updated the list and the screenshot now reflects this change.