Morto worm attacks weak passwords

A Windows worm that takes advantage of weak passwords is taking out corporate networks, according to security researchers.

Dubbed “Morto” by Microsoft and F-Secure, the worm was spotted after network administrators noticed systems generating large numbers of unexplained connections to the Internet.

Writing in his blog, Hil Gradascevic, a researcher with the Microsoft Malware Protection Center, said that the number of computers reporting detections is still low but the traffic the worm generates is noticeable.

Morto uses Vole’s Remote Desktop Protocol, which controls one computer by connecting to it from another.

The Morto worm spreads by logging in to Remote Desktop servers using weak passwords like “abc123.”

XP seems to be the logical target. Windows 7 and Vista also require a user name to gain access.

Windows PCs infected with Morto scan the local network for other machines that have RDC switched on, then try to log in to a Remote Desktop server using a pre-set list of common passwords.

If one of the passwords works, the worm then downloads additional malware components to the just-victimised server and kills security software to remain hidden.

The scanning of targets generates significant traffic on TCP port 3389, which was how the malware was spotted.
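The same signal can be turned into a detection rule. As an added example (not code from Microsoft or F-Secure), the Python below flags any source that contacts many distinct hosts on TCP port 3389 within a short window. The log format, window, threshold and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389
WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed: distinct RDP targets per window

def constructed_sample():
    """Constructed flow records: 'ISO-time src dst proto dport'."""
    t0 = datetime(2000, 1, 1, 9, 0, 0)
    rows = []
    # Infected host: sweeps eight neighbours on 3389 in eight seconds.
    rows += [(t0 + timedelta(seconds=i), "10.0.0.23", f"10.0.0.{100 + i}", 3389)
             for i in range(8)]
    # Admin workstation: repeated sessions to a single server.
    rows += [(t0 + timedelta(seconds=5 * i), "10.0.0.50", "10.0.0.5", 3389)
             for i in range(8)]
    # Helpdesk: six different servers, but one every ten minutes.
    rows += [(t0 + timedelta(minutes=10 * i), "10.0.0.60", f"10.0.0.{200 + i}", 3389)
             for i in range(6)]
    # Many destinations, but HTTPS rather than RDP.
    rows += [(t0 + timedelta(seconds=i), "10.0.0.70", f"10.0.0.{100 + i}", 443)
             for i in range(8)]
    return [f"{ts.isoformat()} {src} {dst} tcp {port}"
            for ts, src, dst, port in sorted(rows)]

def find_rdp_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to its peak count of distinct TCP/3389
    destinations inside one window. Lines must be in time order."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) still in window
    peaks = {}
    for line in lines:
        ts_text, src, dst, proto, dport = line.split()
        if proto.lower() != "tcp" or int(dport) != RDP_PORT:
            continue
        ts = datetime.fromisoformat(ts_text)
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:  # expire entries older than window
            seen.popleft()
        distinct = len({d for _, d in seen})
        if distinct >= threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

if __name__ == "__main__":
    for src, n in find_rdp_scanners(constructed_sample()).items():
        print(f"{src}: {n} distinct hosts on TCP/{RDP_PORT} within {WINDOW}")
```

Counting distinct destinations rather than raw connections is what separates the sweep from an administrator who reconnects to one server repeatedly.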

Microsoft said that this particular worm highlights the importance of having decent passwords.

Morto’s goal in life might be to carry out denial-of-service attacks against hacker-designated targets, but Microsoft is not certain yet.