Windows users warned about the Morto worm

Warnings have been made about the Morto worm that spreads via the Windows Remote Desktop Protocol (RDP).

According to detection by Symantec, this was discovered in late August and it affects all versions of Windows apart from Windows 7. While Symantec said that it had a low impact level and it was easy to remove, its damage level was ‘medium' as it replaces the '%System%\sens.dll' file with a copy of itself and attempts to end certain security processes.

According to NetFort, the worm has the power to consume excessive network bandwidth and carry out denial-of-service attacks. John Brosnan, CEO of NetFort, said: “Malicious worms historically targeted systems that were running software containing some flaw in the system logic, such as a buffer overflow. The Morto worm is different in that it targets systems that are vulnerable because of weak administrator passwords such as ‘letmein' or ‘password'.”

According to Marco Giuliani, threat research analyst at Webroot, the worm is currently confined thanks to the quick response of security vendors, but it was expecting something similar to the early days of Conficker's first appearance.

He said: “By analysing the nature of the worm, we know that many small- to medium-sized businesses could be affected by it, getting the internal network overloaded by endless RDP login attempts and slowing down the whole company network.

“Morto worm is quite interesting because it uses a new approach to communicate between the infected PC and the command and control (C&C) server. Morto contains a hard-coded list of domains in its body, which are the C&C servers.

“If you try to connect to Morto's C&C, you won't be redirected to any IP address, so you would think that the C&C has been disabled. Morto does something smarter: for each C&C domain name, it queries the TXT field, which is used by the attackers to store the commands that Morto receives from the C&C server.

“The commands are in an encrypted form, so Morto needs to decrypt it and execute the command. This could be downloading malware from another URL; Morto has been monitored to download additional backdoor code by using this method.”

Giuliani said that the common vectors are warez, crack and keygen websites, adult websites and exploit kits, and while it does not spread through USB removable media as Conficker did, this feature could be included in an update.

NetFort recommended three steps to prevent Morto from causing harm: enforce secure passwords; monitor your network so that you can detect if hosts are infected and identity how infected systems are coming on to your network; and, if you have to enable RDP access to a system on your network, ensure that the firewall rule enabling this access is specific to an IP address or a particular subnet.

Sign up to our newsletters