Morto Worm Spreads to Weak Systems
In the past few weeks, a worm dubbed “Morto” has been spreading on the Internet. Morto attempts to propagate itself to additional computers via the Remote Desktop Protocol (RDP). Morto spreads by having infected systems scan for servers allowing RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named 'Administrator' using one of the following weak passwords; admin, password, server, test, user, pass, letmein, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin123, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890
Upon successful login, Morto uploads a payload to the victim computer using the filename 'a.dll.' When this payload is executed, the following files are created:
o C:\windows\offline web pages\cache.txt
Morto will also disable active Anti-Virus programs on the host machine. Infected systems will have a REG_BINARY value under HKEY_LOCAL_MACHINE\SYSTEM\Wpa named "md" created by the malware. The malware can be prevented from executing on the machine by deleting this value. Morto then attempts to find other systems to infect by scanning for other RDP servers on TCP port 3389.
Morto also has a botnet like functionality wherein the payload attempts to communicate with command and control servers within the following domain names:
Despite the fact that Morto can easily be avoided, it has still found success in spreading across many weakly protected systems on the internet. This infection can be deflected by simply using a strong password and by placing strict limitations on RDP access.