Aug 29, 2011 09:41 GMT

Security researchers from F-Secure warn about a new computer worm which attempts to brute force connections over the Remote Desktop Protocol (RDP).

RDP was developed by Microsoft to allow the remote administration of computers via a graphical interface. The technology is present, with limitations in some cases, in all currently supported versions of Windows.

According to F-Secure researchers, once it infects a computer, the new Morto worm begins scanning for machines that accept connections on port 3389/TCP, the default for RDP.

When potential targets are identified, the worm tries to log in as Administrator using a list of hard-coded passwords. This can cause a spike in RDP traffic on networks.
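In flow data, the scanning described above appears as one internal host contacting many distinct destinations on 3389/TCP within a short time. The following added example (not from F-Secure or the original article) flags such hosts. The flow tuple layout, the 60-second window, the threshold of 10 and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

RDP_PORT = 3389  # default RDP port named in the article

def rdp_fanout(flows, window=60):
    """Return {src: peak count of distinct destinations contacted on
    3389/TCP within any `window`-second span}. `flows` holds tuples of
    (epoch_seconds, src_ip, dst_ip, dst_port, proto) -- an assumed layout."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport, proto in sorted(flows):
        if dport != RDP_PORT or proto != "tcp":
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] >= window:   # expire entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return dict(peak)

def flag_scanners(flows, window=60, threshold=10):
    """Sources whose peak RDP fan-out reaches `threshold` (assumed value)."""
    fan = rdp_fanout(flows, window)
    return sorted(src for src, n in fan.items() if n >= threshold)

def sample_flows():
    """Constructed flow records; every address here is made up."""
    flows = []
    for i in range(20):   # workstation sweeping 20 hosts in 20 seconds
        flows.append((1000 + i, "10.0.0.23", f"10.0.1.{i + 1}", 3389, "tcp"))
    for i in range(30):   # admin jump host reusing the same 3 servers
        flows.append((1000 + 2 * i, "10.0.0.5", f"10.0.2.{i % 3 + 1}", 3389, "tcp"))
    for i in range(20):   # wide fan-out, but on 443/TCP, so ignored
        flows.append((1000 + i, "10.0.0.40", f"10.0.3.{i + 1}", 443, "tcp"))
    for i in range(12):   # 12 RDP targets spread 100 s apart: below threshold
        flows.append((1000 + 100 * i, "10.0.0.77", f"10.0.4.{i + 1}", 3389, "tcp"))
    return flows

if __name__ == "__main__":
    for src, n in sorted(rdp_fanout(sample_flows()).items()):
        print(f"{src}: peak {n} distinct RDP destinations per 60 s")
    print("flagged:", flag_scanners(sample_flows()))
```

The last sample host shows the limit of a short window: a scan paced slower than the window stays under the threshold, so the window and threshold need tuning against normal administrative RDP use.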

If authentication is successful, Morto drops its components on the targeted computer, including the files %windows%\temp\ntshrui.dll and \windows\offline web pages\cache.txt.

The worm reports back to a command and control server by querying several predefined domain names and IP addresses from where it can download other files.

The main functionality of Morto is to launch distributed denial-of-service (DDoS) attacks. It also kills processes that contain certain strings matching many popular security applications.

According to a scan on VirusTotal, 19 of the 44 antivirus engines used by the service currently detect the threat. Users are advised to disable RDP on computers that don't need it, or to set a strong password for the Administrator account if they decide to keep it enabled.

Some people initially suspected that the worm might be exploiting an RDP vulnerability patched earlier this month (MS11-065) to spread. However, that's not the case, because that flaw can only result in denial of service, not arbitrary code execution.

Nevertheless, users should apply all available security patches for their operating system and should run an up-to-date antivirus program at all times.