Over the weekend, Microsoft and F-secure issued warnings about a new global threat called “Morto”, and The Internet Storm Center has been seeing a large spike in traffic on Port 3389.
The spike looks to have been caused by the RDP (Remote Desktop) portion of the worm calling around looking for RDP connections. Once it finds one, it uses a small list of weak passwords and ..pwnage ensues.
Symantec detects this threat as W32.Morto and Security Response and will continue to perform deeper analysis throughout the next several days. So far, they have uncovered several dozen different MD5s that are all part of this same threat family.
Signs of Morto in your environment
As we learned with W32.Downadup: Brute force attacks + Small list of passwords = Account lockouts.
As with any media blitz its easy to hear hoofbeats and think whatever zebra is in the headlines. So be careful, because every account lockout issue is no longer indicative of W32.Downadup scenario. Also, this is going to get a lot of press, so be ready to answer questions from your boss, and freinds.
Detection information: RR definitions sequence: 126643 contain the initial detection as Backdoor.Trojan. RR definitions sequence: 126648 contains the renamed detection as W32.Morto Certified definitions: August 29, 2011 revision 002
Actions: Block known URLs (see Write-up) Use strong passwords
Additional reading:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2011-082908-4116-99
http://isc.sans.org/
http://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811
http://www.f-secure.com/weblog/archives/00002227.html