RDP stands for Remote Desktop Protocol, which uses TCP Port 3389 and enables users to control the desktop of the other computer, RDP's are mostly used in organizations and business environments. Recently a new worm named as Morto worm has became the cause behind the spike in traffic to TCP Port 3389 (Which is used by RDP) according to a report by Fsecure.
How Does The Morto Worm Work?
Morto worm works by starting infecting a single maching (with remote desktop), Once the single machine has been infected it then scans the network for other computers with remote desktop, In technical words scanning network for port 3389 enabled, Once it finds the target computer , it then try to connect with those Remote desktop computers by using the RDP default passwords, here is the list of the passwords which moto tries:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
As you can see from the above password list, that Morto worm is using a very basic dictionaryattack to compromise the remote desktops. The worm also creates several new files includingdll and txt files. As reported by Fsecure:
The infection will create several new files on the system including\windows\system32\sens32.dll and
\windows\offline web pages\cache.txt
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net
We've seen several different samples. Some MD5 hashes include:
0c5728b3c22276719561049653c71b8414284844b9a5aaa680f6be466d71d95b
The worm could get more devivasting if brute forcing support is enabled, or a tool like Ncrack is integrated in to this worm, Ncrack is a very powerful RDP Cracker, but it's slow some times and will work on vulnerable machines only.
By now you might have figured out the solution of this problem by your self, If not, It's simple "Use Strong passwords".
0 comments