Death worm phones home over DNS

A worm has been found attempting to hijack computers via the Remote Desktop Protocol (RDP), which is commonly used for technical support.

The SANS Institute Internet Storm Center has reported that traffic over RDP had increased ten-fold, which was a “key indicator that there is an increase of infected hosts that are looking to exploit open RDP services”.
The worm, dubbed ‘Morto’ (meaning death), compromises Windows servers and workstations by scanning subnets for open Remote Desktop connections and guessing administrator passwords such as ‘12345’, ‘server’ and ‘password’.

Credit: SANS

Microsoft has warned that the worm could be used to launch denial-of-service attacks against targets nominated by its command servers.

It attempts to terminate popular anti-virus programs, including Sophos, McAfee, Symantec and ClamAV.
Users on a Microsoft security forum who noticed reams of outgoing 3389/TCP traffic reported that many anti-virus programs failed to detect the worm; even fully patched systems were infected.
Once a connection has been established, Morto copies DLL files to a temporary drive labelled ‘A’.
This contains an installer and a payload, clb.dll, which is placed in the Windows directory so that it is loaded in preference to the legitimate DLL of the same name.
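The subnet sweep described above leaves a tell-tale pattern in outbound connection logs: one host opening RDP connections to many distinct addresses in a short window, which an administrator running a support session does not do. The following detector is an added example, not part of the ITNews extract; the log format and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound connection log (hypothetical firewall format):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
SAMPLE_LOG = """\
2011-08-28T10:00:01 10.0.5.12 -> 10.0.6.1:3389/tcp
2011-08-28T10:00:01 10.0.5.12 -> 10.0.6.2:3389/tcp
2011-08-28T10:00:02 10.0.5.12 -> 10.0.6.3:3389/tcp
2011-08-28T10:00:02 10.0.5.12 -> 10.0.6.4:3389/tcp
2011-08-28T10:00:03 10.0.5.12 -> 10.0.6.5:3389/tcp
2011-08-28T10:00:03 10.0.5.12 -> 10.0.6.6:3389/tcp
2011-08-28T10:00:04 10.0.5.12 -> 10.0.6.7:3389/tcp
2011-08-28T10:00:04 10.0.5.12 -> 10.0.6.8:3389/tcp
2011-08-28T10:00:05 10.0.5.12 -> 10.0.6.9:3389/tcp
2011-08-28T10:00:05 10.0.5.12 -> 10.0.6.10:3389/tcp
2011-08-28T10:00:09 10.0.5.40 -> 10.0.6.1:3389/tcp
2011-08-28T10:00:10 10.0.5.40 -> 10.0.7.20:443/tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(\w+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, port, proto), skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), proto.lower()

def rdp_scanners(log_text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: max_distinct_targets} for sources that opened 3389/tcp
    connections to at least `min_targets` distinct hosts inside `window`."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, port, proto in parse(log_text):
        if port == 3389 and proto == "tcp":
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological, so a sliding window is a simple slice
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    print(rdp_scanners(SAMPLE_LOG))  # {'10.0.5.12': 10}
```

The single repeated 10.0.5.40 session is left alone; only the fan-out host is flagged, which keeps legitimate support sessions out of the alert.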

Strong user passwords, enabled firewalls and frequently updated software and anti-virus would stop Morto in its tracks!

The above is an extract from ITNews