{"id":1987,"date":"2011-09-28T11:05:18","date_gmt":"2011-09-28T05:35:18","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=1987"},"modified":"2011-10-03T11:08:29","modified_gmt":"2011-10-03T05:38:29","slug":"death-worm-phones-home-over-dns","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/death-worm-phones-home-over-dns\/","title":{"rendered":"Death worm phones home over DNS"},"content":{"rendered":"<p>A worm has been found attempting to hijack computers via the Remote Desktop Protocol (RDP), which is commonly used for technical support.<\/p>\n<p>&nbsp;<\/p>\n<p><!--more--><br \/>\nThe SANS Institute Internet Storm Centre has reported that traffic over RDP had increased ten-fold, which was a \u201ckey indicator that there is an increase of infected hosts that are looking to exploit open RDP services\u201d.<br \/>\nThe worm, dubbed \u2018Morto\u2019 or \u2018death\u2019, compromises Windows servers and workstations by scanning subnets for remote desktop connections and guessing administrator passwords such as \u201812345\u2019, \u2018server\u2019 and \u2018password\u2019.<\/p>\n<p>&nbsp;<\/p>\n<p><figure id=\"attachment_1975\" aria-describedby=\"caption-attachment-1975\" style=\"width: 300px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.qadit.com\/blog\/wp-content\/sans.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.qadit.com\/blog\/wp-content\/sans-300x250.jpg\" alt=\"Credit: SANS\" width=\"300\" height=\"250\" class=\"size-medium wp-image-1975\" srcset=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/sans-300x250.jpg 300w, https:\/\/qadit.com\/blog\/wp-content\/uploads\/sans.jpg 419w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-1975\" class=\"wp-caption-text\">&quot;Credit: SANS&quot;<\/figcaption><\/figure><br \/>\n&nbsp;<\/p>\n<p>Microsoft has stated that the worm could be used to launch denial-of-service attacks against targets nominated by command 
servers<\/p>\n<p>&nbsp;<\/p>\n<p>It attempts to terminate popular anti-virus programs, including Sophos, McAfee, Symantec and ClamAV.<br \/>\nUsers on a Microsoft Security Forum who noticed reams of outgoing 3389\/TCP traffic have reported that many anti-virus programs failed to detect the worm. Even fully patched systems were infected.<br \/>\nOnce a connection has been established, Morto copies DLL files to a temporary drive labeled \u2018A\u2019.<br \/>\nThis contains an installer and a payload file, clb.dll, which executes from the Windows directory in preference to the legitimate DLL of the same name.<\/p>\n<p>&nbsp;<\/p>\n<p>Strong passwords, enabled firewalls and frequent updating of software and anti-virus would be a threat to Morto!<\/p>\n<p>&nbsp;<\/p>\n<p>The above is an extract from <a href=\"https:\/\/www.itnews.com.au\/News\/268438,internet-death-worm-found.aspx\">ITNews<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A worm has been found attempting to hijack computers via the Remote Desktop Protocol (RDP), which is commonly used for technical support. 
&nbsp;<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[209,200],"class_list":["post-1987","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-deathworm","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-w3","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1987","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=1987"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1987\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=1987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=1987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=1987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}