A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via RDP (Remote Desktop Protocol). The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows.
Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003.
“In a new windows 2003 R2 server, I’m noticing every few minutes, svshost.exe [sic] is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it’s clean. Can it be hacked already??? has anyone seen this before?,” one user asked in Microsoft’s TechNet forum.
On Sunday, the SANS Internet Storm Center reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it’s on a new machine is that it scans the local network for other PCs and servers to infect.
“A few weeks ago a diary posted by Dr. J pointed out a spike in port3389 traffic. Since then the sources have spiked ten fold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services.” SANS handler Kevin Shortt said in a blog post.
Researchers at F-Secure said that Morto is the forst Internet worm to use RDP as an infection vector. Once it’s on a new machine and has successfully found another PC to infect, it starts trying a long list of possible passwords for the RDP service.
“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port,” F-Secure Chief Research Officer Mikko Hypponen said in a blog post.
“Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Monto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including \windows\system32\sens32.dll and\windows\offline web pages\cache.txt. Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.”
It’s been quite a while since there was a large-scale Internet worm attack. Once upon a time, worms such as Blaster, Code Red and SQL Slammer were all the rage and found success clogging networks with enormous amounts of scanning traffic and other activity. But those kinds of events have become an anachronism as attackers have turned the attention to for-profit attacks.