Advisory: Morto RDP Worm

Hurricane Labs has become aware of a new Internet worm, discovered by F-Secure, which is being referred to as "Morto". The Morto RDP worm is unique in that it uses MS-RDP (Remote Desktop Protocol) as its spreading vector. Once a host is infected, the Morto software is installed and the local network is scanned for open RDP servers. When an open server is found, a list of common passwords is tried against the Administrator login. Once a connection is made, Morto uses the remote drive access feature of RDP to copy files to the compromised system.

We highly recommend blocking RDP at your network edge, at either your Internet routers or your Internet firewall. Any and all open RDP should be actively monitored for attacks, both brute-force login attacks and protocol vulnerability attacks.
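The monitoring recommended above can be approximated by watching the Windows Security log for bursts of failed RDP logons (event 4625, logon type 10) followed by a success (event 4624) from the same source, which is the pattern a password-list attack against the Administrator account would leave. The example below is added here and is not Hurricane Labs or F-Secure code; the event lines, the five-failures-in-two-minutes threshold and the simplified field layout are constructed assumptions, not a real log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real log): time, event id, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2011-08-28T10:00:01 4625 10 192.168.1.77 Administrator
2011-08-28T10:00:02 4625 10 192.168.1.77 Administrator
2011-08-28T10:00:03 4625 10 192.168.1.77 Administrator
2011-08-28T10:00:04 4625 10 192.168.1.77 Administrator
2011-08-28T10:00:05 4625 10 192.168.1.77 Administrator
2011-08-28T10:00:06 4624 10 192.168.1.77 Administrator
2011-08-28T10:05:00 4625 10 10.0.0.5 jsmith
2011-08-28T10:09:00 4624 10 10.0.0.5 jsmith
"""


def parse_events(text):
    """Parse one whitespace-separated event per line into a dict."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, source, account = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "source": source, "account": account})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag each source IP with >= threshold failed RDP logons inside `window`, and record
    whether a successful RDP logon from that source followed the burst (likely compromise)."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:  # only RDP (RemoteInteractive) logons are of interest
            by_source[ev["source"]].append(ev)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        for i in range(len(failures) - threshold + 1):   # sliding window over failures
            burst = failures[i:i + threshold]
            if burst[-1]["time"] - burst[0]["time"] <= window:
                burst_end = burst[-1]["time"]
                success = any(e["event_id"] == 4624 and e["time"] > burst_end for e in evs)
                alerts.append({"source": source, "failures": len(failures),
                               "accounts": sorted({e["account"] for e in burst}),
                               "success_after_burst": success})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A hit with `success_after_burst` set is the case to escalate first: the failures alone may be a blocked scan, but a success right after them matches the worm's spreading behaviour described above.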

As a mitigation tactic, Hurricane Labs recommends adding a new rule to the Threat Management section of your firewall blocking inbound RDP traffic to all hosts where you don’t explicitly require it.

If you have any questions regarding Morto or its potential impact to your network, please feel free to put in a call to our support team at 216-923-1330 x2 or 888-276-4106 x2.

Thank you.

http://hlurl.com/8fx << F-Secure blog post
http://hlurl.com/8fw << Microsoft Technet forum thread
http://hlurl.com/8fy << The Register
http://hlurl.com/8fz << ISC Diary
