Got a weak password? Beware of Mr. Morto.
- By Chris Paoli
- Aug 31, 2011
Users of Microsoft's Remote Desktop Protocol might want to make sure they have strong passowrd in place. The company is warning of a new worm that attempts to use RDP connections, which give users a look into another PC, to try to guess simple login and password information of users.
Nicknamed "Morto," the worm is uploaded to a PC when a user uploads a Windows DLL file. It then goes to work, looking for unsophisticated passwords and login credentials by trying a list of the thirty most often used passwords (for example, password, admin, 1111, etc.).
A number of recent studies, along with password files exposed by hackers, have shown that weak password combinations are all too common.
One more reason why passwords are no darn good
Gawker hack: Another glimpse into password practices
"Once a new system is compromised, [Morto] connects to a remote server in order to download additional information and update its components," wrote Microsoft's Hil Gradascevic in a TechNet blog. "It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted."
Security firm F-Secure, which was responsible for alerting Microsoft to the new threat, speculated that the worm's main functionality is to carry out a denial-of-service attack against specified targets. The company also pointed out that the worm could be difficult to locate. "As it is the malicious DLL that gets loaded, the regedit command does not show any graphic user interface (GUI) as it normally does," F-Secure said in a threat bulletin. "It decrypts and loads the encrypted payload saved at HKLM\System\Wpa\md registry value. This is when the payload takes control."
While Microsoft has labeled the alert level of this possible intrusion as "severe," as of Saturday, only a few thousand PCs had been infected by Morto, with 74 percent of recorded infections occurring on Windows XP machines.
The company is recommending users make sure that they use unique passwords that feature both numbers, letters and symbols -- the worm only has a limited amount of simple passwords it scans for.
Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.