BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

1999 Called, It Wants Its Morto Worm Back

Post by Marc Maiffret August 28, 2011

I had to do a double take on my Google Alerts this weekend when I saw the first of discussions around a worm dubbed “Morto” infecting systems via weak password brute forcing of Windows accounts over the Remote Desktop Protocol (“RDP”). These automated worms take me back, to the old days of CodeRed, Slammer, Sasser, Blaster, etc…

But at least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP.

One would think that in 2011 such a basic attack would not have much legs but it seems that Anti-Virus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute forcing.

The always on-point folks at Slashdot are correct in pointing out the sad truth; if there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet. That’s cause this threat (and success) continues to highlight a mindset of reactive security that still dominates a big portion of the IT conscious. Most people working in IT are so busy trying to do more and more with less resources that even covering the basics sometimes is a challenge and at the end of the day most people in IT typically result to firefighting instead of doing the right things with security to prevent fires in the first place.

There are so many reasons you should NOT be compromised by this silly “worm”. Let me highlight three:

Reason 1. You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely. This goes in line with something we constantly repeat on our monthly Vulnerability Expert Forum, “Attack Surface is everything.” Sales guys say “ABC, Always Be Closing”. Security guys says “ABM, Always Be Minimizing”, your attack surface that is. You need to always be minimizing your attack surface, and a great example of that is not allowing RDP to be probed by any joe hacker with a port scanner.

Reason 2. You know better than to use weak passwords. This is one of those recommendations I have stopped saying because, well, if you haven’t figured this out by now…it’s probably too late. Luckily if people are using more modern versions of Windows OS Microsoft requires stronger passwords by default so you are not likely to fall victim to this threat.  Thanks Redmond

Reason 3. You’re crafty. Like most Worms, this one works on known entities, which in this case means it only knows to probe for RDP on its default port. Not that I am a big believer in security by obscurity, it never hurts to throw off your run-of-the-mill attackers and worms by changing services to use non-standard ports. This can be done for RDP through a simple registry key change which makes it easy to standardize across your entire network if you so choose.

And the list goes on…

If you work in IT and look at a threat like this and are thinking “I hope my AV catches this malware” then you are looking at the world through a 90’s era lens. The reality is that to truly achieve good security in today’s world you need common sense and a good process and solution to identify and manage your network and system vulnerabilities and misconfigurations.

I will spare you the sales pitch of how eEye’s solutions can easily help proactively prevent not just the specific threat of Morto but any variation of it and beyond. The heart of this all comes back to what type of IT environment you want to live in… one filled with constant fires, panic patching, and reactive clean-ups, or one of proactive identification and remediation of security vulnerabilities and misconfigurations that cut out the root cause of why computers are compromised.

Malware is not the problem. I repeat, malware is not the problem. What is the problem? A world that continues to think “How do I identify and clean up X million pieces of malware?” vs. “How do I identify and properly manage system and user vulnerabilities that attackers are leveraging to plant malware on my systems in the first place?”

I get that proactive security technologies are not sexy. But that silver bullet everyone is waiting for that will magically protect a system without IT having to make any effort to properly configure and remediate vulnerabilities, it is not coming, ever.

Tags:
, ,

Leave a Reply

Additional articles

smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,
BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,
insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,