BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

1999 Called, It Wants Its Morto Worm Back

Posted August 28, 2011    Marc Maiffret

I had to do a double take on my Google Alerts this weekend when I saw the first of discussions around a worm dubbed “Morto” infecting systems via weak password brute forcing of Windows accounts over the Remote Desktop Protocol (“RDP”). These automated worms take me back, to the old days of CodeRed, Slammer, Sasser, Blaster, etc…

But at least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP.

One would think that in 2011 such a basic attack would not have much legs but it seems that Anti-Virus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute forcing.

The always on-point folks at Slashdot are correct in pointing out the sad truth; if there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet. That’s cause this threat (and success) continues to highlight a mindset of reactive security that still dominates a big portion of the IT conscious. Most people working in IT are so busy trying to do more and more with less resources that even covering the basics sometimes is a challenge and at the end of the day most people in IT typically result to firefighting instead of doing the right things with security to prevent fires in the first place.

There are so many reasons you should NOT be compromised by this silly “worm”. Let me highlight three:

Reason 1. You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely. This goes in line with something we constantly repeat on our monthly Vulnerability Expert Forum, “Attack Surface is everything.” Sales guys say “ABC, Always Be Closing”. Security guys says “ABM, Always Be Minimizing”, your attack surface that is. You need to always be minimizing your attack surface, and a great example of that is not allowing RDP to be probed by any joe hacker with a port scanner.

Reason 2. You know better than to use weak passwords. This is one of those recommendations I have stopped saying because, well, if you haven’t figured this out by now…it’s probably too late. Luckily if people are using more modern versions of Windows OS Microsoft requires stronger passwords by default so you are not likely to fall victim to this threat.  Thanks Redmond

Reason 3. You’re crafty. Like most Worms, this one works on known entities, which in this case means it only knows to probe for RDP on its default port. Not that I am a big believer in security by obscurity, it never hurts to throw off your run-of-the-mill attackers and worms by changing services to use non-standard ports. This can be done for RDP through a simple registry key change which makes it easy to standardize across your entire network if you so choose.

And the list goes on…

If you work in IT and look at a threat like this and are thinking “I hope my AV catches this malware” then you are looking at the world through a 90’s era lens. The reality is that to truly achieve good security in today’s world you need common sense and a good process and solution to identify and manage your network and system vulnerabilities and misconfigurations.

I will spare you the sales pitch of how eEye’s solutions can easily help proactively prevent not just the specific threat of Morto but any variation of it and beyond. The heart of this all comes back to what type of IT environment you want to live in… one filled with constant fires, panic patching, and reactive clean-ups, or one of proactive identification and remediation of security vulnerabilities and misconfigurations that cut out the root cause of why computers are compromised.

Malware is not the problem. I repeat, malware is not the problem. What is the problem? A world that continues to think “How do I identify and clean up X million pieces of malware?” vs. “How do I identify and properly manage system and user vulnerabilities that attackers are leveraging to plant malware on my systems in the first place?”

I get that proactive security technologies are not sexy. But that silver bullet everyone is waiting for that will magically protect a system without IT having to make any effort to properly configure and remediate vulnerabilities, it is not coming, ever.

Tags:
, ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,