BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

1999 Called, It Wants Its Morto Worm Back

Posted August 28, 2011    Marc Maiffret

I had to do a double take on my Google Alerts this weekend when I saw the first of discussions around a worm dubbed “Morto” infecting systems via weak password brute forcing of Windows accounts over the Remote Desktop Protocol (“RDP”). These automated worms take me back, to the old days of CodeRed, Slammer, Sasser, Blaster, etc…

But at least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP.

One would think that in 2011 such a basic attack would not have much legs but it seems that Anti-Virus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute forcing.

The always on-point folks at Slashdot are correct in pointing out the sad truth; if there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet. That’s cause this threat (and success) continues to highlight a mindset of reactive security that still dominates a big portion of the IT conscious. Most people working in IT are so busy trying to do more and more with less resources that even covering the basics sometimes is a challenge and at the end of the day most people in IT typically result to firefighting instead of doing the right things with security to prevent fires in the first place.

There are so many reasons you should NOT be compromised by this silly “worm”. Let me highlight three:

Reason 1. You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely. This goes in line with something we constantly repeat on our monthly Vulnerability Expert Forum, “Attack Surface is everything.” Sales guys say “ABC, Always Be Closing”. Security guys says “ABM, Always Be Minimizing”, your attack surface that is. You need to always be minimizing your attack surface, and a great example of that is not allowing RDP to be probed by any joe hacker with a port scanner.

Reason 2. You know better than to use weak passwords. This is one of those recommendations I have stopped saying because, well, if you haven’t figured this out by now…it’s probably too late. Luckily if people are using more modern versions of Windows OS Microsoft requires stronger passwords by default so you are not likely to fall victim to this threat.  Thanks Redmond

Reason 3. You’re crafty. Like most Worms, this one works on known entities, which in this case means it only knows to probe for RDP on its default port. Not that I am a big believer in security by obscurity, it never hurts to throw off your run-of-the-mill attackers and worms by changing services to use non-standard ports. This can be done for RDP through a simple registry key change which makes it easy to standardize across your entire network if you so choose.

And the list goes on…

If you work in IT and look at a threat like this and are thinking “I hope my AV catches this malware” then you are looking at the world through a 90’s era lens. The reality is that to truly achieve good security in today’s world you need common sense and a good process and solution to identify and manage your network and system vulnerabilities and misconfigurations.

I will spare you the sales pitch of how eEye’s solutions can easily help proactively prevent not just the specific threat of Morto but any variation of it and beyond. The heart of this all comes back to what type of IT environment you want to live in… one filled with constant fires, panic patching, and reactive clean-ups, or one of proactive identification and remediation of security vulnerabilities and misconfigurations that cut out the root cause of why computers are compromised.

Malware is not the problem. I repeat, malware is not the problem. What is the problem? A world that continues to think “How do I identify and clean up X million pieces of malware?” vs. “How do I identify and properly manage system and user vulnerabilities that attackers are leveraging to plant malware on my systems in the first place?”

I get that proactive security technologies are not sexy. But that silver bullet everyone is waiting for that will magically protect a system without IT having to make any effort to properly configure and remediate vulnerabilities, it is not coming, ever.

Tags:
, ,

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,