Morto: RDP worm of death?

Filed Under: Malware, SophosLabs

Worm cracking passwords
Over the last few days we have seen some media buzz about a worm called Morto.

Morto is an old-fashioned internet worm, which targets Windows workstations and servers by exploiting poorly-chosen weak passwords to spread via Remote Desktop Protocol (RDP) connections (port 3389).

If a large number of computers on your local network were infected, the traffic generated by the Morto worm's password-guessing attempts could be significant enough to effectively clog your network.

Although the Morto worm has received a lot of press attention we need to keep the threat in proportion. SophosLabs has received a very low number of reports of this worm being seen in the wild - other threats which are less exciting to the media are infecting considerably more computers.

Possible reasons for the low number of Morto reports may be that Sophos customers have chosen better passwords on their shares, or because Sophos products had detection relatively early on for this compared to some competitors. (See this VirusTotal report from 26 August 2011, for instance).

Sophos has actually had detection for the various components of the Morto worm as Troj/Agent-TEE, Troj/SvcLoad-A and Troj/SvcLoad-B since 5th August 2011.

However, due to the interest stirred up by media reports we are merging (and updating) our detection and are now protecting against the worm as Mal/Morto-A.

The worm attempts to spread to network shares using port 3389 (RDP), and tries to read and write to files in the remote folder \\tsclient\a\.

How is it possible for Morto to spread across your network? Well, Morto has in its armoury a library of commonly-used passwords. If your network relies upon poorly chosen passwords such as "password", or sequences of letters or repeated numbers then you could be at risk.

Therefore, it is not possible to emphasise enough the importance of using sensible passwords on your network: not just on the areas of your network that you don't want your users to traipse through, but also on the default network shares that are present on installations of commonly used operating systems.
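As an added illustration (not code from the post or from Sophos), here is a Python check that flags the password classes the post names as Morto fodder: common dictionary words, letter or digit sequences, and repeated characters. It goes slightly beyond the post by also stripping trailing digits (so "Password1" is still caught) and by assuming a 12-character minimum; the word list and the minimum length are my assumptions, not the worm's actual dictionary.

```python
import re
from typing import Optional

# Constructed sample of common passwords; stands in for a worm's dictionary.
# Assumption: this is NOT Morto's actual list, which the post does not reproduce.
COMMON_WORDS = {"password", "admin", "administrator", "letmein", "welcome", "qwerty"}

MIN_LENGTH = 12  # assumption: a sensible minimum, not a figure from the post


def _is_run(s: str, step: int) -> bool:
    """True if consecutive characters differ by exactly `step` (e.g. 'abcd' or '4321')."""
    return len(s) >= 3 and all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def weak_password_reason(pw: str) -> Optional[str]:
    """Return why `pw` would fall to a Morto-style dictionary, or None if it passes.

    The checks mirror the weak classes the post names (common words, letter
    sequences, repeated numbers). Trailing digits are stripped first so that
    'password1' or 'abc123' do not slip past the word and sequence checks.
    """
    core = pw.lower()
    if not core:
        return "empty"
    stripped = re.sub(r"\d+$", "", core)
    base = stripped or core  # keep all-digit passwords intact for the checks below
    if base in COMMON_WORDS:
        return "common word"
    if len(set(base)) == 1:
        return "repeated character"
    if _is_run(base, 1) or _is_run(base, -1):
        return "sequential characters"
    if len(pw) < MIN_LENGTH:
        return "too short"
    return None


def audit(candidates):
    """Map each candidate password to its weakness reason (None means acceptable)."""
    return {pw: weak_password_reason(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs covering each weak class plus one acceptable password.
    samples = ["password", "Password1", "aaaaaa", "123456", "654321", "abcdef12", "7x!Rq2#mL9vB"]
    for pw, reason in audit(samples).items():
        print(f"{pw!r}: {reason or 'ok'}")
```

A check like this belongs wherever passwords are set (a filter on the domain controller or the provisioning script), since it is the guessed password, not the RDP service itself, that lets Morto in.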


Interestingly, the Morto worm has gone through several revisions. We discovered the strings "LVer1.23", "LVer1.25", "LVer1.33" and "LVer1.35" all followed by 'moto' indicating a development cycle in the construction of this worm.

Read our technical description of Mal/Morto-A.


One Response to Morto: RDP worm of death?

  1. EJH · 1209 days ago

    We saw this worm on our network just this morning. Odd that it got around our AV that supposedly has had it in its signatures since fall of 2011.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.