NetFort Advertising

Three Lessons from the Morto Worm Outbreak

Morto Worm

What did we learn from the Morto Worm outbreak?

The NetFort Security NOC have identified some systems on our customer networks that are infected with the Morto worm. The worm targets systems that are running Remote Desktop Protocol.

You might think your systems are immune from infection from the Morto worm due to the fact that they are fully patched, however you would be wrong in making this assumption. Historically, malicious worms have targeted systems running software that contained some flaw in the system logic (for example, a buffer overflow). The Morto worm is different in that it targets systems that are vulnerable due to a poor configuration (a weak password).

Three Lessons from the Morto Worm:

  • Every account should have a strong password, typically with a minimum length of 16 characters, sufficient complexity.
  • If you must enable RDP access to a system on your network, ensure that the firewall rule enabling this access is specific to an IP address or at worst a particular subnet. Firewall rules should be continuously monitored and rules should be removed when they are no longer needed.
  • Monitor your network so that you can detect if hosts on the network are infected, and more importantly, so that you can identity how infected systems are coming on to your network.

The LANGuardian report set has been updated to include a report that will highlight systems scanning on RDP server port (3389). The built-in malware list on LANGuardian has also been updated with a list of host names associated with this worm.