1999 Called, It Wants Its Morto Worm Back
I had to do a double take on my Google Alerts this weekend when I saw the first of discussions around a worm dubbed “Morto” infecting systems via weak password brute forcing of Windows accounts over the Remote Desktop Protocol (“RDP”). These automated worms take me back, to the old days of CodeRed, Slammer, Sasser, Blaster, etc…
But at least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP.
One would think that in 2011 such a basic attack would not have much legs but it seems that Anti-Virus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute forcing.
The always on-point folks at Slashdot are correct in pointing out the sad truth; if there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet. That’s cause this threat (and success) continues to highlight a mindset of reactive security that still dominates a big portion of the IT conscious. Most people working in IT are so busy trying to do more and more with less resources that even covering the basics sometimes is a challenge and at the end of the day most people in IT typically result to firefighting instead of doing the right things with security to prevent fires in the first place.
There are so many reasons you should NOT be compromised by this silly “worm”. Let me highlight three:
Reason 1. You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely. This goes in line with something we constantly repeat on our monthly Vulnerability Expert Forum, “Attack Surface is everything.” Sales guys say “ABC, Always Be Closing”. Security guys says “ABM, Always Be Minimizing”, your attack surface that is. You need to always be minimizing your attack surface, and a great example of that is not allowing RDP to be probed by any joe hacker with a port scanner.
Reason 2. You know better than to use weak passwords. This is one of those recommendations I have stopped saying because, well, if you haven’t figured this out by now…it’s probably too late. Luckily if people are using more modern versions of Windows OS Microsoft requires stronger passwords by default so you are not likely to fall victim to this threat. Thanks Redmond
Reason 3. You’re crafty. Like most Worms, this one works on known entities, which in this case means it only knows to probe for RDP on its default port. Not that I am a big believer in security by obscurity, it never hurts to throw off your run-of-the-mill attackers and worms by changing services to use non-standard ports. This can be done for RDP through a simple registry key change which makes it easy to standardize across your entire network if you so choose.
And the list goes on…
If you work in IT and look at a threat like this and are thinking “I hope my AV catches this malware” then you are looking at the world through a 90’s era lens. The reality is that to truly achieve good security in today’s world you need common sense and a good process and solution to identify and manage your network and system vulnerabilities and misconfigurations.
I will spare you the sales pitch of how eEye’s solutions can easily help proactively prevent not just the specific threat of Morto but any variation of it and beyond. The heart of this all comes back to what type of IT environment you want to live in… one filled with constant fires, panic patching, and reactive clean-ups, or one of proactive identification and remediation of security vulnerabilities and misconfigurations that cut out the root cause of why computers are compromised.
Malware is not the problem. I repeat, malware is not the problem. What is the problem? A world that continues to think “How do I identify and clean up X million pieces of malware?” vs. “How do I identify and properly manage system and user vulnerabilities that attackers are leveraging to plant malware on my systems in the first place?”
I get that proactive security technologies are not sexy. But that silver bullet everyone is waiting for that will magically protect a system without IT having to make any effort to properly configure and remediate vulnerabilities, it is not coming, ever.