Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

1999 Called, It Wants Its Morto Worm Back

August 29, 2011

  • Blog
  • Archive
I had to do a double take on my Google Alerts this weekend when I saw the first of discussions around a worm dubbed “Morto” infecting systems via weak password brute forcing of Windows accounts over the Remote Desktop Protocol (“RDP”). These automated worms take me back, to the old days of CodeRed, Slammer, Sasser, Blaster, etc… But at least most of those were actually leveraging a software vulnerability to exploit and gain control of a system. Morto on the other hand appears to simply attempt to compromise systems by trying ~30 common passwords for the Windows Administrator account over RDP. One would think that in 2011 such a basic attack would not have much legs but it seems that Anti-Virus companies and SANS are seeing an increase in RDP network traffic with the most likely culprit being that of Morto infecting systems via RDP Windows account brute forcing. The always on-point folks at Slashdot are correct in pointing out the sad truth; if there are companies in this day and age being compromised by Morto, we have bigger problems to worry about than the “APT” or Stuxnet. That’s cause this threat (and success) continues to highlight a mindset of reactive security that still dominates a big portion of the IT conscious. Most people working in IT are so busy trying to do more and more with less resources that even covering the basics sometimes is a challenge and at the end of the day most people in IT typically result to firefighting instead of doing the right things with security to prevent fires in the first place. There are so many reasons you should NOT be compromised by this silly “worm”. Let me highlight three: Reason 1. You should never allow RDP access directly from the Internet, without, at the very least, requiring VPN authentication, before gaining access to corporate servers remotely. This goes in line with something we constantly repeat on our monthly Vulnerability Expert Forum, “Attack Surface is everything.” Sales guys say “ABC, Always Be Closing”. Security guys says “ABM, Always Be Minimizing”, your attack surface that is. You need to always be minimizing your attack surface, and a great example of that is not allowing RDP to be probed by any joe hacker with a port scanner. Reason 2. You know better than to use weak passwords. This is one of those recommendations I have stopped saying because, well, if you haven’t figured this out by now…it’s probably too late. Luckily if people are using more modern versions of Windows OS Microsoft requires stronger passwords by default so you are not likely to fall victim to this threat. Thanks Redmond Reason 3. You're crafty. Like most Worms, this one works on known entities, which in this case means it only knows to probe for RDP on its default port. Not that I am a big believer in security by obscurity, it never hurts to throw off your run-of-the-mill attackers and worms by changing services to use non-standard ports. This can be done for RDP through a simple registry key change which makes it easy to standardize across your entire network if you so choose. And the list goes on… If you work in IT and look at a threat like this and are thinking “I hope my AV catches this malware” then you are looking at the world through a 90’s era lens. The reality is that to truly achieve good security in today’s world you need common sense and a good process and solution to identify and manage your network and system vulnerabilities and misconfigurations. I will spare you the sales pitch of how BeyondTrust’s solutions can easily help proactively prevent not just the specific threat of Morto but any variation of it and beyond. The heart of this all comes back to what type of IT environment you want to live in… one filled with constant fires, panic patching, and reactive clean-ups, or one of proactive identification and remediation of security vulnerabilities and misconfigurations that cut out the root cause of why computers are compromised. Malware is not the problem. I repeat, malware is not the problem. What is the problem? A world that continues to think “How do I identify and clean up X million pieces of malware?” vs. "How do I identify and properly manage system and user vulnerabilities that attackers are leveraging to plant malware on my systems in the first place?" I get that proactive security technologies are not sexy. But that silver bullet everyone is waiting for that will magically protect a system without IT having to make any effort to properly configure and remediate vulnerabilities, it is not coming, ever.
Photograph of Scott Lang

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts

Rising CISOs: Ransomware, Cyber Extortion, Cloud Compromise, oh my!

Whitepapers

A Zero Trust Approach to Windows & Mac Endpoint Security

Whitepapers

Mapping BeyondTrust Solutions to the Qatar National Information Assurance Policy v2.0

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.