Last weekend, Microsoft’s Malware Protection Centre (MPCC) detected a new worm that exploits weak passwords to infect Windows workstations and servers.
Dubbed ‘Morto’, the worm is similar to Slammer or CodeRed from years back, but with a twist: it spreads over Remote Desktop (RDP) connections, and an infected machine gives the attackers a foothold from which to reach the rest of the network. Once in, Morto connects to a remote server, updating its components and downloading further instructions. The worm can then terminate processes belonging to local security applications and perform Denial of Service (DoS) attacks against specified targets.
Clearswift Chief Software Engineer Paul Singh says this is the first time we’ve seen an attack of this nature. “This is probably a proof of concept attack that has worked a bit better than the perpetrators expected,” he says. While the attack utilises RDP, the weak point is not remote desktop access over the internet; the initial “in” for Morto is most likely to come via an infected email or visiting an infected site, says Singh. “As such, using VPN as a defence mechanism isn’t relevant. Perimeter security that scans email and web traffic to prevent infections in the first place is important.”
Singh says that Morto highlights just how easy it is to crack the most commonly used passwords. Worse still, the worm exposes “how lazy some administrators are, as Morto is targeting the passwords for admin accounts.”
“Recent attacks on popular sites like Gawker, RockYou and PSN gave hackers access to passwords that can be used to increase the statistical probability of guessing admin passwords correctly,” says Singh. And while some might question the relevance of Gawker users’ choice of passwords to IT admins, the list of user account names and password combos Morto has tried includes some real eye-openers: admin, root, owner, 1234, 123, password and 123123...
According to Singh, the simple solution to attacks of this nature is to adopt a more robust, well-defined and enforced password policy in the workplace. This can include clear guidelines around password complexity and the setting of basic password requirements such as length and a mix of upper- and lower-case letters and numbers.
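The policy Singh describes can be enforced mechanically before an admin password is accepted. The check below is an added example, not code from the article or from Clearswift: it applies the length and character-mix rules above and rejects any value from the list of credentials the article reports Morto trying. The minimum length of 12 is an assumption; the article gives no number.

```python
"""Password-policy check of the kind the article recommends (added example)."""
import re

# Values the article reports Morto trying; the page lists them without saying
# which were usernames and which were passwords, so all are blocked here.
MORTO_TRIED = {"admin", "root", "owner", "1234", "123", "password", "123123"}

MIN_LENGTH = 12  # assumed threshold, not from the article


def password_violations(candidate: str, username: str = "") -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if lowered in MORTO_TRIED:
        problems.append("appears in the list of values Morto tries")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "password"), ("admin", "Admin2011Backup"),
                     ("admin", "Correct-Horse-7Battery")]:
        print(user, pw, password_violations(pw, user) or "OK")
```

Because the blocklist comparison is case-insensitive and the account-name check looks for the username as a substring, trivial variants such as "Admin" or "admin2011" are caught as well as the exact values.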
Singh adds that the worm was detected through the unusual levels of network traffic it creates on certain ports: RDP scans, downloads, receiving commands and DNS queries for command-and-control servers. “This highlights the need for IT departments to constantly and proactively examine log files for unusual activity,” he says.
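The traffic pattern Singh mentions, one host opening RDP connections to many different machines, is straightforward to pick out of connection logs. The script below is an added example, not code from the article or from Clearswift: it parses a few constructed log lines in an assumed "timestamp src dst proto dport" format and reports any source that reaches an unusual number of distinct hosts on TCP port 3389. The threshold of five distinct targets is an assumption; tune it to what a given environment considers normal.

```python
"""Flag hosts whose outbound RDP fan-out looks like scanning (added example)."""
import re
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample lines in an assumed "timestamp src dst proto dport" format.
SAMPLE_LOG = """\
2011-08-28T10:00:01 10.0.0.5 10.0.0.20 tcp 3389
2011-08-28T10:00:01 10.0.0.5 10.0.0.21 tcp 3389
2011-08-28T10:00:02 10.0.0.5 10.0.0.22 tcp 3389
2011-08-28T10:00:02 10.0.0.5 10.0.0.23 tcp 3389
2011-08-28T10:00:03 10.0.0.5 10.0.0.24 tcp 3389
2011-08-28T10:00:03 10.0.0.5 10.0.0.25 tcp 3389
2011-08-28T10:00:04 10.0.0.9 10.0.0.20 tcp 3389
2011-08-28T10:00:05 10.0.0.9 10.0.0.20 tcp 3389
2011-08-28T10:00:06 10.0.0.7 10.0.0.1 udp 53
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line: str):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, proto, dport = m.groups()
    return src, dst, proto.lower(), int(dport)


def rdp_fanout(log_text: str, threshold: int = 5) -> dict[str, int]:
    """Map each source to its count of distinct TCP/3389 targets, keeping only
    sources that reach at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; skip rather than crash
        src, dst, proto, dport = parsed
        if proto == "tcp" and dport == RDP_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in rdp_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} opened RDP to {count} distinct hosts")
```

Counting distinct destinations rather than raw connections separates a host that repeatedly reconnects to one legitimate server (10.0.0.9 above) from one that sweeps across the subnet (10.0.0.5); the same per-source counting can be applied to DNS query volume to catch the command-and-control lookups the article describes.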
You can read more about Morto here.
Pamela Weaver