
New Worm Morto Using RDP To Infect Windows PCs

timothy posted about 3 years ago | from the my-heart-goes-out-to-you dept.

Security 200

Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."


200 comments


Finally (2)

jhoegl (638955) | about 3 years ago | (#37234952)

A lot of IT uses RDP to access servers remotely. Terminal Services is also used heavily by companies.

So I was wondering when someone would find and then use an exploit against them. It was only a matter of time :(.

The good news is the damage may be minimal as it seems to only affect 2k3 R2 servers, at least that is what is reported. It may be all of 2k3 or all 2k3/2k8.

Re:Finally (5, Informative)

jhoegl (638955) | about 3 years ago | (#37234984)

Hmmmm, after reading the article, I do not see any actual exploit being used, and it is required that the server or account that was seemingly brute forced (the only possible way) has some GPO allowances such as root C or D drive access and execute permissions on that drive.

Re:Finally (3, Informative)

jhoegl (638955) | about 3 years ago | (#37235010)

Yup, brute force... From a post in the linked thread

And in my current knowledge, if you get infected, it means you have a way too EASY PASSWORD. - Meitzi

Re:Finally (3, Informative)

jhoegl (638955) | about 3 years ago | (#37235030)

Re:Finally (5, Interesting)

jhoegl (638955) | about 3 years ago | (#37235052)

Finally finally... LOL

If you get hacked, you deserve it.

Compromising Remote Desktop connections on a network: Port 3389 (RDP)
Worm:Win32/Morto.A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems as administrator using passwords from the following list:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

Re:Finally (0)

Anonymous Coward | about 3 years ago | (#37235118)

Yes! They'll never guess my secret...wordpass!

Re:Finally (1)

Zumbs (1241138) | about 3 years ago | (#37235358)

or even better ... drowssap!

Re:Finally (1)

jayhawk88 (160512) | about 3 years ago | (#37235234)

Lol, I love it.

666666
888888

No....not 777777. They'll be expecting that.

Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

Re:Finally (1)

KiloByte (825081) | about 3 years ago | (#37235528)

We still have people setting local admin passwords to "admin" and 123?

There's more of them than those with reasonable passwords. I'm not counting those with medium strength [xkcd.com] in either group.

Seriously, "common sense" is not so common nowadays. And from what I see, the quality of passwords is actually going down.

Re:Finally (1)

Runaway1956 (1322357) | about 3 years ago | (#37236164)

If we haven't wiped ourselves out by the year 10,000, there will still be people using passwords like that. Even the equivalent to today's "security experts" will be caught now and then with idiotic passwords.

We claim to be intelligent, but sometimes the evidence makes that lie.

Re:Finally (1)

Lumpy (12016) | about 3 years ago | (#37236460)

It's just a silent commentary as to the quality of MCSEs thrown into a server administration role.

Most guys that are worth their salt demand silly salaries like $60,000-$90,000US a year instead of the new ITT grad that will accept $35,000 a year.

Again, you get what you pay for, and companies pay for 666666 as a server password.

Re:Finally (1)

DNS-and-BIND (461968) | about 3 years ago | (#37235456)

The worm actually tries the password 12345? Windows admins use this password to log in to their servers remotely? Somebody must, otherwise the worm wouldn't spread. That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:Finally (1)

Anonymous Coward | about 3 years ago | (#37235632)

This story is taking too long. Prepare to Fast Forward!

Re:Finally (1)

Inda (580031) | about 3 years ago | (#37235838)

Seems a strangely short list.

No "god"? No "love"?

Why not 100 or 1000 common passwords?

Re:Finally (0)

Anonymous Coward | about 3 years ago | (#37236286)

Yeah, glaringly absent are iloveyou, thx1138, qwerty, zxcvbn, asdfghjkl, master, hunter1...

Re:Finally (1)

X0563511 (793323) | about 3 years ago | (#37236370)

Seems to be working, which is both depressing and scary.

Re:Finally (1)

rtb61 (674572) | about 3 years ago | (#37236444)

Logic has it that you could use more than one configuration of worm. In fact you could use thousands all with different combinations of passwords. You take the assumption that a very lazy tech company will grab one worm, do an analysis and stop there, leaving many many potential other victims out there thinking they are safe.

Still, such a short list seems pointless unless of course relying on a particular tech company's laziness and willingness to blame users for everything, to mass market a false sense of security and simply blame admins who used passwords from that very short list, leaving tens of thousands of other popular passwords available for exploitation (so short on purpose).

Obligatory (0)

Anonymous Coward | about 3 years ago | (#37236072)

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

Re:Finally (5, Informative)

Anonymous Coward | about 3 years ago | (#37235982)

This is not the complete list of what happens.

I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.

MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.

I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.

The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.

Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
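The outbound sweep described above (thousands of 3389 attempts from one host, across its own /24 and the neighbouring ones) stands out in firewall logs. This is an added example, not code from the thread or from Microsoft: it assumes the Windows Firewall pfirewall.log (W3C) layout, in which a "#Fields:" header names the columns, and the log it reads is constructed inline.

```python
"""Spot hosts spraying outbound RDP connection attempts in Windows Firewall logs.

Added example, not from the thread or Microsoft. Assumes the pfirewall.log
W3C layout; the log below is constructed, not captured from a real infection.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

RDP_PORT = "3389"
WINDOW = timedelta(minutes=5)
DISTINCT_TARGETS = 20   # assumed threshold; set it above the site's normal RDP fan-out


def build_sample_log():
    """Constructed pfirewall.log text: one sweeping host, one benign admin box."""
    header = [
        "#Version: 1.5",
        "#Software: Microsoft Windows Firewall",
        "#Fields: date time action protocol src-ip dst-ip src-port dst-port "
        "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    ]
    rows = []
    n = 0
    # 10.10.10.5 walks its own /24 and both neighbouring /24s on TCP/3389.
    for third_octet in (10, 9, 11):
        for host in range(1, 16):
            n += 1
            rows.append(
                f"2011-08-20 09:00:{n:02d} DROP TCP 10.10.10.5 10.10.{third_octet}.{host} "
                f"{49152 + n} 3389 52 S 0 0 8192 - - - SEND"
            )
    # 10.10.10.7 opens two ordinary RDP sessions to a single jump host.
    rows.append("2011-08-20 09:00:10 ALLOW TCP 10.10.10.7 10.10.10.200 50001 3389 52 S 0 0 8192 - - - SEND")
    rows.append("2011-08-20 09:03:10 ALLOW TCP 10.10.10.7 10.10.10.200 50002 3389 52 S 0 0 8192 - - - SEND")
    return "\n".join(header + rows) + "\n"


def parse_pfirewall(text):
    """Yield one dict per log record; the #Fields header supplies the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def find_rdp_sprayers(text, window=WINDOW, threshold=DISTINCT_TARGETS):
    """Return {src_ip: (distinct_targets, subnets_touched)} for every source
    that tried TCP/3389 against >= threshold distinct hosts inside `window`.
    Both ALLOW and DROP records count: an attempt is an attempt."""
    recent = defaultdict(deque)   # src-ip -> deque of (timestamp, dst-ip)
    flagged = {}
    for rec in parse_pfirewall(text):
        if rec["protocol"] != "TCP" or rec["dst-port"] != RDP_PORT:
            continue
        if rec["path"] != "SEND":   # only outbound attempts betray an infected host
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[rec["src-ip"]]
        q.append((ts, rec["dst-ip"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold:
            subnets = {str(ip_network(f"{d}/24", strict=False)) for d in targets}
            flagged[rec["src-ip"]] = (len(targets), sorted(subnets))
    return flagged


if __name__ == "__main__":
    for src, (count, nets) in find_rdp_sprayers(build_sample_log()).items():
        print(f"{src}: {count} distinct RDP targets across {', '.join(nets)}")
```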

Re:Finally (1)

MightyMartian (840721) | about 3 years ago | (#37236086)

I'm just bloody glad I shut down all external access to RDP. For a few years I was opening up RDP for some users who worked from home, but after seeing someone trying hundreds of times to get in to RDP via an Eastern European IP address I finally closed it down and require anyone wanting to use RDP to do it via our VPN.

Re:Finally (2)

Lumpy (12016) | about 3 years ago | (#37236486)

You should also already have DROP rules for all IP addresses coming from outside countries you don't have workers in already.

We don't have any Asian, Eastern or Russian workers so I block all those countries in the firewall. It reduces risk and traffic significantly.

I also have the firewall add a 24 hour drop rule for any IP address that attempts a connection and gets a rejection more than 5 times to a port in 20 minutes.

Passwords are your second line of defense, your firewall is your first.

Re:Finally (1)

KingMotley (944240) | about 3 years ago | (#37236118)

Simply having 3389 open isn't inherently bad. It's when you allow retarded admins who allow access to that port through the internet and use ridiculously simple passwords on accounts that are given remote login rights AND are exempt from the bad password lockouts.

Re:Finally (-1)

Anonymous Coward | about 3 years ago | (#37235032)

It can also come from an improperly configured Cisco Router.

This site got hacked and it includes instructions on how to get rid of it [funnelchair.com] .

Re:Finally (1)

maxwells_deamon (221474) | about 3 years ago | (#37235160)

Warning: Parent contains NSFW link, and not worth looking at anyway

Re:Finally (1)

Billly Gates (198444) | about 3 years ago | (#37235538)

That happened to be the most disgusting troll link I have ever seen on slashdot. I couldn't watch the whole thing without gagging in my mouth.

I thought goatse.cx and http://www.clownsong.com/ [clownsong.com] were bad, but that is the WORST

Re:Finally (1)

John Hasler (414242) | about 3 years ago | (#37235034)

How many Windows boxes do not have way too easy a password?

Re:Finally (1)

aztracker1 (702135) | about 3 years ago | (#37236378)

Mine... more than one word, l33tified with non letter-number.

Re:Finally (1)

datapharmer (1099455) | about 3 years ago | (#37235314)

Actually, once you have RDP access, privilege escalation is pretty trivial as you can access the command line regardless of local and group policies by exploiting a flaw in how command line switches are handled.

Re:Finally (1)

louarnkoz (805588) | about 3 years ago | (#37235472)

Microsoft's analysis is published at: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com]

The list of passwords that the worm tries is interesting. Apart from the obvious abc123 and the like, the worm tries "RavMonD" and "zhudongfangyu". Is that a clue? Some Chinese homage to the bazaar?

Re:Finally (2)

bwintx (813768) | about 3 years ago | (#37235568)

TFA article lists "RavMonD" and "zhudongfangyu" as processes the worm tries to stop, not as passwords it attempts.

Terminates processes
Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

Re:Finally (1)

bwintx (813768) | about 3 years ago | (#37236324)

"TFA article" being akin to "ATM machine," of course. Sorry.

Poor Passswords are the problem (3, Informative)

Anonymous Coward | about 3 years ago | (#37234986)

Read about Morto and it says it spreads by trying common passwords such as the following:
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

  admin
  password
  server
  test
  user
  pass
  letmein
  1234qwer
  1q2w3e
  1qaz2wsx
  aaa
  abc123
  abcd1234
  admin123
  111
  123
  369
  1111
  12345
  111111
  123123
  123321
  123456
  654321
  666666
  888888
  1234567
  12345678
  123456789
  1234567890

Re:Poor Passswords are the problem (1)

sakura the mc (795726) | about 3 years ago | (#37235126)

how about removing the "Administrator" account and changing the RDP port?

someone told me many years ago to be paranoid because the internet is "insecure as living fuck."

Re:Poor Passswords are the problem (1)

jhoegl (638955) | about 3 years ago | (#37235180)

Why move the port? Port scanners will find it anyways, and it only causes problems for the end users.

That "Someone" does not understand how hacks/cracks/attack vectors work, does not stay up on current security trends, or know how to handle a password policy.

Re:Poor Passswords are the problem (4, Informative)

DarkOx (621550) | about 3 years ago | (#37235402)

I generally agree that moving well known services to alternate ports is a waste of time at best and a headache at worst, for most services.

Port scanners should not be effective tools in a high security environment though. You should have an IDS that can detect a scan, even if it's a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts. In which case there may be value in moving high-value targets like administrative interfaces to lesser known ports; generally legitimate people using those interfaces won't be terribly inconvenienced.

Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever? Certainly yes. If your common threat model really includes that guy though, you're really operating in a different reality than most of us; for the rest, snort, iptables and some shell scripts, or {pick commercial vendor solution} here goes a long way.

In 1997 an unprotected host was not good enough anymore, you needed a firewall
In 2000 you needed a stateful firewall
In 2005 you needed an application layer firewall
It's 2011, you need IDS / IPS
The arms race continues....

Re:Poor Passswords are the problem (2)

Lumpy (12016) | about 3 years ago | (#37236532)

"There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts"

Yes there is. Competent Network people and up to date networking hardware to do this cost money. Executives would rather continue to run on the out of date Nokia Firewalls they bought in 2003 and hire employees who are happy to get $25,000 to $35,000 instead of having a budget that is realistic and pay-scales that attract competent employees.

THIS is the reason that in 2011 you can't have in place mechanisms that make it difficult for an attacker to gain a foothold in your company.

Re:Poor Passswords are the problem (1)

Onymous Coward (97719) | about 3 years ago | (#37235420)

Moving ports protects against worms.

That "someone" may have better said "the Internet is full of threat". My blocked ports log says there's an unauthorized attempt every 2 and a half minutes. That's not counting attacks on 25, 53, and 80.

My system is plenty secure, but I guess you could refer to the net at large as "insecure as living fuck".

Re:Poor Passswords are the problem (1)

lucifuge31337 (529072) | about 3 years ago | (#37235184)

how about removing the "Administrator" account and change the RDP port?

Who leaves services like this exposed to the Internet in the first place? Do you people not have VPNs?

Re:Poor Passswords are the problem (1)

magamiako1 (1026318) | about 3 years ago | (#37235272)

A lot of people leave these services open, particularly for managed IT for small businesses (small practices, etc.)

RDP itself is encrypted with RC4 by default, and gets AES if you use FIPS mode.

Re:Poor Passswords are the problem (1)

lucifuge31337 (529072) | about 3 years ago | (#37235292)

I guess I've been working on real networks for too many years. Even with the small businesses I've done side work for, nothing like this is exposed. It's simply too cheap to do it the proper way, and too expensive not to.

Re:Poor Passswords are the problem (1)

magamiako1 (1026318) | about 3 years ago | (#37235410)

I've known a ton of small businesses that leave RDP exposed. Many leave VNC exposed as well (which can be even more dangerous if you don't understand encryption and authentication).

I've argued with people on IRC that leave entire POS systems exposed via VNC to the internet.

It's deplorable, but fairly common. And there's nothing particularly wrong with leaving it exposed if you configure it properly. A VPN provides more peace of mind, of course, since you get all the benefits that come with private keys, etc. Not to mention you can encrypt your channel with AES versus RC4 (in FIPS mode you get 3DES).

Re:Poor Passswords are the problem (0)

lucifuge31337 (529072) | about 3 years ago | (#37235506)

And there's nothing particularly wrong with leaving it exposed if you configure it properly.

Other than the history of RDP-vector exploits and giving someone basically unfettered access via the Internet to try to brute force your windows box. Sorry, but I've been in this business since before RDP existed, so I've been around for its entire history. It's not a service to be left open to the Internet on critical infrastructure. But those who don't have the perspective are often doomed to have to figure things out for themselves the hard way.

Re:Poor Passswords are the problem (1)

magamiako1 (1026318) | about 3 years ago | (#37235584)

Again, re-read a previous post of mine:

Account Lockout policies. Same difference using "fail2ban" with SSH that so many people use to "secure" their linux boxes.

What we're down to isn't an argument against RDP, we're arguing over password vs key-based authentication and data integrity.

Re:Poor Passswords are the problem (1)

ninetyninebottles (2174630) | about 3 years ago | (#37235784)

Good security relies upon a layered defense so no one factor, even a weak password, can compromise your system. A prudent administrator has an IDS looking at and blocking propagation traffic based upon a normal use signature for their network, and has strong passwords, and has a VPN and has firewalls in between network segments. A good OS has services off by default and a silent mode to prevent port scanning and a sandbox around such a likely service with a history of exploits and strongly tested code for the service in the first place to prevent privilege escalation even if there were no sandbox and scanning on the server to identify known malware signatures.

Layered security, because relying on any one layer in our current climate is absurd.

Re:Poor Passswords are the problem (1)

datapharmer (1099455) | about 3 years ago | (#37235344)

Yes, we people have VPNs, but you know all those small businesses whose IT staff is "the guy who knows some stuff about computers" and gets stuck "managing the server"? Well, those businesses don't have VPNs, are rarely patched and are the cause for those shenanigans. For companies who are unwilling to pay for the time it takes to properly clean up the mess they have and install proper protections, a port change and administrator username change is the "better than nothing" approach. While yes, it is "security through obscurity", the reality of the world is that we don't live in a paradise where every small business is willing to listen to their IT consultants or willing to shell out the money to do things properly. For those cheap companies we do this at minimum to help protect the rest of the world from their ignorance.

Re:Poor Passswords are the problem (0)

Anonymous Coward | about 3 years ago | (#37235594)

Talking outside of a company context, with Windows it's usually the case that most people don't know the service exist and it's on by default.

Re:Poor Passswords are the problem (1)

fast turtle (1118037) | about 3 years ago | (#37236432)

And that's the biggest problem with using Windows. Too much shit running w/o rhyme/reason or even a decent explanation why.

you can't fully remove the Administrator account (1)

Joe_Dragon (2206452) | about 3 years ago | (#37235312)

you can't fully remove the Administrator account and you can't change the RID.

Re:you can't fully remove the Administrator accoun (1)

spooky ghost (70606) | about 3 years ago | (#37235418)

But you can use a gpo to rename the local administrator account across your domain or rename it on single machines via lusrmgr.

Re:you can't fully remove the Administrator accoun (0)

Anonymous Coward | about 3 years ago | (#37236372)

Maybe you can't, but I still imagine it would be pretty effective to firewall and IP-ban any packet that attempted to log in to the administrator account, though...

Re:Poor Passswords are the problem (0)

Anonymous Coward | about 3 years ago | (#37235148)

You left out pencil.

Shut up, bigmouth! (0)

Anonymous Coward | about 3 years ago | (#37235566)

Nothing wrong with "pencil"!

name of the worm ?? (0)

Anonymous Coward | about 3 years ago | (#37234990)

morto: Italian for dead. Is it a coincidence?

A non-issue for people who use strong passwords (4, Informative)

mkraft (200694) | about 3 years ago | (#37235016)

From what I've read [f-secure.com], the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.

...or that hate default ports... (4, Informative)

FlavorDave (109495) | about 3 years ago | (#37235074)

Since RDP is a necessary evil for administering remote windows PCs at least change the fracking port...

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Re:...or that hate default ports... (1)

Culture20 (968837) | about 3 years ago | (#37235112)

And use an auto-lockout system or auto-firewall (if one exists) like fail2ban. Windows log parsing and firewall can be scripted, but I don't know if anyone's bothered.
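Lumpy's rule earlier in the thread (more than 5 rejections in 20 minutes gets a 24-hour drop) applied to failed RDP logons is the scripted log parsing the comment above asks about. This is an added example, not the thread's or any project's code: it assumes Security log 4625 (failed logon) events exported as (time, event id, logon type, source IP, account) tuples, which it constructs inline using documentation address ranges, and it builds the netsh block command as a string rather than running it.

```python
"""fail2ban-style lockout for RDP logon failures (added example, not from the thread).

Assumes Security log event 4625 with LogonType 10 (RemoteInteractive, i.e. RDP)
and events already exported as tuples. Sample events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_EVENT = 4625
RDP_LOGON_TYPE = "10"           # RemoteInteractive: Terminal Services / RDP
MAX_FAILURES = 5                # "more than 5 times ..."
WINDOW = timedelta(minutes=20)  # "... in 20 minutes"
BAN_DURATION = timedelta(hours=24)

# Constructed sample: (TimeCreated, EventID, LogonType, IpAddress, TargetUserName)
_T0 = datetime(2011, 8, 27, 2, 0, 0)
SAMPLE_EVENTS = (
    # 203.0.113.9 hammers Administrator once a minute: must be banned on the 6th try.
    [(_T0 + timedelta(minutes=i), 4625, "10", "203.0.113.9", "Administrator") for i in range(7)]
    # 198.51.100.4 fails 6 times but 30 minutes apart: never 6 inside one window.
    + [(_T0 + timedelta(minutes=30 * i), 4625, "10", "198.51.100.4", "Administrator") for i in range(6)]
    # A real user fat-fingers twice; a non-RDP (type 3) failure must be ignored.
    + [(_T0 + timedelta(minutes=2), 4625, "10", "192.0.2.33", "jdoe"),
       (_T0 + timedelta(minutes=3), 4625, "10", "192.0.2.33", "jdoe"),
       (_T0 + timedelta(minutes=4), 4625, "3", "198.51.100.4", "Administrator")]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])


class RdpLockout:
    """Sliding-window counter of RDP logon failures per source address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_for=BAN_DURATION):
        self.max_failures, self.window, self.ban_for = max_failures, window, ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> ban expiry time

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                    # ban lapsed: clean slate for this host
            del self.bans[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def observe(self, ts, event_id, logon_type, ip):
        """Feed one event; return the ban expiry if this event triggers a ban."""
        if event_id != FAILED_LOGON_EVENT or logon_type != RDP_LOGON_TYPE:
            return None
        if ip in ("-", "::1", "127.0.0.1") or self.is_banned(ip, ts):
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_failures:
            self.bans[ip] = ts + self.ban_for
            q.clear()
            return self.bans[ip]
        return None

    def active_bans(self, now):
        """Addresses whose ban has not lapsed at `now`."""
        return sorted(ip for ip in list(self.bans) if self.is_banned(ip, now))


def block_rule(ip, expiry):
    """Windows Firewall rule for the ban, returned as a command line to review."""
    name = f"RDP-lockout {ip} until {expiry:%Y-%m-%d %H:%M}"
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f"dir=in action=block protocol=TCP localport=3389 remoteip={ip}")


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events; return {ip: expiry} for every ban that was triggered."""
    policy = RdpLockout()
    bans = {}
    for ts, event_id, logon_type, ip, _account in events:
        expiry = policy.observe(ts, event_id, logon_type, ip)
        if expiry is not None:
            bans[ip] = expiry
    return bans


if __name__ == "__main__":
    for ip, expiry in run_sample().items():
        print(block_rule(ip, expiry))
```

The expiry is only enforced by `is_banned`; a real deployment would also delete the firewall rule when it lapses.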

gpedit.msc &/or secpol.msc can do that (0)

Anonymous Coward | about 3 years ago | (#37235174)

As well as the native firewall in Windows - there's TONS of settings regarding RDP &/or Terminal Server services in gpedit.msc + secpol.msc where you can set rights to WHO can use RDP or Terminal Server services, as well as when/where/why/how etc. (I also liked FlavorDave's suggestion on port # switching via registry hack too).

APK

Re:...or that hate default ports... (1)

rubycodez (864176) | about 3 years ago | (#37235208)

Nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

Re:...or that hate default ports... (3, Insightful)

0123456 (636235) | about 3 years ago | (#37235296)

nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

Of course if you're serious about security then a port-scan would be logged and blocked. They'd need to compromise multiple machines or scan at a very slow rate in order to be able to get past such a firewall.

Re:...or that hate default ports... (1)

KiloByte (825081) | about 3 years ago | (#37235548)

The whole point of a worm is that they have multiple machines.

Re:...or that hate default ports... (1, Informative)

0123456 (636235) | about 3 years ago | (#37235740)

The whole point of a worm is that they have multiple machines.

Not on my internal network.

And if you have RDP open to the Internet you're so retarded there's no saving you.

Re:...or that hate default ports... (1)

datapharmer (1099455) | about 3 years ago | (#37235414)

Would you rather have 1000 bots attacking a server or 900? Obviously in a perfect world we would cut it down to 0, but eliminating scripted attacks on poorly secured servers is better than doing nothing.

Re:...or that hate default ports... (1)

Aqualung812 (959532) | about 3 years ago | (#37236054)

You're correct, but most worms don't try to scan every port. They need to quickly find their next target, and scanning for one port is much quicker than for over 65,000 of them.

Also, remember they're looking for total dumbasses that put things like "admin" as their password. Pretty sure that people that run RDP on port 6384 don't have trivial passwords.

Re:...or that hate default ports... (1)

bloodhawk (813939) | about 3 years ago | (#37236360)

Why would any competent admin be allowing port scans to hit their servers? They invented this cool thing a little while ago called a firewall.

extreme paranoia (1)

Onymous Coward (97719) | about 3 years ago | (#37235306)

Good idea. I agree. I switch ports for things, too. Helps to avoid worms. But...

Scanned at 2011-08-28 11:37:25 PDT for 54s
PORT STATE SERVICE VERSION
3390/tcp open microsoft-rdp Microsoft Terminal Service

It's still possible to see where your RDP port is. So a dedicated attacker or a port-scanning worm (I'd be amused to see one of those) uncovers your hide.

What about adding port knocking?

Re:...or that hate default ports... (1)

Nemyst (1383049) | about 3 years ago | (#37235362)

I wanted to do that so I could remote to my home PC from university... The firewall there blocks all ports except 3389 and a few others like 21 or 80.

Security impeding security, wee!

Re:...or that hate default ports... (1)

omglolbah (731566) | about 3 years ago | (#37235450)

Set up SSH, you can do port tunneling that way.

I have port 443 on my server set up to accept SSH, that way I can get through 99% of 'work' type firewalls and get to my stuff :)

Re:...or that hate default ports... (0)

Anonymous Coward | about 3 years ago | (#37235642)

or use something like Teamviewer... it's basically a free version of gotomypc.

Re:...or that hate default ports... (0)

Anonymous Coward | about 3 years ago | (#37235428)

How about not opening your anus to the Internet? There are numerous systems, many open source that provide strong cryptographic authentication and encryption.

Yes you can change the port. You could however use port knocking coupled with that cryptographic system and knock on a port using the key fingerprint and based off a calculated value of the fingerprint open another port for the communication to take place on.

None of this is trivial. None of it's hard. It's just tedious, like a 15,000 piece puzzle with 2mm pieces.

Re:...or that hate default ports... (1)

sgt scrub (869860) | about 3 years ago | (#37235830)

If someone uses 12345 for the password do you really think they would have the slightest clue as to what your post means? You need to spell it out for them using baby talk. 1) double clicky on the....

Do you do that with SSH too? (1)

Sycraft-fu (314770) | about 3 years ago | (#37235874)

Or instead do you just use strong passwords?

That is what the issue with this worm is: Weak passwords. Go read the MS doc and see just how weak I'm talking about: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com] .

This kind of shit affects SSH as well. We periodically whack IPs in China that beat on our SSH servers. They try the same password list over and over, they aren't sophisticated, just looking for weakly passworded stuff.

The answer isn't to move the port. The answer is to have a good password.

Re:...or that hate default ports... (1)

tokul (682258) | about 3 years ago | (#37236136)

change the fracking port...

Security through obscurity does not work.

Re:...or that hate default ports... (1)

bloodhawk (813939) | about 3 years ago | (#37236414)

change the fracking port...

Security through obscurity does not work.

That actually is a fallacy. When it comes to worms and viruses, security through obscurity does help: malware attacks the common denominator. If 1 million people run a service on port 1234 and 10 run it on some other random port, you can bet your last dollar that the vast majority of attacks will focus on port 1234. No, you aren't blocking targeted attacks, just going half a rung higher on the ladder so that someone actually has to put some basic thought into an attack against you.

That is indeed what it does (1)

Sycraft-fu (314770) | about 3 years ago | (#37235974)

Someone else linked to the MS info on it: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com] and it just goes and tries weak passwords... EXTREMELY weak passwords. Also looks like Vista/7 2008/2008R2 are default secure since it tries against "administrator" which is not an account you can actually log in as if UAC is on.

So as long as your password isn't monkey-fuck retardedly easy, should be a non-issue. If it is this weak, well then you really need to get a better password policy, and not because of this worm just in general.

Nonetheless I expect this worm to own tons of systems because people fail at passwords. Story time:

Back in 1999 I worked as a student for network operations on campus. They wanted to migrate their small domain from NT4 to 2000 and the guy in charge decided to just do a clean reinstall/redo. He knew his shit and there wouldn't be many user facing issues except for account recreation. While some users would have no problems, the non-technical ones would whine and cry. He reasoned (correctly) that those kind of people would have weaker passwords so he grabbed the SAM file and had me load it on one of our powerful systems to crack. Since it had LM hashes stored (required for Windows 9x which was in use), cracking alphanumeric passwords could be done inside a week.

The result was much worse than we thought. At least half of the non-technical people had the password of "changeit", the password that had been handed out as a default password, which you were supposed to change. So it ended up being a big issue because he had the new accounts created with that password, but set the domain to require them to pick a new one. Much crying and whining ensued.

On account of that at my current job when we need to hand out a password to change (our system is cross Solaris/Linux/Windows/Mac and there isn't a good method to force a reset on login for all systems) we set it to something like "this is a long password that needs to be changed soon," because nobody wants to type that in every time they log in.

PC is dead (-1)

Anonymous Coward | about 3 years ago | (#37235062)

I think we're approaching the point now where PCs are too clumsy and vulnerable to be useful to the consumer, they're doomed to enterprise only environments. Of course, once that happens the OS value will dwindle, updates will get slower, and things will just get worse and worse.

RDP was meant to be a bandaid to fix the fixes MS is pushing, how ironic it just became another attack vector.

Stop adding checkbox marketing features and maybe we'll stand a fighting chance.

Re:PC is dead (1)

Joce640k (829181) | about 3 years ago | (#37235106)

Stop adding checkbox marketing features and maybe we'll stand a fighting chance.

...against users who choose "123456" for their admin password?

Maybe you didn't RTFA before posting.

Re:PC is dead (1)

rubycodez (864176) | about 3 years ago | (#37235232)

Exactly the opposite: admins with a PC desktop mentality are too clumsy and vulnerable to be useful to the enterprise. The root cause of this infection would make any OS vulnerable, from mainframe z to openbsd server

Mod parent up. (1)

khasim (1285) | about 3 years ago | (#37235336)

The root cause of this infection would make any OS vulnerable, from mainframe z to openbsd server

Exactly. And I see it every day.

Just because you THINK you can "admin" a workstation (or a few workstations for your immediate family) does NOT mean that you know how to correctly administer a server.

That this "virus" has any traction is just more evidence of that.

Require a VPN connection (3, Informative)

Pop69 (700500) | about 3 years ago | (#37235134)

If IT and users are connecting to a bare open RDP port then someone fucked up along the way.

Do it right, require a VPN connection before you allow an RDP connection.

Re:Require a VPN connection (2)

jhoegl (638955) | about 3 years ago | (#37235154)

Maybe, but I wouldn't want an end user's virused system to have access to my networks or servers.

RDP offers better limitations to it.
True, you could close off every port but 3389 to the VPN, you could limit access to only one server, but then the requests start coming in...
Besides, wouldn't an SSL RDP session be more viable?

SSL VPN? Users don't understand SSL warnings. (0)

Anonymous Coward | about 3 years ago | (#37235206)

"Durp, I'm on the hotel wifi, and I'm getting an invalid certificate warning in my browser even though I never ever get this when connecting from home. Why, yes, I'll accept the certificate!"

Re:Require a VPN connection (1)

aztracker1 (702135) | about 3 years ago | (#37236434)

RDP is already encrypted as of 2003 server (via TLS)... though you don't get client-keys... the issue here is weak passwords, the same issue exists for SSH, short of client keys.

Re:Require a VPN connection (0)

Anonymous Coward | about 3 years ago | (#37235164)

Then one of your users leaves a VPN up or is in the middle of using one, and then it's in your datacenter...

How does using VPN help again?

Re:Require a VPN connection (1)

rubycodez (864176) | about 3 years ago | (#37235256)

What if an admin dumb enough to choose 1234546 also gives everyone and their Aunt Tilly the certificates and keyfile for the VPN by plain email?

WIP operating systems - show me the money. (2)

djfuq (1151563) | about 3 years ago | (#37235136)

If only M$ didn't make it so difficult to change the RDP port...

Oh wait, it used to be difficult, but now it's stupid easy: http://support.microsoft.com/kb/306759
Now they even have a program that does it for idiots -- what amazing customer service!
This is why I now respect Microsoft's operating systems: someone finds an exploit and they get vilified, so they have to work extra hard and put a lot of money into meeting a higher standard of criticism to keep a huge base of customers satisfied and using their OS.
They make "QA mistake" releases like Vista, and they turn around and outdo everyone with Win7 and 2008R2... unlike the academic operating systems, where often kernels and filesystems and distributions are released with statements such as "ext4 is now a fully supported file system" http://centos.org/ with severe but not mentioned issues like https://bugzilla.redhat.com/show_bug.cgi?id=696545 but they are silently given a pass because technically it's a WIP.
With hokey pokey dodgy insecure applications like the authentication-less/unencrypted NFS protocol or the OpenLDAP that still sends passwords clear text over the wire by default configuration, or I could go on and on... but I know this criticism (like the criticism mentioned above) will be ignored and treated like flame-bait...


Re:WIP operating systems - show me the money. (0)

Anonymous Coward | about 3 years ago | (#37235194)

Yes, very difficult. It takes 30 seconds to edit the registry key and 30 seconds to restart the service. And you do it once.

Infecting Windows -- Too Easy (0, Flamebait)

curmudgeon99 (1040054) | about 3 years ago | (#37235156)

You would think that hackers might see there is no honor in hacking windows.
Windows is such a warmed-over dog's breakfast that I can't imagine any self-respecting hacker spending the time to hack a Windows PC. Any fool who uses Windows probably has already had their bank accounts drained. You're just kicking an unconscious body lying in the alley. Why bother.

Re:Infecting Windows -- Too Easy (0)

Anonymous Coward | about 3 years ago | (#37235242)

I think you've not kept up with the hacking scene for the last 7-8 years. Today's 'hacking' is done to maximize profit. Exactly how will you do that against anything else when those systems barely exist in comparison?

Re:Infecting Windows -- Too Easy (5, Informative)

magamiako1 (1026318) | about 3 years ago | (#37235294)

This has nothing to do with "hacking windows". This has everything to do with brute forcing passwords.

This same thing can happen with SSH, FTP, and any other service that uses password authentication.

In Linux, you install "fail2ban" to slow down brute force attempts.

In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.

In all systems, you use more complex passwords or two-factor authentication to avoid this.

PS: This is only affecting idiots.
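The two controls named in this comment, fail2ban's maxretry/findtime counter and the Windows Account Lockout Policy's threshold and "reset counter after" setting, are the same sliding-window idea applied to different keys. The following is an added example, not code from the comment author or from either tool: it replays constructed failed-logon records (loosely modelled on Windows Security event 4625 fields, with logon type 10 for RDP) through both a per-source and a per-account window. The log format, thresholds, account names and addresses are all assumptions constructed for the example.

```python
"""
Sliding-window brute-force detection over RDP logon failures.

Constructed example. Records mimic a few fields of a Windows Security 4625
(failed logon) event: timestamp, event id, account, logon type, source address.
Logon type 10 is RemoteInteractive (RDP); type 2 is an interactive local logon.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
2011-08-28T03:14:01 4625 Administrator 10 198.51.100.23
2011-08-28T03:14:02 4625 Administrator 10 198.51.100.23
2011-08-28T03:14:03 4625 Administrator 10 198.51.100.23
2011-08-28T03:14:04 4625 Administrator 10 198.51.100.23
2011-08-28T03:14:05 4625 admin 10 198.51.100.23
2011-08-28T03:14:06 4625 admin 10 198.51.100.23
2011-08-28T03:14:07 4624 alice 10 203.0.113.7
2011-08-28T03:14:08 4625 bob 2 10.0.0.5
2011-08-28T03:20:00 4625 bob 10 203.0.113.9
2011-08-28T03:50:00 4625 bob 10 203.0.113.9
2011-08-28T04:20:00 4625 bob 10 203.0.113.9
2011-08-28T04:50:00 4625 bob 10 203.0.113.9
2011-08-28T05:20:00 4625 bob 10 203.0.113.9
"""


@dataclass(frozen=True)
class Policy:
    """Counterpart of fail2ban maxretry/findtime and the Windows lockout threshold/reset window."""
    threshold: int = 5                          # failures inside the window before acting
    window: timedelta = timedelta(minutes=10)   # findtime / "reset account lockout counter after"
    rdp_only: bool = True                       # only count logon type 10 (RDP) failures


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    account: str
    logon_type: int
    source: str


def parse_line(line: str):
    """Parse one constructed record; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return LogonEvent(datetime.fromisoformat(parts[0]), int(parts[1]),
                          parts[2], int(parts[3]), parts[4])
    except ValueError:
        return None


def detect(log_text: str, policy: Policy = Policy()):
    """Return the sources to ban (fail2ban view) and accounts to lock (Windows view)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e.when)           # windows only make sense in time order
    windows = defaultdict(deque)                # key -> timestamps of recent failures
    banned_sources, locked_accounts = set(), set()
    for ev in events:
        if ev.event_id != 4625:                 # successful logons (4624) never count
            continue
        if policy.rdp_only and ev.logon_type != 10:
            continue
        for key, bucket in ((("src", ev.source), banned_sources),
                            (("acct", ev.account), locked_accounts)):
            recent = windows[key]
            recent.append(ev.when)
            while ev.when - recent[0] > policy.window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= policy.threshold:
                bucket.add(key[1])
    return {"banned_sources": banned_sources, "locked_accounts": locked_accounts}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

With the default policy the source 198.51.100.23 is banned after its fifth failure, but no account is locked: four guesses at Administrator plus two at admin stay under the per-account threshold, which is why an account-lockout policy on its own misses guessing spread over several names and the per-source counter is worth having beside it. bob's failures arrive 30 minutes apart, so the 10-minute window keeps resetting and they never trigger either control; a shorter window or a lower threshold is the tuning knob, at the cost of locking out legitimate users who mistype.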

Re:Infecting Windows -- Too Easy (1)

mcrbids (148650) | about 3 years ago | (#37235664)

This same thing can happen with SSH, FTP, and any other service that uses password authentication.

There. 'Nuff said. Passwords are terrible for system level security and should not be used. The basic idea of passwords requires that, to use it, you also give everything needed to use it again. Techniques like two-channel authentication, public key encryption, etc. solve this problem.

Re:Infecting Windows -- Too Easy (1)

magamiako1 (1026318) | about 3 years ago | (#37235702)

You can configure smart card authentication for Windows RDP.

Re:Infecting Windows -- Too Easy (0)

Anonymous Coward | about 3 years ago | (#37235346)

Excellent flame bait. Too bad most people don't use Linux so they can see how shitty it really is.

See I can play too.

Re:Infecting Windows -- Too Easy (1)

Osgeld (1900440) | about 3 years ago | (#37235350)

Yes, it's Microsoft's fault that some marketing douche playing IT guy thought the last 4 digits of the company's phone number would be a good password for remote access.

Or did you just read "Microsoft" and miss out on the brute-force password part?

Re:Infecting Windows -- Too Easy (1)

Crazy_entertainer (2442572) | about 3 years ago | (#37235668)

Hey Osgeld! Don't you have a funnel chair to set up [funnelchair.com] with that big mouth of yours?

Re:Infecting Windows -- Too Easy (3)

Opportunist (166417) | about 3 years ago | (#37235406)

At least RTFM before posting. The system is helpless against a user that uses "12345" as a root password.

Re:Infecting Windows -- Too Easy (1)

advocate_one (662832) | about 3 years ago | (#37235928)

so I'm safe then with "54321"...

Re:Infecting Windows -- Too Easy (3, Funny)

Billly Gates (198444) | about 3 years ago | (#37235590)

"You would think that hackers might see there is no honor in hacking windows."

I don't know

I read a comment here from some guy named anonymous coward that stated Windows is just as secure as Unix and Mac OS X and it is only hacked because more people use it. After all, IE 6 and IE 7 are staples of good security and coding according to him. More people use it ... that's it!

Whoa, Newsflash! (2)

Opportunist (166417) | about 3 years ago | (#37235394)

Insecure admin passwords allow remote connections and lead to compromised computers. More details after the film.

Morto? (0)

Anonymous Coward | about 3 years ago | (#37235544)

Mortos der soul stealer has come!

I wish i had some ice cream!

Interesting (1)

Bryan Bytehead (9631) | about 3 years ago | (#37235920)

I was wondering who or what was banging on my RDP ports yesterday. My Administrator account has been renamed, and I doubt very much that they would be able to brute my login name, let alone my password, but I turned RDP off just because it was annoying.
