It’s been a while since a worm has made the rounds of the Internet (I think Stuxnet may have been the last one to make any waves).
Morto is the new kid on the block.
Although my title is meant to be sarcastic, there is actually good news about this worm. It spreads by attempting to log in over any reachable RDP (Remote Desktop Protocol) port as the Administrator account, guessing the password from a built-in dictionary of common passwords.
The good news is that OS security has improved so much over the past few years that malicious code now has to rely on bad practices by administrators, rather than using exploits in running processes.
Of course the bad news is that any systems were vulnerable to this in the first place. Any one of three changes in security practice stops this worm from getting into your systems. Two of them are incredibly simple.
1. Change the ‘Administrator’ name.
In a Windows environment, the Administrator account is there by default and has full permissions to the machine. The account name is not set in stone (unlike UNIX/Linux, where root is always root). Everyone should change their Administrator account login name to something else. It’s very simple to do, and immediately removes the threat of any scripted attack that tries to use Administrator as a login. With just a tiny bit of extra work, you can also set up a new account named Administrator that actually has no privileges. If an attacker is able to enumerate the users on your systems, it will give them a little bit of misinformation.
2. Enable password complexity rules.
The worm has a dictionary of common passwords that it uses to attempt to log in. They are all terrible passwords.
STOP DOING THAT. Systems should REQUIRE mixed-case and digits at a bare minimum.
On Windows this is one click on a checkbox in Group Policy.
3. Do not open RDP to the internet.
This one is slightly more complicated, but your average administrator should be able to handle it easily.
Yes, it’s very convenient to be able to log into your stuff remotely. I do it all the time.
The difference is that I have to tunnel my RDP session through an SSH connection. You should block incoming RDP requests (port 3389 by default) at your firewall.
You do have a firewall, right? I mean, I assume you do, but then again I assumed you wouldn’t have Administrator:password as your master login.
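The three changes above, carried out on a single Windows host, as an added example that is not part of the original post. It assumes a modern Windows with the LocalAccounts and NetSecurity PowerShell modules, an elevated prompt, and placeholder values for the new admin name and the management subnet that is still allowed to reach RDP.

```powershell
# Placeholders: pick your own renamed admin account and management subnet.
$NewAdminName = 'svc-localadm'       # hypothetical replacement name
$ManagementSubnet = '10.0.0.0/24'    # hypothetical trusted subnet for RDP

# 1. Rename the built-in Administrator. Find it by its well-known RID (-500),
#    not by name, in case it was already renamed once.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
}

# Create a disabled, unprivileged decoy that carries the old name, so a
# scripted login against "Administrator" finds an account with no rights.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name 'Administrator' -NoPassword -Disabled `
        -Description 'Decoy account; no group membership, disabled'
}

# 2. Check that password complexity and a minimum length are enforced.
#    secedit exports the effective local policy as an INI-style file.
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf | Out-Null
$policy = Get-Content $inf
if ($policy -notmatch '^PasswordComplexity\s*=\s*1') {
    Write-Warning 'Password complexity is NOT enforced; enable it in Group Policy.'
}
if ($policy -notmatch '^MinimumPasswordLength\s*=\s*(1[0-9]|[2-9][0-9])') {
    Write-Warning 'Minimum password length is below 10.'
}
Remove-Item $inf

# 3. Keep RDP off the internet: confirm every profile blocks inbound by
#    default, then scope the built-in Remote Desktop allow rules to the
#    management subnet so only tunnelled or internal sessions get through.
Get-NetFirewallProfile |
    Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { Write-Warning "Profile $($_.Name) does not block inbound by default." }
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it once and review the warnings; the final `Select-Object` shows the scope that now applies to TCP 3389 inbound.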
Update: Morto tries a number of common account names, not just Administrator. Not sure if this is new information or a variant of the worm.