Tomer Bitton, Independent Reverse Engineer at Imperva's Application Defense Center (ADC) has updated the Imperva Blog by dissecting the Morto worm.
MORTO Post Mortem: Dissecting a Worm: http://blog.imperva.com/...
"Morto has been in the headlines, for good reason. This worm is unique as it exploits Microsoft's remote desktop protocol (RDP). It doesn't exploit any specific vulnerability, it simply relies on people installing the worm and then it uses a brute force password attack to gain access to systems. It is the first time we've seen something like this. The malware itself is sophisticated even if the method of proliferation isn't.
Once again, we have an example highlighting the importance of good passwords. Blocking the spread of this worm relies on using a sophisticated password that isn't on the worm's dictionary list. Tomer's malware dissection shows the 103 passwords that made Morto's dictionary, including complicated, sneaky ones like '111111', 'david', 'admin2', '123456' and -shockingly -'rockyou'. Nearly two years after being published, the RockYou password list continues to be used by hackers in brute force password dictionaries.
One thing we determined from looking at the worm was origin. Looking at DNS information, the worm seems to have originated from China, Hong Kong and Australia."
Follow the Imperva blog for the full story complete with graphics, including a never-seen-before spreading vector, Remote Desktop Protocol (RDP).
MORTO Post Mortem: Dissecting a Worm: http://blog.imperva.com/...
"Morto has been in the headlines, for good reason. This worm is unique as it exploits Microsoft's remote desktop protocol (RDP). It doesn't exploit any specific vulnerability, it simply relies on people installing the worm and then it uses a brute force password attack to gain access to systems. It is the first time we've seen something like this. The malware itself is sophisticated even if the method of proliferation isn't.
Once again, we have an example highlighting the importance of good passwords. Blocking the spread of this worm relies on using a sophisticated password that isn't on the worm's dictionary list. Tomer's malware dissection shows the 103 passwords that made Morto's dictionary, including complicated, sneaky ones like '111111', 'david', 'admin2', '123456' and -shockingly -'rockyou'. Nearly two years after being published, the RockYou password list continues to be used by hackers in brute force password dictionaries.
One thing we determined from looking at the worm was origin. Looking at DNS information, the worm seems to have originated from China, Hong Kong and Australia."
Follow the Imperva blog for the full story complete with graphics, including a never-seen-before spreading vector, Remote Desktop Protocol (RDP).
