Tech Time Warp: Morto worm relishes on common usernames and weak passwords
Before you read any more of this post, ask yourself: Are you using “administrator” as a username for any service?
If the answer is yes, stop what you’re doing and change that immediately. Then return here to find out why.
Now that that’s out of the way, let’s step back in time to summer 2011, when the Morto worm drew attention for being the first worm to spread via Microsoft’s Remote Desk Protocol (RDP). Morto scanned an infected computer’s local network to look for RDP-enabled servers and workstations. Morto would then try a series of common usernames (“administrator,” “admin,” etc.) along with weak passwords (“password,” “12345,” etc.), using a brute force attack technique, until it hit on the right combination to connect to the remote machine and install itself. Once installed, Morto would repeat the process, generating heavy traffic on port 3389/TCP in the search for additional machines to infect. Morto-infected machines had the potential to become a botnet that could be used to launch distributed denial-of-service (DDoS) attacks.
Microsoft estimated that systems in 87 countries were affected by Morto, and while most infected machines were running Windows XP, at least 10% were Windows server products—leading some commentators to say “tsk, tsk” to the IT professionals running them. Morto didn’t rely on a system vulnerability—instead, it founds its prey one “administrator” and “password” at a time.
Did you enjoy this installation of SmarterMSP’s Tech Time Warp? Check out others here.
Photo: wk1003mike / Shutterstock