RDP was developed by Microsoft to allow remote management of computers through a graphical interface. The technology is present, with limitations in some cases, in all supported versions of Windows.
According to F-Secure researchers, once a computer is infected, the new Morto worm starts looking for machines that accept connections on TCP port 3389, default for RDP.
When potential targets are identified, the worm attempts to log on as an administrator using a list of encrypted passwords. This can lead to an uptick in RDP traffic on networks.
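The scanning and logon-guessing behaviour described above leaves a network-level trace: one host opening RDP connections to many distinct destinations in a short time. The following detection logic is an added example (not from the original article or from F-Secure's analysis) that flags such hosts in constructed flow records; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for illustration (not real traffic):
# "timestamp src dst dport"
SAMPLE_FLOWS = """\
2011-08-28T10:00:01 10.0.0.5 10.0.0.20 3389
2011-08-28T10:00:02 10.0.0.5 10.0.0.21 3389
2011-08-28T10:00:02 10.0.0.5 10.0.0.22 3389
2011-08-28T10:00:03 10.0.0.5 10.0.0.23 3389
2011-08-28T10:00:04 10.0.0.5 10.0.0.24 3389
2011-08-28T10:00:05 10.0.0.5 10.0.0.25 3389
2011-08-28T10:00:06 10.0.0.7 10.0.0.20 3389
2011-08-28T10:00:07 10.0.0.7 10.0.0.20 3389
2011-08-28T10:00:08 10.0.0.9 10.0.0.30 443
2011-08-28T10:05:00 10.0.0.9 10.0.0.31 3389
2011-08-28T10:09:00 10.0.0.9 10.0.0.32 3389
"""

def parse_flows(text):
    """Parse the assumed 'timestamp src dst dport' format into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_rdp_scanners(flows, min_targets=5, window=timedelta(minutes=1)):
    """Return {src: peak distinct RDP targets} for hosts that contacted at
    least min_targets distinct destinations on TCP/3389 within any sliding
    time window. Repeated connections to one host (e.g. a normal admin
    session) do not count, only the number of distinct destinations."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 3389:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the time bound.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits
```

Tune `min_targets` and `window` to the environment: jump hosts used by administrators legitimately reach several RDP targets, so baseline them before alerting.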
If authentication succeeds, Morto leaves its components on the destination computer, including the files %windows%\temp\ntshrui.dll and \windows\offline web pages\cache.txt.
The worm reports to a server by querying various predefined domain names and IP addresses from which other command and control files can be downloaded.
Morto's core functionality is to launch distributed denial-of-service (DDoS) attacks. In addition, the application kills processes whose names contain certain strings matching many popular security applications.
According to scans conducted by VirusTotal, 19 of the 44 antivirus engines currently used by the service detect the threat. Users are advised to disable RDP on computers that do not need it, or to set a strong password for the Administrator account if they decide to keep it enabled.
Some people may initially suspect that the worm exploits an RDP vulnerability that was patched earlier this month (MS11-065), but this is not the case, as that flaw can only result in denial of service, not arbitrary code execution.
However, users should apply all available security patches for their operating system and should run an up-to-date antivirus program at all times.
Author: Lucian Constantin
Source: Softpedia

