Worm spreads via RDP

It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable …


This topic is closed for new posts.
  1. J 3


    Means "dead" in Portuguese and Italian, hopefully it has nothing to do with the payload...

  2. martin 62

    disable RDP

    The way to stop your PC being infected is to disable RDP, which will stop the attack. The problem is that RDP is enabled by default in Windows (why?) and many non technological people realise that it is even turned on (or that it even exists)

    1. The Original Steve


      Um, no it's not enabled by default. You need to manually enable it or it's set via a GPO. In addition firewalls will obviously stop it.

      However if you read the article on F-Secure you'll realise that it tries to logon as "Administrator" and guesses from a password list of 30. (admin, letmein, 12345, password etc.). For a start they (of the vast majority) won't work on Windows 2008 as it enforces the default admin to have a "complex" password.

      So you'll need a Windows 2000/2003 Server or Windows 2000/XP machine with no hardware firewall (or have port 3389 open) where the admin has a shit password and has manually enabled Remote Desktop.

      Fuck em - if this catches these 'admins' out then they deserve it

      1. jpj

        Bit harsh!

        At least if the admins are home users.

        Anyway, I'd add this to the list of things to do to prevent attacks like these:

        - Rename the Administrator account.

    2. Anomalous Cowturd

      Haven't we heard this before?

      Access enabling services, enabled by default. Then subverted...

      Some people (yes, Microsoft, I'm looking at you!) never learn... Even after numerous "warnings"...

      Obvious icon ^_^

    3. Neoc

      Re: Disable RDP

      Why? I think you answered your own question: The people who would most likely need Remote help are most probably the ones least likely to be able to follow instructions on how to turn on RDP.

      Sad but true. (7yrs on help-desk makes you believe the worst of the end user)

    4. Vigilante


      Remote Desktop is NEVER enabled by default, and never has been.

      On client versions of Windows you have to go to system properties > remote > enable remote access (and then it forces you to make sure your password is secure, meeting the server 2008 password guidelines).

      On server versions, it must be enabled via server manager. Note that some automated server 2008 R2 installs are configured to have it enabled by default, but this requires whoever runs the install to roll their own system image - by no means "standard".

      One thing this article fails to mention is whether this is actually a bug/vulnerability in RDP (which I seriously doubt) or whether it is a case of one machine getting exploited (by having weak passwords) and then that machine exploiting others by bruteforcing RDP. Both cases are able to be easily mitigated by having secure passwords, throttling - or better yet, change the RDP port.

    5. Donn Bly

      @martin 62

      Not to rain a good rant, but RDP is NOT enabled by default.

      While turning off unnecessary services is always a good idea to reduce your exposure to attack, and I certainly encourage anybody who doesn't need it to turn it off, another way to prevent your machines from being infected by this worm is to be current in your patches. This particular hole was patched in MS11-065, which was released weeks ago.

    6. Anonymous Coward

      Don't think so

      RDP is disabled by default

      1. Not That Andrew

        Do some research, you morons.

        I dunno about XP SP3, but XP SP2 and earlier have RPC enabled by default.

        1. xenny

          That beam in your eye....

          RPC is indeed enabled by default, but the vector is RDP, which is disabled by default. :-P

        2. Jason Terando

          RPC != RDP

          RPC = Remote Procedure Call service

          RDP = Remote Desktop Protocol service

          Research done for you, Genius

        3. Anonymous Coward

          re: Do some research

          "I dunno about XP SP3."

          Ironic that. Not to mention the rpc<>rdp fail.

    7. Connor

      Turn off RDP?

      Why? What are we men, or mice? I use RDP all the time to access the computers on my home network, some of which haven't got monitors anymore. I am not going to turn that off because of some worm.

      Besides it doesn't sound like RDP itself is at fault, but rather weak passwords are the way that it gains access. So anyone with half a brain should be safe anyway right?

      Besides, I use Linux.

      1. Mad Hacker

        You use Linux but you use RDP?

        If you use Linux as you say it would make more sense for you to use VNC. If you do use RDP as you also say, I would argue you use Windows.

        1. Anonymous Coward

          @Mad Hacker

          There is actually an RDP server package for linux, I think it's called x11rdp or xrdp (by server package, I mean server side package, so client in x11 terms.) It's pretty useful if you have lots of windows and a couple of linux boxes as it saves you installing an X11 server on your workstation.

        2. Connor

          @Mad Hacker

          Sorry I didn't make that clear, I use RDP from my Linux laptop to control the Windows PCs on the network. I have tried VNC before, but that means installing it on every Windows PC, whereas RDP is built in by default on the Windows Media Center 2005 and Windows 7 PCs that I have, and so is effortless and works really well. FreeRDP is also installed by default on the Linux distribution I use.

          I have had to use VNC on Windows XP Home computers in the past, and it was annoying to set up and wasn't as quick, nor did it look as good as RDP.

  3. Sp1tf1r3

    No vulnerability...

    A strong password is all that is needed to prevent the attack, RDP is NOT on by default either. The passwords the bot tries are very very simple....

  4. Steve Evans

    Is this the Daily Mail? Don't believe the hype.

    Tut tut El Reg, after reading your story I thought there was a vulnerability in RDP... Lucky I went and checked with the source.

    All this worm does is scan for RDP servers on the default port, and then try a small set of easy passwords on the admin account.

  5. Paul 87


    You know, this sounds like a BOFH tool for catching out the idiots who bypass the password policies

  6. crediblywitless


    ...that a worm can spread via an admin login using such a pathetic list of passwords. It is tempting to conclude that anyone with unprotected RDP, enabled local Administrator account, and a password for that account that's on that list, deserves what they get. "Why bother?" asks the article. To make the above point, perhaps?

  7. Morteus

    I dunno about that...

    I've done two fresh installs of XP Home ed. in the past month and BOTH of them had RDP enabled by default.

    1. Fuzz

      XP Home has no RDP

      XP Home has a terminal services service which is used when you share your desktop with a "helper" who is fixing your computer. However this isn't vulnerable to the attack here.

      For the attack here to work you have to have enabled remote connections in system properties and you have to be using one of the stupid passwords in the list for your administrator account. You also have to either already have the worm on your network or you have to have the RDP port open to the Internet.

    2. Anonymous Coward


      I was under the impression that XP home didn't have any remote desktop services.

    3. Anonymous Coward

      You're an embarrassment

      XP Home doesn't even have an RDP server let alone enable it by default.

      1. Bod

        Remote Assistance

        XP Home and likewise the Home editions of Win 7 (and I assume Vista) have Remote Assistance. It's RDP but without an open server. You have to specifically go in and make a request for assistance to someone who then gets access (done via Messenger I believe, but underlying protocol is RDP). Somewhat more secure as it's based on a dedicated request and involves a key exchange underneath as I understand it. Can't even attack a temporarily enabled session and guess passwords.

    4. Brian

      RDP not supported on XP home.

      Remote Desktop isn't supported by XP Home edition.

  8. Hollow

    Until you've worked somewhere..........

    .......that uses "companyname123*" as its default password for all 300 users and will not let them change it, you cannot just write things like this off as "A secure password is all that's needed" lol, because regardless of the fact that may be true, there are thousands upon thousands of desktop machines out there with utter tripe passwords, both corporate and personal, with crap passwords, some of which are enforced by the sysadmins themselves!

    1. Elmer Phud


      Even 'pa55w0rd' is too difficult for some.

      I got told off for using 'b0l10ck5' - and that was after I had to explain it to my manager, ffs.

      (he took a while over 'phuq0rft' as well).

      1. Jean-Luc


        Hmmm, are you the same Elmer Phud that, in the RSA thread, was clamoring end users should be summarily executed (after being quartered, tarred & feathered) for opening a phishing email?

        a) Why are you telling us what your passwords look like?

        b) Choosing passwords from a set of profanity lookalikes? You think that is totally original? Would you be willing to bet that no sample of your brilliant wit would be found in a dictionary of 100K (not 30) passwords?

        Paris, cuz, well...

    2. Anonymous Coward


      That's hardly the fault of the software though, is it?

  9. Anonymous Coward


    Can anyone shed some light into how logging works for RDP on Windows 7?

    On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

    In Event Viewer I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational".

    But the entries are only "Listener RDP-Tcp received a connection".

    I would like to know: where did the connection come from, which username was supplied, etc.


    1. Fuzz

      should be there

      Have a look for event ID 1149; also check the security log for event 4624.

      If you have network level authentication enabled then I don't think you are vulnerable to this worm. Also I doubt that a standard install of Vista or 7 is vulnerable because you can't log in as Administrator on those computers.
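
The two events named in the reply above can be read with PowerShell's `Get-WinEvent`. This is an added example, not part of any post in the thread; the 4625 (failed logon) query and the 2000-event limit are additions made here, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread. Run from an elevated prompt:
# reading the Security log requires administrator rights.
$rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Event 1149: user, domain and source address are Param1..Param3 in UserData.
Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; User = $p.Param1; Domain = $p.Param2; Source = $p.Param3
        }
    } |
    Select-Object Time, User, Domain, Source

# Security log: 4624 = successful logon. 4625 = failed logon; it is not
# mentioned in the thread and is added here because password guessing
# against RDP shows up as a run of failures from one source address.
# LogonType 10 = RemoteInteractive (RDP); 3 = Network, typically what is
# recorded when NLA authenticates before the desktop session starts.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <Data Name="...">value</Data> elements into a lookup table.
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $f[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = $f['TargetUserName']
            LogonType = $f['LogonType']
            Source    = $f['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -eq '10' -or $_.LogonType -eq '3' } |
    Select-Object Time, Id, User, LogonType, Source |
    Sort-Object Time
```

Failed logons appear only if logon-failure auditing is enabled in the local audit policy.
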

  10. Anonymous Coward


    "Windows servers and workstations are vulnerable." everyone who has stepped out of the dark ages will be fine!

    1. Tchou

      You mean...

      ...the 10% of the market who use another OS than Windows, from which 0,1% are tech savvy, from which 0.1% suckers thinks of themselves as "so brilliant everyone else is still in the Dark Ages"?

      1. Anonymous Coward


        There's such a thing as a non-tech-savvy Linux user?

  11. Roger 11

    Unabled by default?

    Is it possible that it's enabled by default on XP but not on Vista and Win7? It seems to me that when I do an XP install, I always have to disable it.

  12. Pondule


    MS say Remote Desktop isn't installable on XP Home and looking on the web the only way to install it on pre-SP3 versions is to hack the registry to fool Windows into believing it's XP Pro which is of course a breach of the EULA. Are you sure it's not just the RDP client that's installed?

  13. b166er


    Those knocking Windows for this are a bunch of Hamptons (the planks that drive 4x4's and think they know everything). RDP is off by default (Morteus, perhaps you should slipstream a service pack or three into your source).

    First things first, the Administrator account should be disabled by default (after first creating a new superuser). Secondly, password complexity should be a given. Lastly, RDP should be shut to the outside world, but open to localsubnet and using NLA where appropriate.

    Anyone getting pwned by this deserves it and it'll give us more work when they're outed to be the incompetent buffoons that they are.

    1. John 179


      Quite a few talking about how sloppy admins 'deserve' to get hacked. That's like saying that an old lady who forgot to close her purse 'deserves' to get robbed.

      Come on guys, let us not forget who is the criminal in all of this.

      Instead of cursing the dark, light a candle.

      1. Anonymous Coward

        Bravo for the sentiment.

        Now back to the real world.. here in the UK the Police spend their time putting signs up in car parks saying stupid things like "don't advertise to criminals" and "check you locked your doors.."

        Personally I would prefer it if they put up signs saying "Don't Steal".

        So now in this country it's your own fault if you are a victim. And that acting on opportunities as they arise is just good business. whether that is taking a phone from the end of a table.. or registering - Just business, and they wonder why the kids went looting!!

        those shops shouldn't have left valuables on display!

  14. Morteus

    My Bad...

    ... I was thinking of The Remote Assistance - 'nuff said!

  15. Anonymous Coward

    Remote Registry

    If you have used a sloppy password and the remote registry service is running, you could simply turn RDP back on.

  16. b166er

    No John

    Your analogy doesn't stack up.

    It's the admins' fault and they deserve to get pwned.

    The company they're responsible for OTOH, doesn't deserve it (apart from the fact they possibly scrimped on their IT budget and got lamers).

    But the admins deserve red hot pokers mate. In my mind they're 'criminally' incompetent and certainly grossly negligent.

    Your analogy for this example would be, the old lady who hired a bodyguard who was sleeping while she was robbed.

  17. Anonymous Coward

    "hack" attempts going on for years

    Seen port scans and logon attempts for years. I can't remember how many times I have seen these logon attempts. Good passwords prevent this. Also moving internet accessible servers (stuff like SBS) away from the default port stops this kind of "attack". Anyone who gets hacked by this deserves all they get :)
