Reverse engineering specialist dissects the Morto worm

According to Bitton, the code does not exploit any specific vulnerability, but simply relies on people installing the worm and then uses a brute force password attack to gain access to systems.

This is, he said, the first time he and his team have seen a worm like this, and the malware itself is sophisticated – even if the method of proliferation is not.

“Once again, we have an example highlighting the importance of good passwords. Blocking the spread of this worm relies on using a sophisticated password that isn't on the worm's dictionary list”, he says in his latest security posting, adding that the 100-plus passwords in the malware's dictionary include 111111, david, admin2, 123456 and rockyou.

Nearly two years after being published, he notes, the RockYou password list continues to be used by hackers in brute force password dictionaries.

“One thing we determined from looking at the worm was origin. Looking at DNS information, the worm seems to have originated from China, Hong Kong and Australia”, he said.

After dumping the code from Morto using the MoonSols win32dd.exe utility, Bitton said that RDP port 3389 with PID 1064 is one of the attack vectors used by the worm.

In addition, what is also notable about the malware, he said, is that during the infection process Morto creates four new files on the infected system and then deletes itself.

This may, Infosecurity notes, be one of the reasons why the Morto worm – which appeared on the malware scene earlier this summer – has infected so many systems. Once executed, it attempts to propagate itself to additional computers via RDP and spreads by forcing infected systems to scan for servers allowing an RDP login.

Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named Administrator using a number of common passwords.
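The spreading behaviour described above (repeated RDP logon attempts against the Administrator account from one source, followed by a success once a dictionary password matches) is exactly what a defender can look for in Windows Security logs. The following is an added example, not code from the article or from Bitton's analysis: it parses a constructed, simplified rendering of failed-logon (4625) and successful-logon (4624) records, flags any source that fails a configurable number of RDP (logon type 10) logons to Administrator inside a short window, and notes whether that source subsequently logged on successfully. The line format, the threshold and window values, and the sample addresses are assumptions; the dictionary-membership check uses only the five passwords the article names.

```python
"""Detect RDP brute-force bursts of the kind the article attributes to Morto.

Added example (not the article's or Bitton's code). Record format, threshold,
window and sample addresses are assumptions made for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The passwords the article names from the worm's dictionary (a sample, not
# the full 100-plus list); used for a local password-policy check.
MORTO_DICTIONARY_SAMPLE = {"111111", "david", "admin2", "123456", "rockyou"}

# Constructed sample records in an assumed flat format:
#   timestamp|event_id|account|logon_type|source_ip
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_LOG = """\
2011-08-28T10:00:01|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:02|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:02|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:03|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:04|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:05|4625|Administrator|10|203.0.113.7
2011-08-28T10:00:30|4624|Administrator|10|203.0.113.7
2011-08-28T10:01:00|4625|jsmith|2|192.0.2.15
2011-08-28T10:01:01|4625|Administrator|10|198.51.100.4
2011-08-28T10:09:00|4625|Administrator|10|198.51.100.4
"""


def parse_line(line):
    """Split one assumed-format record into typed fields."""
    ts, event_id, account, logon_type, source_ip = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "logon_type": int(logon_type),
        "source_ip": source_ip,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1),
                          target_account="administrator"):
    """Return sources with >= `threshold` failed RDP logons to the target
    account inside `window`, plus those that then logged on successfully."""
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()
    success_after_burst = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Only RDP (type 10) logons to the account the worm targets matter here.
        if ev["logon_type"] != 10 or ev["account"].lower() != target_account:
            continue
        if ev["event_id"] == 4625:
            q = recent[ev["source_ip"]]
            q.append(ev["time"])
            # Slide the window: drop failures older than `window` relative to now.
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ev["source_ip"])
        elif ev["event_id"] == 4624 and ev["source_ip"] in flagged:
            # A success from an already-flagged source suggests a guessed password.
            success_after_burst.add(ev["source_ip"])
    return {
        "brute_force_sources": sorted(flagged),
        "success_after_burst": sorted(success_after_burst),
    }


def is_in_worm_dictionary(password):
    """Local policy check: reject passwords the article lists from the worm."""
    return password.lower() in MORTO_DICTIONARY_SAMPLE


if __name__ == "__main__":
    result = detect_rdp_bruteforce(SAMPLE_LOG)
    print("Sources brute-forcing Administrator over RDP:", result["brute_force_sources"])
    print("Flagged sources that later logged on:", result["success_after_burst"])
    print("Is 'rockyou' in the worm's dictionary sample?", is_in_worm_dictionary("rockyou"))
```

On the constructed sample, 203.0.113.7 reaches five failures within seconds and is flagged, and its later 4624 is reported as a success after the burst; 198.51.100.4 fails only twice, eight minutes apart, so the sliding window never holds enough failures to trigger. The threshold and window are deliberately low to suit the short sample; on real logs they should be tuned to the environment's normal rate of mistyped RDP passwords.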
