Discussion on:

46 Comments

0 Votes
wow
pgit 12th Sep 2011
Thanks for the heads up. I have a few users accessing RDC from over the internet. It's through a VPN, but then you never know what one of the employees is going to download...
0 Votes
Contributor
You are welcome, Pgit
Michael Kassner Updated - 12th Sep 2011
For now all that is required to secure the client is a stiff password and/or using a port other than 3389.

I'm more curious as to how using the DNS TXT to communicate will shake out. I'm not sure how that can be mitigated.
0 Votes
Complex passwords
Craig_B 12th Sep 2011
As far as Morto goes, it only uses some very simple passwords at this time to attack RDP, stuff like 12345, admin, password. Simply changing password to Password would block this attack. Of course using even more complex passwords containing UPPERCASE, lowercase, numbers and symbols will make it more secure.
0 Votes
Contributor
I wasn't worried about that. My thrust was to showcase the new-found ability to communicate using DNS.
Polymorphic does include adding more abilities. Just as Zeus controllers move into the phone systems, this may add higher grade password breaking, more complex dictionaries will lead to brute forcing and then tailored rainbow tables.

Maybe C&C will fine tune attacks toward choice targets and all Morto is for is a toehold to root main services in businesses.
RDP on a PC effectively render Morto useless, instead of changing ports and passwords?

Thanks...

Philip
1 Vote
Contributor
At least for this iteration of Morto. I can't speak for future versions. With that in mind, I am trying to find out if RDP can be enabled remotely.

My concern is more towards the way Morto communicates. I suspect other malware developers will incorporate it.
My guess is that one would need only add the extra step to the initial dropper for initial penetrations into machines with RDP disabled. For Morto propagating under its own power, the question becomes if there are any ports open in front of remote-execution vulns that it could leverage to "open the door".

Be interested to see what you dig up though and how far off my guess is.
0 Votes
Contributor
You are right, Morto can be successful without self-propagation.
0 Votes
RDP remote startup
pgit 13th Sep 2011
"With that in mind, I am trying to find out if RDP can be enabled remotely."

I have looked at this myself, a client wanted to be able to do this. I told him I thought it was a bad idea, but he still wanted this capability.

Fortunately, you might say, I was unable to come up with a way to do it without opening things up to the point of having no firewall, and without some other remote access tool already enabled. (ergo what's the point)

We settled on a VPN on non standard ports, and the RDP server is running 24/7, but behind two solid firewalls, one isolating the VPN and allowing that channel to only access the one machine. Additionally, though that machine is on a private LAN with a large number of peers, it is only aware of a file server, and can't access any of its peers. If RDP gets compromised on this machine it will be the only host infected.

Its separate, isolated firewall (to the internet, with its own global IP) sends me traffic reports. The usage is pretty consistent, so I think an active bot would be obvious.

What I've never been able to do (but have tried in vain) is get something like nagios working, not only reporting but having the ability to reactively shut things down. Its difficulty lies in its complexity. An individual config is "simple" (I suppose you could say) but to be useful there's a lot to juggle with.
0 Votes
Contributor
Now all you have to worry about are individual instances of Morto doing their thing.
0 Votes
enable RDP via changing the registry? I've done it before to servers, so would assume there's nothing to stop them trying (obviously they'd need access from another machine to do this, but if they've compromised that machine you would expect them to be not too far behind others).
0 Votes
Ah, txt records.
seanferd 12th Sep 2011
I always thought it odd that they had not been used in such a way previously. That, and redirecting queries for the MS NCSI txt.

I love normal txt records, though, when implemented. They can be great for troubleshooting.
1 Vote
One soviet spy in England used yoghurt.
He noticed that yoghurt spilled on the street was universally repugnant to all people.
So, he used that as a binary signal. He'd splash a cup of yoghurt on the ground at the previously decided point, never pausing or looking back.
The person to receive the message would walk by and take note of the color of the yoghurt, white = 0, red = 1.
Urban people have trained themselves *not* to pay attention to vile substances on the ground (beyond what's necessary to avoid stepping in them). Works against counterintelligence too.
1 Vote
Contributor
Kind of like them using a pencil and us using a million dollar pen.
0 Votes
Contributor
How do you use the TXT files. I'd like to learn about that.
nslookup -type=txt which.opendns.com. 208.67.220.220
or
dig -t txt which.opendns.com. @208.67.220.220
if you use a Unix-like system or have DiG for Windows.

The IP addresses for the resolver in the command ensure you use OpenDNS for the query if you don't have your network configured to use OpenDNS for your resolver.

This tells you which location server you are using, which is handy for finding out why some people experience terrifying latency problems. If you are in Germany, and are routed by your ISP or some network provider to Chicago rather than Frankfurt or Amsterdam (Level 3, Roadrunner, I'm looking at you), it explains a lot. Sometimes I'll ask for a traceroute, and you'll see some customer routed past three closer resolver locations (including the one in the back yard) to some distant resolver because some ISP or IP or peering point is doing something really, really wrong. (And refuses to work with anyone to get their Anycast routing straightened out.)

But it all depends on what a resolver or authoritative NS offers in terms of txt files. I just happen to do a lot of OpenDNS user support. (They also have a handy "debug" lookup.)
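The nslookup/dig commands above fetch a TXT record and print its text; what a resolver, an IPS, or someone reading a Wireshark capture actually sees is the wire format, a sequence of length-prefixed character-strings of at most 255 bytes each. The following is an added example (not code from the commenter, OpenDNS, or TechRepublic): it constructs a minimal DNS response for which.opendns.com, parses the TXT answer the way a resolver would, and applies a crude inspection rule that flags long, high-entropy TXT data, the kind of thing an inspection device would need in order to tell a "which server am I on" reply from a payload. The answer text, the transaction ID, the TTL, and the length/entropy thresholds are all constructed assumptions; the real which.opendns.com reply looks different.

```python
import math
import struct

TYPE_TXT = 16
CLASS_IN = 1
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_txt_response(qname, texts, txid=0x1234, ttl=60):
    """Construct a minimal DNS response with one TXT answer for qname (sample data, not a real reply).

    Each text is split into character-strings of at most 255 bytes, as the TXT
    wire format requires, so long payloads arrive as several chunks."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = b""
    for text in texts:
        for i in range(0, len(text), 255):
            chunk = text[i:i + 255]
            rdata += bytes([len(chunk)]) + chunk
    # 0xC00C is a compression pointer to the question name, which sits at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it, remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_txt_answers(msg):
    """Return one record per TXT answer: name, ttl, number of chunks and the joined payload."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                  # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                           # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != TYPE_TXT:
            continue
        chunks = []
        pos = 0
        while pos < len(rdata):               # sequence of <len><bytes> character-strings
            slen = rdata[pos]
            chunks.append(rdata[pos + 1:pos + 1 + slen])
            pos += 1 + slen
        records.append({"name": name, "ttl": ttl, "chunks": len(chunks), "payload": b"".join(chunks)})
    return records


def shannon_entropy(data):
    """Bits per byte of the given payload."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_payload(payload, min_len=40, min_entropy=4.5):
    """Crude inspection rule (thresholds are assumptions): long, high-entropy TXT data is worth a look;
    a short prose answer such as 'which server am I on' is neither."""
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


# Constructed samples: a prose answer, and a stand-in for an encoded blob (a permutation of the
# base64 alphabet repeated twice, so every symbol is equally likely and the entropy is exactly 6 bits).
BENIGN_TEXT = b"server 1 at constructed-site"
SUSPICIOUS_TEXT = ("".join(B64_ALPHABET[(i * 37) % 64] for i in range(64)) * 2).encode("ascii")

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_TEXT), ("suspicious", SUSPICIOUS_TEXT)):
        rec = parse_txt_answers(build_txt_response("which.opendns.com", [text]))[0]
        print(label, rec["name"], rec["ttl"], rec["chunks"], looks_like_encoded_payload(rec["payload"]))
```

Two things the dig output hides are visible here: a payload longer than 255 bytes is carried as several chunks that the client joins, and an entropy/length rule is only a coarse filter, since legitimate machine-readable TXT data (the DKIM and SPF uses mentioned later in the thread) can also be long.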
0 Votes
The good folks over at Metasploit already have a module and relevant wordlist for those who want to test for Morto vulnerability.
0 Votes
Contributor
I forgot to mention that in the piece.
0 Votes
I hope Microsoft does something to help with this. Small Business Server workstations need RDP enabled on port 3389 so that users and support can access their computers remotely. It's been a great feature of SBS so far.
Great, but scary article - thanks!
The worm is exploiting weak passwords rather than a vulnerable bug in the program code. If Microsoft changes the default passwords then the worm's wordlist simply gets updated with the new passwords. Maybe it develops its own brute force or hybrid attack.

Hm.. my thought here was MS including a Fail2ban style program but they really already have that if you've set a lockout login attempt limit. Does the RDP connection not trigger that same lockout like the uname/passwd login prompt? Me thinks I need to go grab my Metasploit and go get locked out of a test system..
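The lockout policy is per account, so it says nothing about where the failures came from; the Fail2ban-style view the comment above wants is per source address. As an added example (not the commenter's code and not a Microsoft tool), here is that rule run over constructed log lines: failed logons are Security event 4625, logon type 10 is a RemoteInteractive (RDP) session and logon type 3 is what a failed Network Level Authentication handshake is logged as, and an alert fires when one source IP reaches five failures inside a sliding sixty-second window. The one-line log format, the addresses (RFC 5737 documentation ranges), the account names, and the threshold and window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified one-line rendering of the Security log fields we care about (constructed format;
# EventID, LogonType, TargetUserName and IpAddress are the real field names in event 4625).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

LOGON_FAILURE = 4625
# 10 = RemoteInteractive (an RDP session); 3 = Network, which is how a failed NLA handshake is logged.
RDP_LOGON_TYPES = {10, 3}


def parse_line(line):
    """Return the fields of one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Fail2ban-style rule: alert on a source IP with >= threshold RDP logon failures inside a
    sliding window. Threshold and window are assumptions, not Windows defaults."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    totals = defaultdict(int)     # ip -> all failures seen for that source
    users = defaultdict(set)      # ip -> account names tried from that source
    alerts = {}                   # ip -> alert record, created once when the threshold is crossed
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event_id"] != LOGON_FAILURE or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        totals[ip] += 1
        users[ip].add(ev["user"])
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"ip": ip, "first_failure": q[0], "triggered_at": ev["ts"]}
    for ip, rec in alerts.items():
        rec["failures"] = totals[ip]
        rec["users"] = sorted(users[ip])
    return list(alerts.values())


# Constructed sample: one source hammering a handful of trivial account names, one user who simply
# mistyped twice over ten minutes, and a local (type 2) failure that the rule must ignore.
SAMPLE_LOG = """\
2011-09-12T10:00:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2011-09-12T10:00:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2011-09-12T10:00:06Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2011-09-12T10:00:07Z EventID=4625 LogonType=10 TargetUserName=a IpAddress=203.0.113.5
2011-09-12T10:00:08Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2011-09-12T10:00:09Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.5
2011-09-12T10:00:10Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2011-09-12T10:00:11Z EventID=4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.5
2011-09-12T10:01:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2011-09-12T10:09:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2011-09-12T10:09:30Z EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} failures, accounts tried {a['users']}, "
              f"triggered at {a['triggered_at']:%H:%M:%S}")
```

The account-name list in the alert is what distinguishes a user who forgot a password from a dictionary run: one source trying 'a', 'admin' and 'administrator' in the same few seconds is the pattern described elsewhere in this thread.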
0 Votes
Contributor
Let us know what you find out.
No tiny if you may. My service here doesn't like Tiny'd URLs.

My next question is a hash available at the level this will be using to penetrate. I've cleaned enough systems lately that I'm starting to drive my F&F that I help to use systems hardened for use only to go to financial sites.

Of course if they are Windows, RDP gets turned off before it hits a network connection.
0 Votes
Contributor
To make sure, SBS will not allow the use of an alternate port?

I realize it would be additional work, but there are other services that might be a bit more secure. I have several clients that like TeamViewer and LogMeIn.
0 Votes
Blocking DNS TXT
GavGavGav 13th Sep 2011
I would assume that DNS TXT records could all be blocked -- both inbound and outbound -- by any IPS worth its salt (and probably by most firewalls with half-decent packet inspection too). I don't believe anything would break in standard environments by doing so, though I'm no DNS guru.

Incidentally it's interesting to see how Wikipedia describes the TXT record. I wonder if this is what gave the bad guys their "eureka" moment?

"Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework (although this provisional use of TXT records is deprecated in favor of SPF records), DomainKeys, DNS-SD, etc."
0 Votes
Contributor
I also am not well-versed enough to know the answer. I certainly will try and find out though. Thanks for bringing it up.
0 Votes
I had to fight this one before the signatures for it were out. Came to the client and found computers logging in as 'a'. Who's 'a'? I asked the client. You can only imagine they had no idea. A good learning experience from this is to audit your accounts. Remove all of them that aren't associated with a service or an individual.

Furthermore, I'd appreciate the DNS namespace associated with this worm. I'd like to check my Wireshark logs from the time I was under attack shortly afterwards to check for the payload.
0 Votes
Contributor
I remember seeing a list of the domains Morto tries to contact. But, I can't remember where. I will continue trying and post here if and when I find it. Sorry.
1 Vote
Just a quick question...
link470 Updated - 14th Sep 2011
What did you mean by "Most pros - and I agree - think using RDP is lame."? Just curious if you meant "the fact that this worm uses RDP is lame" or if you actually thought RDP was lame and most IT pros agree. I like using it myself, seeing as it's by far the easiest way to connect to a Windows Server for administration, and it's based on a Citrix core from what I know of. Just wanted to check, since I'd be surprised if many IT pros think using RDP was lame as it's the only best option for many. I don't use it for connecting to client desktops, only servers.

If it's the first one, then yes! I absolutely think the fact that it connects via RDP is lame.
1 Vote
Contributor
The experts I interviewed felt RDP was a bad choice for replication. RDP is not enabled on a vast majority of computers -- particularly consumer and home systems.
1 Vote
Makes much more sense, thanks!
link470 Updated - 13th Sep 2011
Ah, now I get it. I didn't *think* you were saying IT pros thought RDP was lame, but that definitely makes sense about it being a bad choice for replication of malware. Yes, I agree too! Great article as always, thanks for the information.
worked for has RDP enabled on most Windows servers.
We use RDP constantly for internal servers. I wouldn't put it on an outward facing server. (We only have Unix and Linux on outward facing servers anyway.)
1 Vote
Contributor
Misunderstood, Mark
Michael Kassner Updated - 13th Sep 2011
I did not get a percentage, but most agreed that the number of enabled computers was significantly less than those in default condition.

Something else to consider, the computers with RDP enabled are under the control of system admins. That usually means different ports and unique passwords.

Finally, I do not think whether the server is internal or not matters. Once Morto is embedded, it will try to phone home using DNS.
1 Vote
If you have someone that keeps using easy to break passwords, even after explaining why you would need hard passwords, would it be safe to say that just changing the port number would be enough?

(I have gotten to the point that I leave him alone. When something happens I just look at him and he swears that either 1) "I HAD a complex password" or 2) "The password had nothing to do with it." I just think "well HE is the reason I might not get fired." lol)
1 Vote
Contributor
Does that user have admin rights? If not, I do not believe it is an issue. Also changing the port will nullify this version of Morto. Can't say about the next-generation.
Would it be possible to treat him as outside the network... put up defenses between him and the rest of the network, just like with outward facing servers?

In all other kinds of defense it'd be useful to know where the attack will come, why not with this? Maybe the metaphor is wrong?
1 Vote
Contributor
An island stands alone.
1 Vote
You know, that's not a bad idea. So in essence I would be moving his office outside the building, right? He wants to work outside the guideline, we can put him outside the network.
2 Votes
Name him
AnsuGisalas 13th Sep 2011
redshirt grin
1 Vote
Hence
seanferd 13th Sep 2011
"rouge" employee, apparently. silly
You can enforce "complex" passwords through Group Policy.
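Group Policy's "Password must meet complexity requirements" setting is the control behind that advice, and it is stricter than the "change password to Password" trick suggested earlier in the thread. The following is an added example, not Microsoft's implementation and not the commenter's: it models the documented rule (at least six characters, three of the four character classes, and no occurrence of the account name or of any full-name token of three or more characters) and, separately, checks a candidate against the three trivial passwords named earlier in this thread. The delimiter set used to split the full name and the exact-match handling of the trivial list are assumptions; Morto's real list is longer than the three examples given here.

```python
import re
import string

# The three trivial passwords named earlier in this thread. A dictionary attack matches exact
# strings, so the check below is case-sensitive on purpose; a defender's own weak-list check
# would normally be case-insensitive and far longer.
TRIVIAL_PASSWORDS = {"12345", "admin", "password"}

# Characters treated as full-name separators (assumed set for this example).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Full-name tokens of three or more characters; shorter tokens are ignored by the rule."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def meets_windows_complexity(password, account_name="", full_name=""):
    """Model of the Windows 'Password must meet complexity requirements' policy."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:     # account name check is case-insensitive
        return False
    if any(tok.lower() in lowered for tok in name_tokens(full_name)):
        return False
    classes = [
        any(c.isupper() for c in password),                  # uppercase letters
        any(c.islower() for c in password),                  # lowercase letters
        any(c.isdigit() for c in password),                  # base-10 digits
        any(c in string.punctuation for c in password),      # non-alphanumeric characters
    ]
    return sum(classes) >= 3


def assess(password, account_name="", full_name=""):
    """What a defender wants to know about a candidate: is it on the trivial list, and would GPO accept it?"""
    return {
        "in_trivial_list": password in TRIVIAL_PASSWORDS,
        "meets_policy": meets_windows_complexity(password, account_name, full_name),
    }


if __name__ == "__main__":
    for candidate in ("password", "Password", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```

"Password" illustrates the gap between the two checks: it is not an exact match for the trivial list, so it would slip past a dictionary built from those three entries, yet it only uses two character classes and the policy rejects it outright.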
0 Votes
Contributor
That works quite well.
0 Votes
RDP
bkindle@... 18th Sep 2011
Ha, I had someone tell me the other day I needed to dump LogMeIn and go back to RDP because LMI was unsecure and banned in 40 states.......and they were serious too.

I love reading information that's contradictory of those claims!

With that out of the way, this sounds like a nasty little worm, the fact that it is using DNS to exploit the heart of a network, a DNS server and its replies. Am I understanding that correctly?
0 Votes
Contributor
What did they say about LogMeIn? I use it all the time and have not heard anything negative about it.

As for the DNS server, the bad guys have theirs set up to transmit instructions to the malware payload. Morto used RDP to mess with the network it's attacking.
0 Votes
Blowing smoke
bkindle@... 19th Sep 2011
I think they were just blowing smoke about nothing. This particular person tends to believe their own B.S. and blames all IT problems on vendors, not how it's implemented or actually supposed to function.

They told me that the state of Georgia banned it because it was unsecure and full of security holes, and then proceeded to tell me that I had to go back to using RDP for everything over a VPN. That's fine, but then I can't support my folks when they can't use the VPN client, hence why LogMeIn is a lifesaver.

It's not the first nor the last time I will hear this kind of tripe from this person. If you read the white paper and still feel unsafe, then maybe it's time to stop using the internet altogether.......

If Morto is using RDP on the inside of the network, that's enough for me to say I personally will not use RDP if at all possible, even if the default port is set differently. Thanks for the reply!
Had a laptop turn up with a Morto infection. Symantec's SEP v11 didn't detect it. Had to reformat the laptop in order to be sure it was clean. Wondering if this thing has continued to morph.