I’m really at a loss as to why this is an issue. I know, I know, fire bad and all that sort of rot. But realistically, this worm should not be successful. If we’re being really honest with ourselves, this is a lesson in why some people should not be permitted to touch a keyboard.
From Help Net Security:
“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled,” explains F-Secure. “This creates a lot of traffic for port 3389/TCP, which is the RDP port.”
When such a machine is found, the worm proceeds to try to brute-force its way to an Administrator account. It tries around thirty most often used passwords (admin, password, 111111, 12345, and similar).
A comment from a Microsoft forum on this subject was amusing: “We noticed a bunch of outgoing RDP hits on our firewall. It was determined to be infected and reprovisioned as NEW, fully patched 2003 R2.”
Fully patched… O_o
I’ve heard all kinds of nonsense like using a different port and other such “solutions”. The moral of the story… DON’T BE AN ASSCLOWN!
Use a password that my three year old couldn’t guess on the first try. How about that?
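The "bunch of outgoing RDP hits" from the forum comment is exactly what the scanning stage quoted above looks like on a firewall: one internal host touching many distinct machines on 3389/TCP in a short time. The sketch below is an added example, not part of the original post; the log format, the addresses and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (format assumed for this example):
# timestamp action src_ip dst_ip dst_port/proto
SAMPLE_LOG = "\n".join(
    [f"2011-08-29T10:00:{i:02d} ALLOW 10.0.0.23 10.0.0.{i} 3389/tcp" for i in range(1, 9)]
    + [
        "2011-08-29T10:01:00 ALLOW 10.0.0.50 10.0.0.5 3389/tcp",   # admin workstation
        "2011-08-29T10:09:00 ALLOW 10.0.0.50 10.0.0.6 3389/tcp",
        "2011-08-29T10:02:00 ALLOW 10.0.0.23 192.0.2.10 443/tcp",  # not RDP, ignored
        "garbled line",                                            # malformed, ignored
    ]
)

def parse_line(line):
    """Return (timestamp, src, dst, port) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4].lower()

def rdp_scanners(log_text, min_targets=5, window_s=60):
    """Map each source that hit >= min_targets distinct hosts on 3389/tcp
    within any window_s-second span to the largest such fan-out seen."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "3389/tcp":
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits window_s.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in rdp_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted {count} distinct hosts on 3389/tcp within 60s")
```

Counting distinct destinations rather than raw connections keeps an admin who reconnects to the same server all day from being flagged.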
Even the bird thinks this is dumb.
(Image used under CC from Peregrine’s Bird Photography)