Morto worm reveals how bad IT is at passwords

Malware responsible for spike in unauthorized RDP traffic affects Windows PCs and servers globally

A password-guessing worm dubbed Morto is responsible for the recent spike in unauthorized RDP port traffic, serving as a reminder of just how bad IT admins are at coming up with strong passwords to protect critical resources.

The worm, which is connected to the spike in RDP traffic observed by SANS and Dshield on Aug. 3, works by attempting to log in to accounts using a series of incredibly weak passwords, such as "12345," "admin," "password," and "test," along with some brute-force dictionary guesses. It also attempts overly common logon names, including "administrator," "admin," "backup," and "sql."

According to Microsoft (my full-time employer), admins in 87 countries have been affected thus far, meaning Morto is a global problem, though it's not as prolific as other malware. Whereas 74 percent of the affected machines run Windows XP, suggesting users have weak passwords, 10 percent of the impacted systems are Windows server products. The IT staff members responsible for managing those systems should definitely know better.

As an IT security veteran, I've often spoken to the value of changing administrative passwords to something other than the weak defaults, not to mention choosing alternatives to default logon names. It's a well-established best practice; Microsoft and other vendors even offer group policies settings to assist in the task.

Nevertheless, I find default logon names and poor passwords for elevated accounts on nearly every security audit I perform, often on test computers and other "temporary" machines that have been on production networks for years. Usually, the administrative staff helping with the audit knows about these instances but has failed to eradicate them in a timely manner due to political or operational issues.

Don't let Morto call you out. Use strong passwords (12 characters and longer for elevated accounts) and change elevated account names from the defaults. You'll reduce the risk from Morto and plenty of other malicious hacking techniques.

This story, "Morto worm reveals how bad IT is at passwords," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.


Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform