The Morto worm threat: Use it to improve your security

Roger A Grimes looks at how to defend against the worm

The recent discovery of Morto, the RDP password-guessing worm, provides a great opportunity to revisit the importance of fine-tuning your organisation's defensive strategies. Morto, after all, doesn't simply exploit an unpatched software vulnerability; it employs multivector attacks, tricking users into downloading it, then using authentication guessing to break into accounts. IT admins need to be prepared to identify and defend against these sorts of multipronged threats. For example, readers who've focused on Morto's interesting RDP usage and password guessing might be missing the bigger lessons. The worm is getting around because users are being tricked (yet again) into running something they shouldn't. That certainly exemplifies the need to improve user education at your own company - and opens a host of other questions about your security. My challenge to all admins is to look beyond the acute problem (in this case, computers exploited by Morto) and look at the strategic reasons why computers under your control became infected. When you find causative agents, are you responding most effectively? If you don't address the specific threat with a specific, best defense, you can't expect improvement. For example, what if your network became infected, not by one of your own users but via a third party's connected network? Further, are your firewall rules set correctly, or do you allow RDP connections from any computer to any computer, even if it is unneeded? Are admin-level accounts left with their default logon names? Are there poorly protected passwords? Are users with admin-equivalent rights opening internet links? Morto writes to system-protected areas and would not succeed if the infected user was not running an elevated account at the same time as they opened the link. All IT departments should be consciously aware of how their environments are being exploited. They shouldn't care about malware family names, country of origination, or the users involved. But they should know the top 10 threats and your plan to address them. Everyone should know how the environment is most often exploited and work cohesively as a team to fight the biggest risks first. Consider the Conficker worm: It had multiple means of attacking computers. Early on, most observers thought Conficker's biggest threat was against unpatched systems. But in the field, I saw many of my clients affected by the worm, though their systems were appropriately patched. I determined this probably meant Conficker was successfully propagating via infected USB keys, a conclusion that Microsoft (my full-time employer) reached as well. In response, Microsoft issued a security patch that disabled the autorun functionality, which led to millions of fewer instances of malware infections from Conficker and other autorunning malware. Some antivirus software vendors have questioned just how successful the fix was, but regardless of the specific numbers (estimates of the decrease range from 15 to 75 percent), one strategic decision led to a significant dip in malware risk. Identifying and responding to multivector threats means being aware of them early on. Is your IT security infrastructure strategically defined to measure root-cause analysis and create the necessary data to respond with better, fine-tuned responses? Or does it rely upon a few humans noticing a trend and hoping their personal speculations will filter up to decision makers who might notice the significance and respond accordingly? Instead of hoping, design into your system a proactive early-warning telemetry. When the next major malware or hacking trend occurs, such as a boot virus, macro virus, email scripting worm, fake AV program, autorun malware, or more, be better prepared to notice and, better yet, respond more quickly. We don't do a good job at that in IT security. Imagine if a warring military unit noticed where it was taking on the most casualties and didn't respond to close the hole. That unit would lose the battle. That's exactly what we're doing over and over -- it's time to fight a better war. Grimes is contributing editor at the InfoWorld test centre and a security architect for Microsoft’s InfoSec ACE Team

Join the newsletter!

Error: Please check your email address.

Tags morto wormSecurity ID

Show Comments