Tuesday, August 30, 2011

The W32/Morto Worm

     New in the news world today is something that has happened before in the past.  That's right, it seems that Windows Systems are now vulnerable to a new worm again.  These exploits occurs due to weak security measures taken by, who guessed it?..  users of remote desktop software who set up their passwords really lazily!  Weak passwords that can easily be obtained with brute force dictionary cracks are being taken over by storm.  That's right, whoever of you are still using your first name or the last 4 digits of your social are running a high risk.  Both servers and workstations are targets.  Neither are safe.

This will do not good.

  Once the virus takes over a system it then connects to another server and checks if it needs to make any updates.  So if patches are made and you restart your machine while your AVG is starting up it will be too late because the boot sector has already triggered to update itself.  You mean I've got to reformat again?  Good thing I learned from last time and backed up all of my data, erhmmmmm.  Tools like Nmap, ettercap and Metasploit have been used to manually scan and find open holes in remote systems for years, and now this virus has been scripted to do all of this automatically and then report back to it's controllers with a wide array of system statistics to be stored in a database.  Imagine that, the attacker only has to then wait as the list of systems taken over increases.  They then have a spreadsheet full of addresses with the key codes and the size of storage available with instant access to bots that will do anything desired at those locations.  Sounds like the amount of control that Batman would have had to of used all of those microphones all over Gotham to track down the Joker.

  Anyways, Morto, the "death" worm, can obtain these weak administrator passwords automatically, even on systems with all of the latest patches.  Now once a system has been accessed the virus then deactivates the local security measures like anti-virus programs and firewalls in order to protect itself, then it checks for local network connections systems with the RDP enabled.  It then starts creating new files..

\windows\Offline Web Pages\cache.txt
\windows\Offline Web Pages\1.40_Test Ddos
\windows\Offline Web Pages\<DATE>

  ..and many more.  The systems can then be commanded remotely to launch strikes to targeted sites via Distributed Denial of Service invasions, flooding a network's service traffic with endless packets requesting information.  This causes a slowdown as no genuine user inquiries to a service are able to process amongst all of the inordinate junk queries.  It's kind of hard to defend against DDoS attacks because once an IP address is targeted it's kind of hard to defend against an attack.  It'd be like trying to keep your mailbox from being repeatedly destroyed by teenagers with baseball bats by moving your mailing address.  They won't know where to hit it again until they figure out where you moved it to, or figure out your P.O. Box number.  That analogy is useless in trying to find a way to stop this kind of action because snail mail relies much less on seemingly instantaneous transmissions as the internet.  Hopefully some day some creative individual, like whoever thought up this simplistic idea of spamming a website to shut it down, will think up a way to circumvent these sort of battles.  Something like proxies that only reveal the correct direction to go when a captcha has been correctly entered, but then the attackers would most likely just go after the proxies.


No comments:

Post a Comment