Yesterday F-Secure posted some information about “Morto,” a new Internet worm. It spreads via Windows Remote Desktop Protocol (RDP) and relies on weak passwords for the local Administrator account. Once access is gained, Morto creates shares and copies itself for further propagation, and the compromised machine can be controlled remotely.
According to F-Secure, this worm is spreading. Why?
Here’s the list of passwords that F-Secure has on their post:
The reason I’m asking “why” is that, if you’ve got decent policy in place, you’re going to have at least one relevant control covered: strong authentication. Strong authentication means password complexity is enabled, which on most Windows machines means you’ve got a length requirement (PCI requires a length of seven) and a complexity requirement, among others.
PCI provides the shortest recommended length I’ve seen (seven). CIS typically recommends lengths of eight characters or more as does DISA. By my count, 21 of the 31 passwords in that list don’t meet basic password length constraints.
Complexity requirements for Windows Server 2003 are covered here, and are representative of most Windows platforms. In short, complexity requires three of the following five character categories: lowercase, uppercase, numeric, non-alphanumeric, and unicode. I don’t see a single password in Morto’s list that meets these requirements.
The major difference here, I think, is that Morto is looking at local user accounts, so you’ve got to ensure that your strong authentication policy applies to local accounts as well as domain accounts, and that your technical controls (complexity settings and others) follow suit.
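The length and complexity checks described above, as an added example that is not code from the original post or from F-Secure. It encodes the post’s numbers (PCI minimum of seven, CIS/DISA minimum of eight) and the editor’s reading of the Windows complexity rule (three of five character categories, and the account name may not appear in the password); the password list is constructed for illustration because F-Secure’s list is not reproduced here, and `Administrator` is assumed as the local account name.

```python
"""Check passwords against the controls the post names: PCI minimum length 7,
CIS/DISA minimum 8, and Windows complexity (three of five character categories,
account name not contained). Editor's reading of the Windows rule, not the post's code."""
import string

PCI_MIN_LENGTH = 7        # shortest minimum the post cites (PCI)
CIS_DISA_MIN_LENGTH = 8   # CIS and DISA recommendation cited in the post


def categories_used(pw: str) -> frozenset:
    """Which of the five Windows character categories pw draws from."""
    used = set()
    for c in pw:
        if not c.isascii():
            used.add("unicode")
        elif c.islower():
            used.add("lowercase")
        elif c.isupper():
            used.add("uppercase")
        elif c.isdigit():
            used.add("numeric")
        elif c in string.punctuation:
            used.add("non-alphanumeric")
    return frozenset(used)


def meets_windows_complexity(pw: str, account_name: str = "Administrator") -> bool:
    """Three-of-five categories; the account name may not appear (case-insensitive,
    checked only when the name is at least three characters, as Windows does)."""
    if len(account_name) >= 3 and account_name.lower() in pw.lower():
        return False
    return len(categories_used(pw)) >= 3


def audit(passwords, account_name: str = "Administrator") -> dict:
    """Counts in the form the post uses ('N of M fail ...'), plus the survivors."""
    passing = [pw for pw in passwords
               if len(pw) >= CIS_DISA_MIN_LENGTH and meets_windows_complexity(pw, account_name)]
    return {
        "total": len(passwords),
        "below_pci_length": sum(len(pw) < PCI_MIN_LENGTH for pw in passwords),
        "below_cis_length": sum(len(pw) < CIS_DISA_MIN_LENGTH for pw in passwords),
        "fail_complexity": sum(not meets_windows_complexity(pw, account_name) for pw in passwords),
        "passing": passing,
    }


# Constructed sample list standing in for the F-Secure list (not reproduced here).
SAMPLE_PASSWORDS = ["admin", "password", "123456", "letmein", "Admin123",
                    "P@ssw0rd", "Administrator1!", "pässword", "Tr0ub4dor&3"]
```

Running `audit(SAMPLE_PASSWORDS)` shows the effect the post describes: only the entries that clear both the eight-character minimum and the three-of-five rule survive, and `Administrator1!` fails despite its mix of characters because it contains the account name.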
I haven’t covered Remote Desktop settings, which are another mitigation against Morto. Let’s face it, RDP is useful (if not critical) in enterprise settings, and it seems that passwords are the gatekeeper if we want to leave RDP up and running. But, if you’re concerned about that, have a look at some of the CIS benchmarks for Windows platforms, and I think you’ll be happy that they have RDP covered as well.
One last thing about Morto… There’s a Tripwire Enterprise policy for that! Many Tripwire Enterprise policies are based on well-regarded standards including, but not limited to, CIS, DISA, and PCI. If you’re already running Tripwire Enterprise to continuously monitor your security configurations, then chances are you’re using a policy that has you covered.
If you’re interested in learning how to implement a layered security program, check out this new white paper by Brian Honan: Layered Security: Protecting Your Data in Today’s Threat Landscape.