John Brosnan, CEO of NetFort comments: Malicious worms historically targeted systems that were running software containing some flaw in the system logic, such as a buffer overflow. The Morto worm is different in that it targets systems that are vulnerable because of weak administrator passwords such as letmein or password.
Although the worm does not seem to have caused widespread damage, it is still rated as a severe threat by Microsoft, and organisations should take action to protect themselves. The Morto worm also shuts down security applications running locally, which will leave the network even more vulnerable to other kinds of attack.
Consequently, NetFort recommends three main steps to prevent Morto from causing harm:
- Every account should have a password, ideally with a minimum length of 16 characters including enforced complexity rules
- If you have to enable RDP access to a system on your network, ensure that the firewall rule enabling this access is specific to an IP address or at worst a particular subnet. Firewall rules should be continuously monitored so that if the need for the rule is deprecated the rule is removed
- Monitor your network so that you can detect if hosts on your network are infected and more importantly to identity how infected systems are coming on to your network
By following these steps businesses can not only avoid having passwords hacked and computers becoming infected but also ensure that company PCs are not used to launch denial of service attacks.