New computer worm targets remote desktop users
A particularly virulent computer "worm" is attacking Windows computers using remote desktop connections, which allow the user to access a computer from afar.
The Morto worm tries a series of common administrator passwords to gain access to the machine. If it is successful, it sets itself up to get updates and to disrupt security applications on the machine, while waiting for orders to perform denial-of-service attacks.
The Duke University IT Security Office is alerting IT groups across campus and in the health system about this threat and taking steps to block the worm from getting back to the IP addresses where it gets its updates. If you have concerns that your machine is infected, please contact your local IT support or the OIT Service Desk immediately. To prevent infection in the first place, use these standard procedures:
1. Use a strong password. Morto tries only a small set of common (read: weak) administrator passwords looking for the quick, easy hit. Strong passwords are at least eight characters long, including upper-case and lower-case letters, numbers and other characters. For added security, try using a passphrase, rather than a password.
2. Run an up-to-date scanning and removal tool. Run the Microsoft malicious software removal tool (available through Windows Update), Malwarebytes (available from the Duke software downloads page), and an up-to-date antivirus solution (also available on the Duke software page).
3. Limit user privileges on the computer. Always operate your computer from a standard user account, rather than an administrator account, unless absolutely necessary. Running as local administrator makes this worm's job much easier, because it is looking for administrator account access and because it installs itself using administrator rights.
4. Ensure that the firewall on your computer is enabled. Also, configure your firewall to allow RDP connections only from IP addresses you trust, like Duke IP addresses and VPN addresses. (Your IT support can help with this.)
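As an added example (not part of the Duke advisory), the following PowerShell script, run from an elevated prompt on Windows 8 / Server 2012 or later, applies steps 3 and 4 of the procedure above with the built-in NetSecurity cmdlets: it turns the firewall on for every profile, scopes the inbound Remote Desktop rules to trusted address ranges, and then summarises recent failed logons (Security event 4625) by source address so that password guessing of the kind Morto performs is visible. The address ranges are placeholders; replace them with your own campus and VPN ranges.

```powershell
# Added example: restrict inbound RDP to trusted ranges and check for password guessing.
# Not from the Duke advisory. Requires an elevated prompt and the NetSecurity module.

# ASSUMPTION: placeholder ranges (RFC 5737 documentation space); replace with your
# institution's campus and VPN ranges.
$TrustedRanges = @('192.0.2.0/24', '198.51.100.0/24')

# Step 4a: make sure the Windows Firewall is enabled for all network profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Step 4b: limit the built-in inbound Remote Desktop rules to the trusted ranges.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
foreach ($rule in $rdpRules) {
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges -Enabled True
}

# If no built-in rule group exists on this system, add an explicit rule instead
# (TCP 3389 is the default RDP listener port).
if (-not $rdpRules) {
    New-NetFirewallRule -DisplayName 'RDP from trusted ranges only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $TrustedRanges -Action Allow
}

# Detection: a worm guessing administrator passwords produces a burst of failed
# logons (event 4625) from one source address against a few account names.
# Event 4625 stores the target user in Properties[5] and the source IP in
# Properties[19]. RDP failures may be logged as logon type 10 or, when Network
# Level Authentication is on, as type 3, so no logon-type filter is applied here.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$failed |
    Group-Object { '{0} -> {1}' -f $_.Properties[19].Value, $_.Properties[5].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```

Any source address that appears with a high count against accounts such as Administrator is a candidate for blocking at the firewall and for reporting to your IT support.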
For added security:
- Make sure your computer is fully patched by running Windows Update or Microsoft Update.
- Be careful about opening attachments and file transfers from sources you don't trust.
- Be careful about clicking on links on webpages and in email (TIP: hover your mouse pointer over a URL and check that the destination matches the one displayed in the email or on the webpage).
- Remember that Duke and other reputable organizations, like banks, will never ask you for account or password information via email.