Morto: Another reason to secure local user accounts

Last updated at Tue, 26 Sep 2017 18:52:07 GMT

A worm abusing the Remote Desktop service is making the rounds, currently named Morto. This worm gains access by trying a small number of weak passwords for the local Administrator account. After compromising the server, the worm propogates using mapped shares and provides remote access to the worm's creator. Most public reports involve Morto gaining access to internet-facing servers, however it is likely that once Morto is behind a firewall, it can propogate to other local systems.

Fortunately, Metasploit (Framework, Express, and Pro) provide an easy way to test for weak passwords on the local Administrator account. The Metasploit Framework provides the smb_login module, which accepts a USERPASS_FILE option for accounts to test. This module can be used to quickly sweep your network for machines that Morto can gain access to. The usage for the Metasploit Framework is below.

First grab a copy of the USERPASS_FILE that corresponds to the username and password combinations that Morto tries. This is a simple text file containing the username followed by a space and then the password, one per line. You can download a copy of this file from HERE (save it to disk).

Now that the file has been saved to disk, start your copy of the Metasploit Framework, preferably via the Metasploit Console (msfconsole).

$ msfconsole

Once the console has loaded, select the smb_login module and configure the USERPASS_FILE option.

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set USERPASS_FILE /tmp/morto.txt

Now set the target range (RHOSTS) and increase the thread count (THREADS) to make things run smoothly. Disabling verbose output also makes the resulting output much more readable.

msf auxiliary(smb_login) > set RHOSTS 192.168.0.0/24
msf auxiliary(smb_login) > set THREADS 128
msf auxiliary(smb_login) > set VERBOSE false

Finally, let this module run and watch the output for successful logins. Any machine found vulnerable that has Remote Desktop exposed could become easy prey for this worm.

msf auxiliary(smb_login) > run
[*] Scanned 026 of 256 hosts (010% complete)

[ ] 192.168.0.141:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 'admin'

[*] Scanned 125 of 256 hosts (048% complete)

[*] Scanned 127 of 256 hosts (049% complete)

[*] Scanned 142 of 256 hosts (055% complete)

[*] Scanned 157 of 256 hosts (061% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

Metasploit Express and Metasploit Pro users can do the exact same thing via the Modules tab or via the Metasploit Pro Console. There is an easier way, however, especially if you already have an active project. Login to the user interface, select a project containing recent scan data, choose Bruteforce, check only the SMB protocol, and select "Known only" as the depth. Expand the Advanced Options screen and paste the contents of the morto.txt file into the Additional Credentials field, then click Launch Bruteforce. Not only will this identify vulnerable systems, but it will return sessions on each system.

-HD