Morto Worm
the_Grinch
Member Posts: 4,165 ■■■■■■■■■■
So, I am sure some of you have seen this thing in your various environments. Currently, we've had one customer get infected. Now I am worried about the rest and want to suggest to management that we take some steps to stop the worm before it starts. In the various material I reviewed in regards to the worm, Trend stated that they were blocking the sites it uses to download its payload. Microsoft listed the URLs that are used for this, so I figure that if we add those entries into the various web filters we should be good to go (obviously, more needs to be done to address the overall reasons for the infection in the first place). Is my thinking correct in this case? Can we just update the various filters to automatically block connections to the eight sites it uses to get its payload/updates?
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
Comments
RTmarc Member Posts: 1,082 ■■■□□□□□□□
Remove simple passwords and block access to/from the listed IPs/domains.
Done.
ipSpace Member Posts: 147
Enable logging so you can see exactly what PCs are trying to reach those IPs/URLs, thus finding and killing the worm much quicker.
My Network & Security Blog with a focus on Fortigate. New post on how to create a fortigate ssl vpn.
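One way to act on the logging suggestion above, as an added example that is not part of the original thread: it scans web-filter log lines for clients that tried to reach a blocked domain, so those PCs can be inspected first. The log format, the sample lines, the function names and the blocklist entries are all assumptions; the placeholder domains stand in for the ones Microsoft lists.

```python
from collections import defaultdict

# Placeholders: substitute the domains from the vendor write-up.
BLOCKLIST = {"payload-host-1.example", "payload-host-2.example"}

# Constructed sample lines: "<timestamp> <client_ip> <action> <destination>"
SAMPLE_LOG = """\
2011-08-30T09:14:02 10.1.4.23 DENY payload-host-1.example:80
2011-08-30T09:14:05 10.1.4.23 DENY update.Payload-Host-2.example.
2011-08-30T09:15:40 10.1.7.88 ALLOW www.example.org
2011-08-30T09:16:11 10.1.9.12 DENY notpayload-host-1.example
2011-08-30T09:17:30 10.1.7.88 DENY payload-host-2.example
truncated line
"""


def normalize(dest):
    """Lower-case the destination, drop a :port suffix and a trailing dot."""
    host = dest.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def matches(host, blocklist):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def hosts_to_inspect(log_text, blocklist=BLOCKLIST):
    """Map each client IP to the listed domains it tried to reach, with counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        _ts, client, _action, dest = fields
        host = normalize(dest)
        # Count the attempt whether the filter allowed or denied it.
        if matches(host, blocklist):
            hits[client][host] += 1
    return {client: dict(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    for client, domains in sorted(hosts_to_inspect(SAMPLE_LOG).items()):
        print(client, domains)
```

Matching on the whole domain label avoids flagging look-alike names such as the `notpayload-host-1.example` line in the sample.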
SephStorm Member Posts: 1,731 ■■■■■■■□□□
What's a worm?
No seriously, I've never heard of it. (this worm)
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Encyclopedia entry: Worm:Win32/Morto.A - Learn more about malware - Microsoft Malware Protection Center
Little light reading for you. It's actually pretty cool....