
Morto?
Means "dead" in Portuguese and Italian, hopefully it has nothing to do with the payload...
It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable …
Um, no it's not enabled by default. You need to manually enable it or it's set via a GPO. In addition firewalls will obviously stop it.
However, if you read the article on F-Secure you'll realise that it tries to logon as "Administrator" and guesses from a password list of 30 (admin, letmein, 12345, password etc.). For a start they (or the vast majority) won't work on Windows 2008 as it enforces the default admin to have a "complex" password.
So you'll need a Windows 2000/2003 Server or Windows 2000/XP machine with no hardware firewall (or have port 3389 open) where the admin has a shit password and has manually enabled Remote Desktop.
Fuck em - if this catches these 'admins' out then they deserve it
Remote Desktop is NEVER enabled by default, and never has been.
On client versions of Windows you have to go to System Properties > Remote > enable remote access (and then it forces you to make sure your password is secure, meeting the Server 2008 password guidelines).
On server versions, it must be enabled via server manager. Note that some automated server 2008 R2 installs are configured to have it enabled by default, but this requires whoever runs the install to roll their own system image - by no means "standard".
One thing this article fails to mention is whether this is actually a bug/vulnerability in RDP (which I seriously doubt) or whether it is a case of one machine getting exploited (by having weak passwords) and then that machine exploiting others by bruteforcing RDP. Both cases can be easily mitigated by having secure passwords, throttling - or better yet, changing the RDP port.
Not to rain on a good rant, but RDP is NOT enabled by default.
While turning off unnecessary services is always a good idea to reduce your exposure to attack, and I certainly encourage anybody who doesn't need it to turn it off, another way to prevent your machines from being infected by this worm is to be current in your patches. This particular hole was patched in MS11-065, which was released weeks ago.
Why? What are we, men or mice? I use RDP all the time to access the computers on my home network, some of which haven't got monitors anymore. I am not going to turn that off because of some worm.
Besides it doesn't sound like RDP itself is at fault, but rather weak passwords are the way that it gains access. So anyone with half a brain should be safe anyway right?
Besides, I use Linux.
There is actually an RDP server package for linux, I think it's called x11rdp or xrdp (by server package, I mean server side package, so client in x11 terms.) It's pretty useful if you have lots of windows and a couple of linux boxes as it saves you installing an X11 server on your workstation.
Sorry I didn't make that clear, I use RDP from my Linux laptop to control the Windows PCs on the network. I have tried VNC before, but that means installing it on every Windows PC, whereas RDP is built in by default on the Windows Media Center 2005 and Windows 7 PCs that I have, and so is effortless and works really well. FreeRDP is also installed by default on the Linux distribution I use.
I have had to use VNC on Windows XP Home computers in the past, and it was annoying to set up and wasn't as quick, nor did it look as good as RDP.
Tut tut El Reg, after reading your story I thought there was a vulnerability in RDP... Lucky I went and checked with the source.
All this worm does is scan for RDP servers on the default port, and then try a small set of easy passwords on the admin account.
...that a worm can spread via an admin login using such a pathetic list of passwords. It is tempting to conclude that anyone with unprotected RDP, enabled local Administrator account, and a password for that account that's on that list, deserves what they get. "Why bother?" asks the article. To make the above point, perhaps?
XP Home has a terminal services service which is used when you share your desktop with a "helper" who is fixing your computer. However this isn't vulnerable to the attack here.
For the attack here to work you have to have enabled remote connections in System Properties and you have to be using one of the stupid passwords in the list for your Administrator account. You also have to either already have the worm on your network or you have to have the RDP port open to the Internet.
XP Home and likewise the Home editions of Win 7 (and I assume Vista) have Remote Assistance. It's RDP but without an open server. You have to specifically go in and make a request for assistance to someone who then gets access (done via Messenger I believe, but underlying protocol is RDP). Somewhat more secure as it's based on a dedicated request and involves a key exchange underneath as I understand it. Can't even attack a temporarily enabled session and guess passwords.
.......that uses "companyname123*" as its default password for all 300 users and will not let them change it, you cannot just write things like this off as "A secure password is all that's needed" lol, because regardless of the fact that may be true, there are thousands upon thousands of desktop machines out there with utter tripe passwords, both corporate and personal, with crap passwords, some of which are enforced by the sysadmins themselves!
Hmmm, are you the same Elmer Phud that, in the RSA thread, was clamoring end users should be summarily executed (after being quartered, tarred & feathered) for opening a phishing email?
a) Why are you telling us what your passwords look like?
b) Choosing passwords from a set of profanity lookalikes? You think that is totally original? Would you be willing to bet that no sample of your brilliant wit would be found in a dictionary of 100K (not 30) passwords?
Paris, cuz, well...
Can anyone shed some light into how logging works for RDP on Windows 7?
On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.
In Event Viewer I can find entries under "Applications and Services Logs - Microsoft - Windows - TerminalServices-RemoteConnectionManager - Operational".
But the entries are only "Listener RDP-Tcp received a connection".
I would like to know: where did the connection come from, which username was supplied, etc.
Anyone?
Have a look for event ID 1149; also check the Security log for event 4624.
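The two event IDs named in that reply can be pulled together with a short script. This is an added example, not code from the thread; it assumes an elevated PowerShell session on Windows 7 or later and parses each event's XML to recover the connecting user and source address.

```powershell
# Added example: list RDP connection events from the two logs named above.
# Event 1149 (TerminalServices-RemoteConnectionManager/Operational) carries
# user, domain and client IP as Param1/Param2/Param3 under UserData/EventXML.
# Event 4624 (Security) with LogonType 10 (RemoteInteractive) is a completed
# RDP logon; its fields are Name-attributed <Data> elements under EventData.
function Get-RdpConnectionEvents {
    param([int]$MaxEvents = 50)

    $listener = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id      = 1149
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Source   = 'RCM/1149'
            User     = $x.Event.UserData.EventXML.Param1
            Domain   = $x.Event.UserData.EventXML.Param2
            ClientIP = $x.Event.UserData.EventXML.Param3
        }
    }

    # 4624 is noisy (services, scheduled tasks), so read a larger window and
    # keep only the RemoteInteractive logons.
    $security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents ($MaxEvents * 20) -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Source   = 'Security/4624'
                User     = $d['TargetUserName']
                Domain   = $d['TargetDomainName']
                ClientIP = $d['IpAddress']
            }
        }
    }

    @($listener) + @($security) | Sort-Object Time -Descending
}

Get-RdpConnectionEvents | Format-Table -AutoSize
```

Reading the Security log requires administrator rights; the Operational log needs to be enabled in Event Viewer if it is empty.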
If you have network level authentication enabled then I don't think you are vulnerable to this worm. Also I doubt that a standard install of Vista or 7 is vulnerable because you can't log in as Administrator on those computers.
MS say Remote Desktop isn't installable on XP Home and looking on the web the only way to install it on pre-SP3 versions is to hack the registry to fool Windows into believing it's XP Pro which is of course a breach of the EULA. Are you sure it's not just the RDP client that's installed?
Those knocking Windows for this are a bunch of Hamptons (the planks that drive 4x4s and think they know everything). RDP is off by default (Morteus, perhaps you should slipstream a service pack or three into your source).
First things first, the Administrator account should be disabled by default (after first creating a new superuser). Secondly, password complexity should be a given. Lastly, RDP should be shut to the outside world, but open to the local subnet and using NLA where appropriate.
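A read-only audit of those three points (built-in Administrator disabled, password complexity enforced, RDP restricted and using NLA), written as an added example rather than anything from the thread; it assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later and reports, but does not change, the settings.

```powershell
# Added example: check the hardening posture described above without modifying anything.
function Test-RdpHardening {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # The built-in Administrator is always RID 500. Win32_UserAccount works on
    # Windows 7, which has no Get-LocalUser cmdlet.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"

    # Password complexity is only exposed through the local security policy:
    # export it to a temporary .inf and read the flag back.
    $cfg = Join-Path $env:TEMP 'rdp-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $complexity = [bool]((Get-Content $cfg) -match '^PasswordComplexity\s*=\s*1')
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # fDenyTSConnections = 1 means Remote Desktop is off;
    # UserAuthentication = 1 means NLA is required on the RDP-Tcp listener.
    $rdpOn = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    $nla   = (Get-ItemProperty $tcp).UserAuthentication -eq 1
    $port  = (Get-ItemProperty $tcp).PortNumber

    # Enabled inbound allow rules for that TCP port whose remote address is "*"
    # expose the listener to every network, not just the local subnet.
    # (Direction 1 = in, Action 1 = allow, Protocol 6 = TCP.)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $open = @($policy.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
        $_.Protocol -eq 6 -and $_.LocalPorts -eq "$port" -and $_.RemoteAddresses -eq '*'
    })

    [pscustomobject]@{
        AdministratorDisabled = [bool]$admin.Disabled
        PasswordComplexity    = $complexity
        RemoteDesktopEnabled  = $rdpOn
        NlaRequired           = $nla
        ListeningPort         = $port
        RulesOpenToAnyAddress = $open.Count
    }
}

Test-RdpHardening
```

A machine matching the comment above reports AdministratorDisabled and PasswordComplexity as True, NlaRequired as True, and RulesOpenToAnyAddress as 0.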
Anyone getting pwned by this deserves it, and it'll give us more work when they're outed to be the incompetent buffoons that they are.
Now back to the real world... here in the UK the police spend their time putting signs up in car parks saying stupid things like "don't advertise to criminals" and "check you've locked your doors..."
Personally I would prefer it if they put up signs saying "Don't Steal".
So now in this country it's your own fault if you are a victim. And acting on opportunities as they arise is just good business, whether that is taking a phone from the end of a table or registering amywinehousefoundation.com - just business, and they wonder why the kids went looting!!
those shops shouldn't have left valuables on display!
Your analogy doesn't stack up.
It's the admins' fault and they deserve to get pwned.
The company they're responsible for OTOH, doesn't deserve it (apart from the fact they possibly scrimped on their IT budget and got lamers).
But the admins deserve red hot pokers, mate. In my mind they're 'criminally' incompetent and certainly grossly negligent.
Your analogy for this example would be, the old lady who hired a bodyguard who was sleeping while she was robbed.
Seen port scans and logon attempts for years. I can't remember how many times I have seen these logon attempts. Good passwords prevent this. Also moving internet accessible servers (stuff like SBS) away from the default port stops this kind of "attack". Anyone who gets hacked by this deserves all they get :)