Worm spreads via RDP

It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable …

COMMENTS

  1. J 3
    Happy

    Morto?

    Means "dead" in Portuguese and Italian, hopefully it has nothing to do with the payload...

  2. martin 62
    FAIL

    disable RDP

    The way to stop your PC being infected is to disable RDP, which will stop the attack. The problem is that RDP is enabled by default in Windows (why?) and many non-technological people don't realise that it is even turned on (or that it even exists).

    1. The Original Steve
      FAIL

      Huh?!

      Um, no it's not enabled by default. You need to manually enable it or it's set via a GPO. In addition firewalls will obviously stop it.

      However if you read the article on F-Secure you'll realise that it tries to log on as "Administrator" and guesses from a password list of 30 (admin, letmein, 12345, password etc.). For a start they (or the vast majority) won't work on Windows 2008 as it enforces the default admin to have a "complex" password.

      So you'll need a Windows 2000/2003 Server or Windows 2000/XP machine with no hardware firewall (or have port 3389 open) where the admin has a shit password and has manually enabled Remote Desktop.

      Fuck em - if this catches these 'admins' out then they deserve it

      1. jpj
        Angel

        Bit harsh!

        At least if the admins are home users.

        Anyway, I'd add this to the list of things to do to prevent attacks like these:

        - Rename the Administrator account.

    2. Anomalous Cowturd
      Linux

      Haven't we heard this before?

      Access enabling services, enabled by default. Then subverted...

      Some people (yes, Microsoft, I'm looking at you!) never learn... Even after numerous "warnings"...

      Obvious icon ^_^

    3. Neoc

      Re: Disable RDP

      Why? I think you answered your own question: The people who would most likely need Remote help are most probably the ones least likely to be able to follow instructions on how to turn on RDP.

      Sad but true. (7yrs on help-desk makes you believe the worst of the end user)

    4. Vigilante
      WTF?

      Wrong...

      Remote Desktop is NEVER enabled by default, and never has been.

      On client versions of windows you have to go to system properties > remote > enable remote access (and then it forces you to make sure your password is secure, meeting the server 2008 password guidelines).

      On server versions, it must be enabled via server manager. Note that some automated server 2008 R2 installs are configured to have it enabled by default, but this requires whoever runs the install to roll their own system image - by no means "standard".

      One thing this article fails to mention is whether this is actually a bug/vulnerability in RDP (which I seriously doubt) or whether it is a case of one machine getting exploited (by having weak passwords) and then that machine exploiting others by bruteforcing RDP. Both cases can be easily mitigated by having secure passwords, throttling - or better yet, changing the RDP port.

    5. Donn Bly
      FAIL

      @martin 62

      Not to rain on a good rant, but RDP is NOT enabled by default.

      While turning off unnecessary services is always a good idea to reduce your exposure to attack, and I certainly encourage anybody who doesn't need it to turn it off, another way to prevent your machines from being infected by this worm is to be current in your patches. This particular hole was patched in MS11-065, which was released weeks ago.

    6. Anonymous Coward
      Anonymous Coward

      Don't think so

      RDP is disabled by default

      1. Not That Andrew
        FAIL

        Do some research, you morons.

        I dunno about XP SP3, but XP SP2 and earlier have RPC enabled by default.

        1. xenny

          That beam in your eye....

          RPC is indeed enabled by default, but the vector is RDP, which is disabled by default. :-P

        2. Jason Terando
          Facepalm

          RPC != RDP

          RPC = Remote Procedure Call service

          RDP = Remote Desktop Protocol service

          Research done for you, Genius

        3. Anonymous Coward
          FAIL

          re: Do some research

          "I dunno about XP SP3."

          Ironic that. Not to mention the rpc<>rdp fail.

    7. Connor
      Linux

      Turn off RDP?

      Why? What are we men, or mice? I use RDP all the time to access the computers on my home network, some of which haven't got monitors anymore. I am not going to turn that off because of some worm.

      Besides it doesn't sound like RDP itself is at fault, but rather weak passwords are the way that it gains access. So anyone with half a brain should be safe anyway right?

      Besides, I use Linux.

      1. Mad Hacker
        Headmaster

        You use Linux but you use RDP?

        If you use Linux as you say it would make more sense for you to use VNC. If you do use RDP as you also say, I would argue you use Windows.

        1. Anonymous Coward
          Anonymous Coward

          @Mad Hacker

          There is actually an RDP server package for linux, I think it's called x11rdp or xrdp (by server package, I mean server side package, so client in x11 terms.) It's pretty useful if you have lots of windows and a couple of linux boxes as it saves you installing an X11 server on your workstation.

        2. Connor

          @Mad Hacker

          Sorry I didn't make that clear, I use RDP from my Linux laptop to control the Windows PCs on the network. I have tried VNC before, but that means installing it on every Windows PC, whereas RDP is built in by default on the Windows Media Center 2005 and Windows 7 PCs that I have, and so is effortless and works really well. FreeRDP is also installed by default on the Linux distribution I use.

          I have had to use VNC on Windows XP Home computers in the past, and it was annoying to set up and wasn't as quick, nor did it look as good as RDP.

  3. Sp1tf1r3
    Go

    No vulnerability...

    A strong password is all that is needed to prevent the attack, RDP is NOT on by default either. The passwords the bot tries are very very simple....

  4. Steve Evans

    Is this the Daily Mail? Don't believe the hype.

    Tut tut El Reg, after reading your story I thought there was a vulnerability in RDP... Lucky I went and checked with the source.

    All this worm does is scan for RDP servers on the default port, and then try a small set of easy passwords on the admin account.

  5. Paul 87

    hmmm

    You know, this sounds like a BOFH tool for catching out the idiots who bypass the password policies

  6. crediblywitless

    Depressing...

    ...that a worm can spread via an admin login using such a pathetic list of passwords. It is tempting to conclude that anyone with unprotected RDP, enabled local Administrator account, and a password for that account that's on that list, deserves what they get. "Why bother?" asks the article. To make the above point, perhaps?

  7. Morteus
    FAIL

    I dunno about that...

    I've done two fresh installs of XP Home ed. in the past month and BOTH of them had RDP enabled by default.

    1. Fuzz

      XP Home has no RDP

      XP Home has a terminal services service which is used when you share your desktop with a "helper" who is fixing your computer. However this isn't vulnerable to the attack here.

      For the attack here to work you have to have enabled remote connections in system properties and you have to be using one of the stupid passwords in the list for your administrator account. You also have to either already have the worm on your network or you have to have the RDP port open to the Internet.

    2. Anonymous Coward
      Anonymous Coward

      Err...

      I was under the impression that XP home didn't have any remote desktop services.

    3. Anonymous Coward
      FAIL

      You're an embarrassment

      XP Home doesn't even have an RDP server let alone enable it by default.

      1. Bod

        Remote Assistance

        XP Home and likewise the Home editions of Win 7 (and I assume Vista) have Remote Assistance. It's RDP but without an open server. You have to specifically go in and make a request for assistance to someone who then gets access (done via Messenger I believe, but underlying protocol is RDP). Somewhat more secure as it's based on a dedicated request and involves a key exchange underneath as I understand it. Can't even attack a temporarily enabled session and guess passwords.

    4. Brian
      WTF?

      RDP not supported on XP home.

      Remote Desktop isn't supported by XP Home edition.

  8. Hollow
    Megaphone

    Until you've worked somewhere..........

    .......that uses "companyname123*" as its default password for all 300 users and will not let them change it, you cannot just write things like this off as "A secure password is all that's needed" lol, because regardless of the fact that may be true, there are thousands upon thousands of desktop machines out there with utter tripe passwords, both corporate and personal, some of which are enforced by the sysadmins themselves!

    1. Elmer Phud
      Boffin

      passwords

      Even 'pa55w0rd' is too difficult for some.

      I got told off for using 'b0l10ck5' - and that was after I had to explain it to my manager, ffs.

      (he took a while over 'phuq0rft' as well).

      1. Jean-Luc
        Facepalm

        @passwords

        Hmmm, are you the same Elmer Phud that, in the RSA thread, was clamoring end users should be summarily executed (after being quartered, tarred & feathered) for opening a phishing email?

        a) Why are you telling us what your passwords look like?

        b) Choosing passwords from a set of profanity lookalikes? You think that is totally original? Would you be willing to bet that no sample of your brilliant wit would be found in a dictionary of 100K (not 30) passwords?

        Paris, cuz, well...

    2. Anonymous Coward
      Anonymous Coward

      Err...

      That's hardly the fault of the software though, is it?

  9. Anonymous Coward
    Anonymous Coward

    Logging

    Can anyone shed some light into how logging works for RDP on Windows 7?

    On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

    In Event Viewer I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational".

    But the entries are only "Listener RDP-Tcp received a connection".

    I would like to know: From where did the connection come from, which username were supplied, etc

    Anyone?

    1. Fuzz

      should be there

      Have a look for event ID 1149 also check the security log for event 4624

      If you have network level authentication enabled then I don't think you are vulnerable to this worm. Also I doubt that a standard install of Vista or 7 is vulnerable because you can't log in as Administrator on those computers.
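The thread above asks what the logs actually show for an RDP password-guessing run and which event IDs to look at. The following PowerShell is an added example for this page, not code from the article or from any commenter. It assumes Security-log auditing of logon events is enabled, so each guess over RDP lands as event 4625 (LogonType 10 for a classic RDP logon, 3 when NLA is in front of it), and it works from the event XML rather than positional fields, which differ across Windows versions. The sample events at the bottom are constructed, not captured from a real machine; the threshold and window values are assumptions.

```powershell
# Added example for this thread, not code from the article or any commenter.
# Assumptions: Security-log auditing of logon events is on, so password guesses
# over RDP show up as event 4625 (LogonType 10, or 3 when NLA is in use); the
# sample events below are constructed, not captured from a real machine.

function ConvertFrom-Event4625Xml {
    # Read the named EventData fields from an event's XML so we never rely on
    # the positional Properties[] layout, which differs between Windows versions.
    param([Parameter(Mandatory)] [string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$doc.Event.System.TimeCreated.SystemTime
        User      = $data['TargetUserName']
        LogonType = [int]$data['LogonType']
        Ip        = $data['IpAddress']
    }
}

function Find-RdpPasswordGuessing {
    # Flag any source address with at least $Threshold failed network/remote
    # logons inside any $WindowMinutes-long window (a sliding window, so a slow
    # guesser spread over an hour is not hidden by a single long time span).
    param(
        [Parameter(Mandatory)] [object[]]$Failures,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    $Failures |
        Where-Object { $_.LogonType -in @(3, 10) -and $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            $times  = @($sorted | ForEach-Object Time)
            $maxInWindow = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                $j = $i
                while ($j -lt $times.Count -and ($times[$j] - $times[$i]).TotalMinutes -le $WindowMinutes) { $j++ }
                if ($j - $i -gt $maxInWindow) { $maxInWindow = $j - $i }
            }
            if ($maxInWindow -ge $Threshold) {
                [pscustomobject]@{
                    Ip           = $_.Name
                    Failures     = $_.Count
                    PeakInWindow = $maxInWindow
                    Users        = (($sorted | ForEach-Object User | Sort-Object -Unique) -join ',')
                    First        = $times[0]
                    Last         = $times[-1]
                }
            }
        }
}

function New-Sample4625Xml {
    # Constructed sample in the shape of a real 4625 record (only the fields used above).
    param([string]$Time, [string]$User, [string]$Ip, [int]$LogonType = 10)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: 12 guesses at "Administrator" from one address in one minute
# (the pattern a short password list produces), plus one genuine typo from a LAN host.
$sample = foreach ($n in 0..11) {
    New-Sample4625Xml -Time ('2011-08-28T10:00:{0:00}Z' -f ($n * 5)) -User 'Administrator' -Ip '198.51.100.23'
}
$sample += New-Sample4625Xml -Time '2011-08-28T10:03:00Z' -User 'alice' -Ip '192.168.1.50' -LogonType 3

$failures = $sample | ForEach-Object { ConvertFrom-Event4625Xml -Xml $_ }
Find-RdpPasswordGuessing -Failures $failures | Format-Table -AutoSize
# On a real host, replace $sample with the live Security log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#       ForEach-Object { ConvertFrom-Event4625Xml -Xml $_.ToXml() }
```

Run against the constructed sample it reports the single external address (12 failures, all against Administrator) and ignores the one LAN typo. The 1149 events Fuzz mentions, in Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, carry the source address of every connection that reached the listener, including ones that never got as far as a logon attempt, so they are the place to look when NLA rejects a client before 4625 is written.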

  10. Anonymous Coward
    Boffin

    Winblows

    "Windows servers and workstations are vulnerable."

    ...so everyone who has stepped out of the dark ages will be fine!

    1. Tchou
      Flame

      You mean...

      ...the 10% of the market who use an OS other than Windows, of which 0.1% are tech savvy, of which 0.1% suckers think of themselves as "so brilliant everyone else is still in the Dark Ages"?

      1. Anonymous Coward
        Anonymous Coward

        wait...

        There's such a thing as a non-tech-savvy Linux user?

  11. Roger 11
    WTF?

    Enabled by default?

    Is it possible that it's enabled by default on XP but not on Vista and Win7? It seems to me that when I do an XP install, I always have to disable it.

  12. Pondule

    @Morteus

    MS say Remote Desktop isn't installable on XP Home and looking on the web the only way to install it on pre-SP3 versions is to hack the registry to fool Windows into believing it's XP Pro which is of course a breach of the EULA. Are you sure it's not just the RDP client that's installed?

  13. b166er

    noobs

    Those knocking Windows for this are a bunch of Hamptons (the planks that drive 4x4's and think they know everything). RDP is off by default (Morteus, perhaps you should slipstream a service pack or three into your source).

    First things first, the Administrator account should be disabled by default (after first creating a new superuser). Secondly, password complexity should be a given. Lastly, RDP should be shut to the outside world, but open to localsubnet and using NLA where appropriate.

    Anyone getting pwned by this deserves it and it'll give us more work when they're outed to be the incompetent buffoons that they are.

    1. John 179

      Deserve?

      Quite a few talking about how sloppy admins 'deserve' to get hacked. That's like saying that an old lady who forgot to close her purse 'deserves' to get robbed.

      Come on guys, let us not forget who is the criminal in all of this.

      Instead of cursing the dark, light a candle.

      1. Anonymous Coward
        Thumb Up

        Bravo for the sentiment.

        Now back to the real world... here in the UK the Police spend their time putting signs up in car parks saying stupid things like "don't advertise to criminals" and "check you locked your doors..."

        Personally I would prefer it if they put up signs saying "Don't Steal".

        So now in this country it's your own fault if you are a victim. And acting on opportunities as they arise is just good business, whether that is taking a phone from the end of a table or registering amywinehousefoundation.com - just business. And they wonder why the kids went looting!!

        those shops shouldn't have left valuables on display!

  14. Morteus
    Coat

    My Bad...

    ... I was thinking of The Remote Assistance - 'nuff said!

  15. Anonymous Coward
    IT Angle

    Remote Registry

    If you have used a sloppy password and the remote registry service is running, you could simply turn RDP back on.
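Several posts in this thread describe the same hardening list from different angles: Vigilante argues for strong passwords, throttling or a non-default port; b166er adds disabling the built-in Administrator, requiring NLA and opening the firewall to the local subnet only; and the Remote Registry post above points out that a guessed password plus that service is enough to switch RDP back on. The following PowerShell is an added example for this page, not code from the article or from any commenter. It audits those settings in one pass and can apply them. It assumes an elevated session on Windows 8 / Server 2012 or later (the NetSecurity and LocalAccounts modules), the standard Terminal Server registry locations, and the hypothetical replacement admin name `ops-admin`.

```powershell
# Added example for this thread, not code from the article or any commenter.
# Audits, and on request fixes, the settings argued over above: whether RDP
# listens at all, whether NLA is required, which addresses the firewall admits,
# whether the built-in Administrator (RID 500) is enabled, and whether Remote
# Registry is running (the service that would let an attacker with a guessed
# password flip RDP back on). Assumptions: elevated session on Windows 8/Server
# 2012 or later; standard Terminal Server registry paths; 'ops-admin' is a
# hypothetical name for the replacement admin account.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts    = Get-ItemProperty -Path $tsKey
    $rdp   = Get-ItemProperty -Path $rdpKey
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    $scope = @($rules | Get-NetFirewallAddressFilter | ForEach-Object RemoteAddress | Sort-Object -Unique)
    # RID 500 identifies the built-in Administrator even after it has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $rreg  = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $rregStatus = 'absent'
    if ($rreg) { $rregStatus = $rreg.Status }

    [pscustomobject]@{
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        NlaRequired         = ($rdp.UserAuthentication -eq 1)
        ListenPort          = $rdp.PortNumber
        FirewallScope       = ($scope -join ',')     # 'Any' means reachable from everywhere
        BuiltinAdminName    = $admin.Name
        BuiltinAdminEnabled = [bool]$admin.Enabled
        RemoteRegistry      = $rregStatus
    }
}

function Set-RdpHardening {
    param(
        [switch]$DisableRdp,                  # the "just turn it off" option from the thread
        [string]$NewAdminName = 'ops-admin'   # hypothetical name for the replacement admin
    )
    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        # NLA: the client must authenticate (CredSSP) before any session is created.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        # Keep the listener, but only for the local subnet; the worm arrives from outside.
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet
    }
    # Lock out after 10 bad guesses, so a 30-entry list never completes.
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    # Retire the built-in Administrator only once another local admin exists.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
        $cred = Get-Credential -UserName $NewAdminName -Message 'Password for the replacement admin'
        New-LocalUser -Name $NewAdminName -Password $cred.Password | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
    }
    Disable-LocalUser -SID $admin.SID
    # Without Remote Registry, fDenyTSConnections cannot be rewritten over the network.
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

Get-RdpExposure | Format-List
# Set-RdpHardening               # keep RDP: NLA + subnet-only + lockout + no RID-500 logon
# Set-RdpHardening -DisableRdp   # or switch it off entirely
```

Two caveats on the cheaper fixes suggested in the thread. Renaming Administrator (jpj's suggestion) defeats a worm that hard-codes the name, but not anything that looks the account up by RID 500, which is why the audit above resolves it by SID; and moving the listener off 3389 avoids a scanner that only probes the default port, but not a sweep of all ports. NLA plus a lockout threshold removes the guessing avenue regardless of name or port.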

  16. b166er

    No John

    Your analogy doesn't stack up.

    It's the admins' fault and they deserve to get pwned.

    The company they're responsible for OTOH, doesn't deserve it (apart from the fact they possibly scrimped on their IT budget and got lamers).

    But the admins deserve red hot pokers mate. In my mind they're 'criminally' incompetent and certainly grossly negligent.

    Your analogy for this example would be, the old lady who hired a bodyguard who was sleeping while she was robbed.

  17. Anonymous Coward
    Facepalm

    "hack" attempts going on for years

    Seen port scans and logon attempts for years. I can't remember how many times I have seen these logon attempts. Good passwords prevent this. Also moving internet accessible servers (stuff like SBS) away from the default port stops this kind of "attack". Anyone who gets hacked by this deserves all they get :)

