A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via RDP (Remote Desktop Protocol). The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows.

Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003.

“In a new windows 2003 R2 server, I’m noticing every few minutes, svshost.exe [sic] is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it’s clean. Can it be hacked already??? Has anyone seen this before?,” one user asked in Microsoft’s TechNet forum.

On Sunday, the SANS Internet Storm Center reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it’s on a new machine is that it scans the local network for other PCs and servers to infect.

“A few weeks ago a diary posted by Dr. J pointed out a spike in port 3389 traffic. Since then the sources have spiked tenfold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services,” SANS handler Kevin Shortt said in a blog post.

Researchers at F-Secure said that Morto is the first Internet worm to use RDP as an infection vector. Once it is on a new machine and has found another host with RDP exposed, it works through a long list of possible passwords for the RDP service.

“Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port,” F-Secure Chief Research Officer Mikko Hypponen said in a blog post.

“Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt. Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.”

It’s been quite a while since there was a large-scale Internet worm attack. Once upon a time, worms such as Blaster, Code Red and SQL Slammer were all the rage and found success clogging networks with enormous amounts of scanning traffic and other activity. But those kinds of events have become an anachronism as attackers have turned their attention to for-profit attacks.

Categories: Malware, SMB Security, Vulnerabilities

Comments (35)

  1. Anonymous
    2


    “Once it’s on a new machine and has successfully found another PC to
    infect, it starts trying a long list of possible passwords for the RDP
    service.”

    So brute force password guessing is the only infection method?

    There is no serious flaw in the M$ RDP server we need to know about?

    Sounds as if picking passwords like: “$Tr{}||GP@$$^^()rd” and not “strongpassword” will protect your server from this worm.

  2. Anonymous
    6

    How about a link that would actually be useful to the average reader, like a link to remove the infection.

  3. Anonymous
    7

    Wow, everything old is new again.

    An old fashioned brute force attack against networking protocols.

    I expect M$FT will blame the users as usual, rather than admit that they, yet again, left services on that didn’t need to be on.

    2001: IIS Internet Printing

    2011: RDP

    So, Scott Charney: how’re you doing on making things more secure by design? Maybe you need to quit trying to get an Obama cabinet position and actually do your damn job.

    Idiot.

  4. Anonymous
    9

    Also, so many sysadmins leave RDP TCP port 3389 open on the Internet. Usually they get a static public IP address and NAT on the router, without restricting who can connect to it. I blame 50 – 50 M$ and lazy sysadmins.

  5. Anonymous
    10

    Change the listening port here

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    and notify your customers.


  6. Anonymous
    11

    There’s nothing wrong with forwarding port 3389 AS LONG AS YOU HAVE A SECURE PASSWORD. What a bunch of morons. Have secure passwords and be done with it. We learnt this eons ago.

  7. Anonymous
    12

    @jonny

    Perhaps there is some confusion.

    RDP is installed by default, but is not enabled until you actually go to your system properties and select “Allow remote connections…”

    And you’re right, nobody would really waste that much time or anger…

  9. Onlooker
    14

    Firewall settings under the category “exceptions” on a desktop are invariably overlooked or ignored by a lazy and lousy sysadmin, and not turning OFF even these exceptions on their laptops/notebooks during their “otherwise” busy travel schedules would certainly enable other connections to gain access to their machines. So whom to blame: the user, or the developer who constantly strives to update his design for a safe upkeep of the system?

  10. Anonymous
    15

    Wow. RDP is installed by default but 1. not listening for connections and 2. not open in the windows firewall. Turning it on enables both of these.

    MS has nothing to do with your server admin using “123456789” as a password.

  11. NSSi
    16

    @johnny

    You wrote a lot of text for someone who’s wrong and further insulting. RDP access is not allowed by default on a ‘genuine Windows XP install’, period. 

    You wrote a long, erroneous rant. 

    This post is concerning a brute force cracking attempt by a virus against an option that must be enabled by the user. An out of the box Windows XP installation cannot be compromised. 

  12. Cécile
    17

    hello everyone,

    I don’t know anything about what you’re talking about; I’m just trying to protect my PCs.

    So from what I understood (which is not much), if I am infected, there should be an a.dll file somewhere in my PC?

    If I can’t find it, then I am safe? (I did not find any.)

    I know this may sound stupid to you but well… I am not a computer person. I am just looking for an easy way to check if I have this problem. If you can also tell me where I should look to check if the remote desktop control is off on Vista, that would be just great.

    Thanks a lot for your understanding and help

  13. Magnus
    18

    @NSSi

    One thing that I believe everyone should understand: when you buy a PC or notebook from Lenovo, HP, Dell, etc., that is not an out-of-the-box installation and it does in fact have RDP enabled. If you stick the XP or Win 7 DVD/CD into a brand new PC or notebook that doesn’t have an OS installed on it, RDP is not enabled. I think that is a big concern, as well as a lazy sysadmin that doesn’t enforce or use strong passwords.

  14. Anonymous
    19

    @Jonny – You must be a physician because they are the only people I know arrogant enough to bring their “God Complex” into an IT technical forum. 140 installs? Really? Is that supposed to be impressive? Go to school for a few years, build yourself an IT lab and practice crashing it and bringing it back to the point of crash in an hour or two at least 140 times and then come back and teach your “grandparents” how to suck eggs…

  15. Anonymous
    20

    New Virus Spreading! It infects your computer when you share your SYSTEM directory with everyone group! lol@thisvirus and shame on any admin whose systems get infected.

    Now my only worry is whether it is smart enough to use cached AD credentials and use them against other machines in a domain. My systems won’t be brute forced, but if a day0 IE crack gets root on a machine and installs this, is it smart enough to propagate through RDP to other machines?

    Sounds like another tool for building a more destructive threat.

  16. Silence262
    21

    In a completely clean Windows XP installation, Remote Assistance (which uses the RDP protocol) is enabled by default. Remote Desktop is not.

    I have done somewhat more than the required 140 installations of Windows XP.

     

    Silence

    “Knowledge, sir, should be free to all.” – Harry Mudd

  17. Anonymous
    24

    This is really nothing new…there have been tools to do this for years. Thor made one of the first, someone just made a good password file.

    OMG teh skY is FAlling!!11!

  18. Darrin
    25

    I noticed this brute force attack last week. I just closed the port to save the resources. My password is strong so I had no worries there but many don’t have strong passwords. Perhaps this will be a lesson to the lazy admins out there.

  19. Anonymous
    27

    Sorry bro, you’re clueless.

    How is that wrong? You tell the “server” you’re connected to to connect to your (or an infected slave’s) \\tsclient\c and copy \\tsclient\c\some_file.ext to the “server.”

  20. Anonymous
    28

    RDP was never turned on by default. Get your facts right. So yes, in this case MS is right to blame the users for using weak passwords.

    “letmein”? Yah, serves them right.

  21. jonny
    29

    “RDP was never turned on by default. Get your facts right. So yes, in
    this case MS is right to blame the users for using weak passwords”

    For 8 months, every Genuine Windows installation I’ve attempted has had RDP switched on by default.

    I’ve installed Windows XP, all variants of 7, WS2008, WS2011 (same thing?) – maybe 140 times all up. Every single one except the Windows Server installs had RDP turned on by default. I’ve installed onto zero-filled systems, with all electronics in my apartment unplugged / powered down, I’ve installed onto multiple brand new systems inside the stores where they were purchased with only FreeDOS OS underneath, once I worked out my smart phone was too smart for me and had thousands of autorun looped processes running non-stop (HTC Desire HD), I got rid of it and have tried again hooking up Intel ATOM processors with Intel SSDs (out of the box, inside the stores) and installed Genuine Windows 7. RDP was activated by default, and it wasn’t the most concerning aspect (by a long way). I have some ‘experience’ in knowing what to look for, and hidden RAS functionality, hidden miniports, hidden WinMail executables, hidden Word/Excel macros, hidden IE4 “Active Setup” temp files generally have me horrified before I ever get around to caring about RDP being activated by default along with 200 default Windows firewall rules all set to Allow and active 40 min before I get a chance to even SET a password.

    Obviously I’ve tried Linux distributions which are corrupted during install (of course, just like Windows is, but then Windows doesn’t show the user the installation process – so I can’t see virtual Bluetooth / RF drivers being installed anywhere from 1-50 mins into Windows installation – but they are there long before Windows checks my “video performance”, sets up my desktop “for the first time” and warns me about getting some anti-virus protection from a Microsoft partner, for my already-infected 1-hour-old new system – and it’s hidden subsystems which redefine “persistence” as I’m yet to find any utility or method which can delete 500,000 hidden files which are installed by Genuine Windows.

    Yeah obviously I hardly know squat about this stuff, as it’s not all that fascinating (no offence) – but it’s pretty offensive when 8 months of experts I hire all know less than I do and idiotically say everything is fine and normal. Lately, I’ve been wondering about whether they’re not, in fact, telling the truth – at least in regards to the latter. As to the former? Well I’m learning about Xen now, after hearing about it for the first time via one of my systems which has it installed – maybe things will be “fine” one day again. But Mr ‘Defaults’ Expert Microsoft Volunteer, cease and desist with the brazen lying. Even Microsoft can’t agree with their own employees on defaults for Win7 system environmental variables or something as ridiculous as which .NET Frameworks are ‘native’ to the OS. I personally think Aaron Stebner’s ad hoc utilities shouldn’t be the FINAL SOLUTION for removing rogue .NET (who cares what is native, when native is malicious) from Windows as they remove nothing / zero / zilch (not even the thousands of registry entries and files they were..N’T able touch) but then I think a lot of things.

    Lately I’ve been thinking about how people who prevent me from doing stuff like deleting .NET Frameworks – “for my benefit” – need to be introduced to a friendly guillotine. If I mistakenly delete .NET when I don’t need it, the next utility that does will install it for me. I will be ‘devastated’, for 50 seconds of download time. But Microsoft is looking out for me. So no go. I must endure the vile.

    But right now, I’m thinking speed-reading sucks fml, and that you should zip your face, about pretending to have a clue when spreading disinformation. Fake names > Anonymous. No one except perhaps me, is stupid enough to waste this much time replying to Anonymous.

  22. Anonymous
    32

    @jonny

    You’re doing it wrong. Paranoia and a little knowledge of Windows does not an INFOSEC pro make. And yes, I said little. You seem to have skipped the basics of security, my friend…

  23. Randy Grein
    33

    Nothing you need worry about. Although Apple has its own vulnerabilities, this is not one of them.

     

    RDP – Remote Desktop Protocol, used by Windows computers for remote access/control.

    Trying to be helpful (newbies should always ask questions!) google is your friend, even when an acronym comes up you don’t know. Develop the habit of checking there first, then ask if it’s not clear.

  24. Tyler Regas
    34

    He may work at some school’s IT dept. and they use prefab images to install. I’ve worked for years in enterprise and we do the same thing. If this is the only way he knows how to install Windows, he may assume that’s correct. 

    For the record, RDP is off by default in all versions of Windows. I’ve forgotten to turn it on and/or open the port in Windows Firewall and/or disable Windows Firewall enough times to know without question.

  25. Anonymous
    35

    I stopped reading when you said that Windows 7 comes with RDP switched ON by default. Clearly you are misleading. Please rethink what you posted.
