
SANS ISC: More RDP Worm Variants? - Internet Security | DShield SANS ISC InfoSec Forums


More RDP Worm Variants?

With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP. Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:\Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port 3389/tcp. So far, the user was not able to identify the process opening the connections.

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.

[1] http://isc.sans.edu/diary.html?storyid=11470

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Jose 2019

Johannes

3580 Posts
ISC Handler
No chance of sharing C&C names/IPs?
DomMcIntyreDeVitto

40 Posts
I'll try again:
Can anyone shed some light on how logging works for RDP on Windows 7?

On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

In Event Viewer I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational".

But the entries are only "Listener RDP-Tcp received a connection".

I would like to know: where did the connection come from, which username was supplied, etc.

Anyone?
Erik

5 Posts
E,
They're in the security log; they're not differentiated by category; they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.
Anonymous
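A worked example of pulling those Security-log logon events out with PowerShell, added here and not code from the diary or from any commenter. It assumes an elevated PowerShell session on the machine accepting RDP; the event IDs and field names (4624/4625, LogonType, TargetUserName, IpAddress) are the standard Windows Security-log ones.

```powershell
# Added example: list Remote Desktop logons recorded in the Windows Security log,
# with the source address and account name the reader asked about.
# Event 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive (Terminal Services / Remote Desktop).
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in the EventData section of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']

        # Keep RemoteInteractive logons. With Network Level Authentication enabled,
        # failed attempts are commonly logged as type 3 (network) because CredSSP
        # authenticates before a session exists, so keep failed type-3 events too
        # and judge them by source address (other network logon failures will appear).
        if ($type -eq 10 -or ($_.Id -eq 4625 -and $type -eq 3)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                LogonType = $type
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIP  = $data['IpAddress']
                Source    = $data['WorkstationName']
            }
        }
    }

# Per-connection view: who logged on, from where, and whether it succeeded.
$events | Sort-Object Time | Format-Table -AutoSize

# Brute-force view: failed attempts grouped by source address. A single source with
# many failures against many account names is the pattern a scanning worm leaves.
$events | Where-Object { $_.EventId -eq 4625 } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```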
The FREE HoneyPoint tool we released for the original version of Morto continues to help folks identify scanning/infected hosts of this variant as well as other RDP exploit tools. Here is a link to more information: http://bit.ly/oGEkPj
Anonymous
