Means "dead" in Portuguese and Italian, hopefully it has nothing to do with the payload...
It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable …
The way to stop your PC being infected is to disable RDP, which will stop the attack. The problem is that RDP is enabled by default in Windows (why?) and many non-technological people don't realise that it is even turned on (or that it even exists).
Um, no it's not enabled by default. You need to manually enable it or it's set via a GPO. In addition firewalls will obviously stop it.
However, if you read the article on F-Secure you'll realise that it tries to log on as "Administrator" and guesses from a password list of 30 (admin, letmein, 12345, password etc.). For a start, they (or the vast majority) won't work on Windows 2008 as it enforces the default admin to have a "complex" password.
So you'll need a Windows 2000/2003 Server or Windows 2000/XP machine with no hardware firewall (or have port 3389 open) where the admin has a shit password and has manually enabled Remote Desktop.
Fuck em - if this catches these 'admins' out then they deserve it
Access enabling services, enabled by default. Then subverted...
Some people (yes, Microsoft, I'm looking at you!) never learn... Even after numerous "warnings"...
Obvious icon ^_^
Why? I think you answered your own question: The people who would most likely need Remote help are most probably the ones least likely to be able to follow instructions on how to turn on RDP.
Sad but true. (7yrs on help-desk makes you believe the worst of the end user)
Remote Desktop is NEVER enabled by default, and never has been.
On client versions of Windows you have to go to System Properties > Remote > Enable Remote Access (and then it forces you to make sure your password is secure, meeting the Server 2008 password guidelines).
On server versions, it must be enabled via server manager. Note that some automated server 2008 R2 installs are configured to have it enabled by default, but this requires whoever runs the install to roll their own system image - by no means "standard".
One thing this article fails to mention is whether this is actually a bug/vulnerability in RDP (which I seriously doubt) or whether it is a case of one machine getting exploited (by having weak passwords) and then that machine exploiting others by brute-forcing RDP. Both cases can be easily mitigated by having secure passwords, throttling, or better yet, changing the RDP port.
Not to rain on a good rant, but RDP is NOT enabled by default.
While turning off unnecessary services is always a good idea to reduce your exposure to attack, and I certainly encourage anybody who doesn't need it to turn it off, another way to prevent your machines from being infected by this worm is to be current in your patches. This particular hole was patched in MS11-065, which was released weeks ago.
RDP is disabled by default
I dunno about XP SP3, but XP SP2 and earlier have RPC enabled by default.
Why? What are we men, or mice? I use RDP all the time to access the computers on my home network, some of which haven't got monitors anymore. I am not going to turn that off because of some worm.
Besides it doesn't sound like RDP itself is at fault, but rather weak passwords are the way that it gains access. So anyone with half a brain should be safe anyway right?
Besides, I use Linux.
If you use Linux as you say it would make more sense for you to use VNC. If you do use RDP as you also say, I would argue you use Windows.
RPC is indeed enabled by default, but the vector is RDP, which is disabled by default. :-P
There is actually an RDP server package for Linux, I think it's called x11rdp or xrdp (by server package, I mean server-side package, so client in X11 terms). It's pretty useful if you have lots of Windows and a couple of Linux boxes as it saves you installing an X11 server on your workstation.
RPC = Remote Procedure Call service
RDP = Remote Desktop Protocol service
Research done for you, Genius
Sorry I didn't make that clear, I use RDP from my Linux laptop to control the Windows PCs on the network. I have tried VNC before, but that means installing it on every Windows PC, whereas RDP is built in by default on the Windows Media Center 2005 and Windows 7 PCs that I have, and so is effortless and works really well. FreeRDP is also installed by default on the Linux distribution I use.
I have had to use VNC on Windows XP Home computers in the past, and it was annoying to set up and wasn't as quick, nor did it look as good as RDP.
At least if the admins are home users.
Anyway, I'd add this to the list of things to do to prevent attacks like these:
- Rename the Administrator account.
"I dunno about XP SP3."
Ironic that. Not to mention the rpc<>rdp fail.
A strong password is all that is needed to prevent the attack, RDP is NOT on by default either. The passwords the bot tries are very very simple....
Tut tut El Reg, after reading your story I thought there was a vulnerability in RDP... Lucky I went and checked with the source.
All this worm does is scan for RDP servers on the default port, and then try a small set of easy passwords on the admin account.
You know, this sounds like a BOFH tool for catching out the idiots who bypass the password policies
...that a worm can spread via an admin login using such a pathetic list of passwords. It is tempting to conclude that anyone with unprotected RDP, enabled local Administrator account, and a password for that account that's on that list, deserves what they get. "Why bother?" asks the article. To make the above point, perhaps?
I've done two fresh installs of XP Home Ed. in the past month and BOTH of them had RDP enabled by default.
XP Home has a terminal services service which is used when you share your desktop with a "helper" who is fixing your computer. However this isn't vulnerable to the attack here.
For the attack here to work you have to have enabled remote connections in System Properties and you have to be using one of the stupid passwords in the list for your Administrator account. You also have to either already have the worm on your network or you have to have the RDP port open to the Internet.
I was under the impression that XP home didn't have any remote desktop services.
Remote Desktop isn't supported by XP Home edition.
XP Home doesn't even have an RDP server let alone enable it by default.
XP Home and likewise the Home editions of Win 7 (and I assume Vista) have Remote Assistance. It's RDP but without an open server. You have to specifically go in and make a request for assistance to someone who then gets access (done via Messenger I believe, but underlying protocol is RDP). Somewhat more secure as it's based on a dedicated request and involves a key exchange underneath as I understand it. Can't even attack a temporarily enabled session and guess passwords.
.......that uses "companyname123*" as its default password for all 300 users and will not let them change it, you cannot just write things like this off as "A secure password is all that's needed" lol, because regardless of the fact that may be true, there are thousands upon thousands of desktop machines out there with utter tripe passwords, both corporate and personal, with crap passwords, some of which are enforced by the sysadmins themselves!
Even 'pa55w0rd' is too difficult for some.
I got told off for using 'b0l10ck5' - and that was after I had to explain it to my manager, ffs.
(he took a while over 'phuq0rft' as well).
That's hardly the fault of the software though, is it?
Hmmm, are you the same Elmer Phud that, in the RSA thread, was clamoring end users should be summarily executed (after being quartered, tarred & feathered) for opening a phishing email?
a) Why are you telling us what your passwords look like?
b) Choosing passwords from a set of profanity lookalikes? You think that is totally original? Would you be willing to bet that no sample of your brilliant wit would be found in a dictionary of 100K (not 30) passwords?
Paris, cuz, well...
Can anyone shed some light into how logging works for RDP on Windows 7?
On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.
In Event Viewer I can find entries under "Applications and Services Logs - Microsoft - Windows - TerminalServices-RemoteConnectionManager - Operational".
But the entries are only "Listener RDP-Tcp received a connection".
I would like to know: where did the connection come from, which username was supplied, etc.
Have a look for event ID 1149; also check the Security log for event 4624.
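To act on the event IDs named above, here is an added example (not from any commenter) that runs simple password-guessing detection over constructed Security-log records of the kind the worm would leave; the record layout, the logon types, the IP addresses and the threshold are assumptions for this example.

```python
# Added example: flag bursts of RDP logon failures against one account from
# one source, the pattern a 30-password guessing worm leaves in the Security
# log. Records are constructed for this example and mirror the fields of
# Windows events 4624 (logon success) and 4625 (logon failure).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (event id, time, account, source ip, logon type).
# Logon type 10 = RemoteInteractive (RDP); NLA-rejected attempts are usually
# logged as type 3 (Network), so both are considered.
SAMPLE_EVENTS = [
    (4625, "2011-08-28 10:00:01", "Administrator", "203.0.113.7", 10),
    (4625, "2011-08-28 10:00:03", "Administrator", "203.0.113.7", 10),
    (4625, "2011-08-28 10:00:05", "Administrator", "203.0.113.7", 10),
    (4625, "2011-08-28 10:00:07", "Administrator", "203.0.113.7", 10),
    (4625, "2011-08-28 10:00:09", "Administrator", "203.0.113.7", 10),
    (4624, "2011-08-28 10:00:11", "Administrator", "203.0.113.7", 10),
    (4625, "2011-08-28 10:05:00", "alice", "192.168.1.20", 10),
    (4624, "2011-08-28 10:05:30", "alice", "192.168.1.20", 10),
]

FAIL_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=2)


def find_rdp_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: (failures_in_window, followed_by_success)} for
    every source that reaches `threshold` RDP logon failures inside `window`.
    A success from a flagged source afterwards means a guess worked."""
    fails = defaultdict(list)   # ip -> failure timestamps still in window
    alerts = {}
    for event_id, ts, user, ip, logon_type in sorted(events, key=lambda e: e[1]):
        if logon_type not in (3, 10):       # only network / RDP logons
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            fails[ip] = [t for t in fails[ip] if when - t <= window] + [when]
            if len(fails[ip]) >= threshold and ip not in alerts:
                alerts[ip] = (len(fails[ip]), False)
        elif event_id == 4624 and ip in alerts:
            count, _ = alerts[ip]
            alerts[ip] = (count, True)     # worst case: the password fell
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in find_rdp_guessing(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failures in window, success after: {success}")
```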
If you have network level authentication enabled then I don't think you are vulnerable to this worm. Also I doubt that a standard install of Vista or 7 is vulnerable because you can't log in as Administrator on those computers.
"Windows servers and workstations are vulnerable."
...so everyone who has stepped out of the dark ages will be fine!
...the 10% of the market who use another OS than Windows, of which 0.1% are tech savvy, of which 0.1% suckers think of themselves as "so brilliant everyone else is still in the Dark Ages"?
There's such a thing as a non-tech-savvy Linux user?
Is it possible that it's enabled by default on XP but not on Vista and Win7? It seems to me that when I do an XP install, I always have to disable it.
MS say Remote Desktop isn't installable on XP Home and looking on the web the only way to install it on pre-SP3 versions is to hack the registry to fool Windows into believing it's XP Pro which is of course a breach of the EULA. Are you sure it's not just the RDP client that's installed?
Those knocking Windows for this are a bunch of Hamptons (the planks that drive 4x4's and think they know everything). RDP is off by default (Morteus, perhaps you should slipstream a service pack or three into your source).
First things first, the Administrator account should be disabled by default (after first creating a new superuser). Secondly, password complexity should be a given. Lastly, RDP should be shut to the outside world, but open to the local subnet and using NLA where appropriate.
Anyone getting pwned by this deserves it and it'll give us more work when they're outed to be the incompetent buffoons that they are.
Quite a few talking about how sloppy admins 'deserve' to get hacked. That's like saying that an old lady who forgot to close her purse 'deserves' to get robbed.
Come on guys, let us not forget who is the criminal in all of this.
Instead of cursing the dark, light a candle.
Now back to the real world.. here in the UK the Police spend their time putting signs up in car parks saying stupid things like "don't advertise to criminals" and "check you locked your doors.."
Personally I would prefer it if they put up signs saying "Don't Steal".
So now in this country it's your own fault if you are a victim. And that acting on opportunities as they arise is just good business. whether that is taking a phone from the end of a table.. or registering amywinehousefoundation.com - Just business, and they wonder why the kids went looting!!
those shops shouldn't have left valuables on display!
... I was thinking of The Remote Assistance - 'nuff said!
If you have used a sloppy password and the Remote Registry service is running, you could simply turn RDP back on.
Your analogy doesn't stack up.
It's the admins' fault and they deserve to get pwned.
The company they're responsible for OTOH, doesn't deserve it (apart from the fact they possibly scrimped on their IT budget and got lamers).
But the admins deserve red hot pokers mate. In my mind they're 'criminally' incompetent and certainly grossly negligent.
Your analogy for this example would be, the old lady who hired a bodyguard who was sleeping while she was robbed.
Seen port scans and logon attempts for years. I can't remember how many times I have seen these logon attempts. Good passwords prevent this. Also moving internet-accessible servers (stuff like SBS) away from the default port stops this kind of "attack". Anyone who gets hacked by this deserves all they get :)