Geekzone: technology news, blogs, forums
BDFL - Memuneh
Topic # 89233 29-Aug-2011 10:29
It appears a new worm is going around, connecting via RDP and exploiting Administrator accounts with low security passwords. Details at the F-Secure blog.


Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.
 

Idiots who use "admin", "password" and "1111" as passwords...
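The F-Secure description quoted above gives a defender three concrete things to look for: one source sweeping tcp/3389 across the subnet, a burst of failed Administrator logons over RDP from that same source, and the dropped files. The script below is an added example, not code from this thread or from F-Secure; the log formats and every log line in it are constructed, and only the port, the file names and the account name come from the quoted write-up.

```python
"""Spot the Morto behaviour described above in ordinary logs.

Added example, not code from the Geekzone thread or from F-Secure. The log
formats and every log line below are constructed for illustration; only the
port, the file names and the Administrator account name come from the write-up
quoted above.
"""
import re
from collections import defaultdict
from datetime import datetime

RDP_PORT = "3389"
# File indicators taken from the F-Secure description quoted above.
MORTO_FILE_INDICATORS = (r"\windows\system32\sens32.dll",
                         r"\windows\offline web pages\cache.txt")

# Constructed firewall/NetFlow-style lines: timestamp src dst dport proto.
# 192.168.1.50 sweeps six hosts on 3389; 192.168.1.77 is normal traffic.
FIREWALL_LOG = """\
2011-08-29T10:01:02 192.168.1.50 192.168.1.10 3389 TCP
2011-08-29T10:01:02 192.168.1.50 192.168.1.11 3389 TCP
2011-08-29T10:01:03 192.168.1.50 192.168.1.12 3389 TCP
2011-08-29T10:01:03 192.168.1.50 192.168.1.13 3389 TCP
2011-08-29T10:01:04 192.168.1.50 192.168.1.14 3389 TCP
2011-08-29T10:01:04 192.168.1.50 192.168.1.15 3389 TCP
2011-08-29T10:02:10 192.168.1.77 192.168.1.10 3389 TCP
2011-08-29T10:02:11 192.168.1.77 192.168.1.20 445 TCP
"""

# Constructed, flattened Windows logon-failure records. Event ID 4625 with
# LogonType 10 (RemoteInteractive) is a failed RDP logon. Twelve Administrator
# failures from one source inside 33 seconds, two for another user, one console.
LOGON_LOG = "\n".join(
    [f"2011-08-29T10:05:{s:02d} EventID=4625 TargetUserName=Administrator "
     f"LogonType=10 IpAddress=192.168.1.50" for s in range(0, 36, 3)]
    + ["2011-08-29T10:06:10 EventID=4625 TargetUserName=bob LogonType=10 IpAddress=192.168.1.77",
       "2011-08-29T10:06:12 EventID=4625 TargetUserName=bob LogonType=10 IpAddress=192.168.1.77",
       "2011-08-29T10:07:00 EventID=4625 TargetUserName=Administrator LogonType=2 IpAddress=-"])

LOGON_RE = re.compile(
    r"^(\S+) EventID=4625 TargetUserName=(\S+) LogonType=(\d+) IpAddress=(\S+)$")


def find_rdp_scanners(log_text, min_targets=5):
    """Sources that opened tcp/3389 to at least min_targets distinct hosts.

    Morto sweeps the local network for RDP listeners, so one source touching
    3389 on many hosts is the signal. Returns {src: {dst, ...}}.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line
        _ts, src, dst, dport, proto = fields
        if proto == "TCP" and dport == RDP_PORT:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_admin_bruteforce(log_text, threshold=10, window_seconds=60):
    """Sources with >= threshold failed RDP logons as Administrator in one window.

    Returns {ip: peak failures inside any window_seconds span}. Other accounts
    and non-RDP logon types are ignored, so a mistyped console password is not flagged.
    """
    times_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts, user, logon_type, ip = m.groups()
        if user.lower() == "administrator" and logon_type == "10":
            times_by_ip[ip].append(datetime.fromisoformat(ts))
    hits = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def find_indicator_files(observed_paths):
    """Observed paths (any drive letter, any case) matching the Morto file indicators."""
    return sorted(p for p in observed_paths
                  if any(p.lower().endswith(ind) for ind in MORTO_FILE_INDICATORS))


if __name__ == "__main__":
    print("RDP scanners:", find_rdp_scanners(FIREWALL_LOG))
    print("Administrator brute force:", find_admin_bruteforce(LOGON_LOG))
    print("Indicator files:", find_indicator_files(
        [r"C:\Windows\System32\sens32.dll", r"C:\Windows\System32\kernel32.dll"]))
```

In practice the firewall lines would come from NetFlow or the perimeter device and the logon records from the Security event log (Event ID 4625, LogonType 10); the thresholds are starting points to tune against normal helpdesk traffic, and the sliding window is what keeps a slow trickle of genuine typos from firing the alert.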
 




Reply # 513422 29-Aug-2011 12:54

Thanks for the headsup!

Hey, people will still use less secure passwords for ease of entry.




The little things make the biggest difference.

Reply # 513428 29-Aug-2011 13:08

If your password is 'letmein', then you are asking for it.



BDFL - Memuneh
Reply # 513430 29-Aug-2011 13:10

Reply # 513431 29-Aug-2011 13:11

Stronger passwords don't have to be hard to remember to be secure!

http://xkcd.com/936/

gjm
Reply # 513463 29-Aug-2011 13:45

Is this spreading any other way apart from having to have 3389 open on the internet?




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]



BDFL - Memuneh
Reply # 513464 29-Aug-2011 13:50

It seems it's the only way. Again, it's not a vulnerability on the service, but Administrators with weak passwords. So you could even keep ports open, providing your admins use decent strong passwords.





Reply # 513468 29-Aug-2011 14:00

Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.



Reply # 513556 29-Aug-2011 17:17

It's the opposite of "double happy pleasure" :P

Infrastructure Geek
Reply # 513656 29-Aug-2011 20:49

Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


Reply # 513663 29-Aug-2011 21:03

Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?


+1





Do whatever you want to do man.

  

Reply # 513674 29-Aug-2011 21:27

Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?

It limits your threat horizon to only (trusted) devices which can attach to the VPN, which in turn limits your exposure to any remotely exploitable bugs in RDP or users with bad or compromised passwords.

Oh, and of course it stops people brute-forcing accounts and locking them.

Infrastructure Geek
Reply # 513685 29-Aug-2011 21:41

PenultimateHop:
Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?

It limits your threat horizon to only (trusted) devices which can attach to the VPN, which in turn limits your exposure to any remotely exploitable bugs in RDP or users with bad or compromised passwords.

Oh, and of course it stops people brute-forcing accounts and locking them.


You can use client certificates for RDP, and you can limit source connections by IP if you have a decent firewall; both of those reduce the potential for attack. Client certificates can ensure only trusted devices are allowed to RDP whilst leaving the IP source open.

Your user account is just as susceptible to brute-force lockouts when a VPN is attacked... unless you use a different set of credentials for the VPN. Again, client certificates and IP lockouts can prevent this, but not really any different to RDP.

Even if you don't secure RDP to the extent available, if you take the recommended steps and rename the Windows Administrator user to something nonstandard and only have a limited number of users who are able to log on via RDP, then you're much less likely to get attacked and/or locked out.






Reply # 513693 29-Aug-2011 21:49

Regs: You can use client certificates for RDP, and you can limit source connections by IP if you have a decent firewall; both of those reduce the potential for attack. Client certificates can ensure only trusted devices are allowed to RDP whilst leaving the IP source open.

Your user account is just as susceptible to brute-force lockouts when a VPN is attacked... unless you use a different set of credentials for the VPN. Again, client certificates and IP lockouts can prevent this, but not really any different to RDP.

Even if you don't secure RDP to the extent available, if you take the recommended steps and rename the Windows Administrator user to something nonstandard and only have a limited number of users who are able to log on via RDP, then you're much less likely to get attacked and/or locked out.

Yes, using a firewall is reasonable, although potentially somewhat less flexible since you have to know your source addresses in advance. I'm not familiar with client certificates but a quick skimread indicates it only works on Server platforms, so anyone RDPing to a non-Server OS is in trouble; and additionally they only add value around the authentication phase (and accordingly, the account lockout issue). They do not add value to protect against exploits in the protocol itself.

VPN account lockouts are somewhat more manageable given the use of both PSKs (or PKI) as well as user authentication.

My preference has been for many years to use VPNs for originating management traffic to constrain source IPs for management, mostly to avoid dealing with the immediate issues present when OpenSSH develops yet another remotely exploitable bug. This approach (for me) has yielded many benefits with minimal drawbacks.

Infrastructure Geek
Reply # 513703 29-Aug-2011 22:09

The RDP protocol itself has not, to my knowledge, had any breaches that have enabled anyone to gain access without a valid username/password.

You can use two-factor authentication with smartcard + username & password with RDP, which is built into Windows. You also have the ability to install 3rd-party two-factor auth products onto the 'server'(*) such as RSA SecurID, a USB key solution, or an SMS-based one-time code.

(*) Some two-factor solutions also work on XP/Vista/7 as well as on the Windows Server platform.




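Taken together, the two Infrastructure Geek replies above (# 513685 and # 513703) list a small set of controls: restrict which source addresses can reach RDP, rename the built-in Administrator account, keep the list of RDP-capable users short, and require a smartcard or another second factor. The following is an added example, not the thread's code or any vendor's tooling, that turns those four points into an audit over constructed configuration; the firewall rules and host settings are dictionaries whose key names are this example's own, and a real audit would read them from the firewall and from Windows.

```python
"""Audit a host's RDP exposure against the controls discussed in the thread.

Added example, not the thread's code or any vendor's tooling. The firewall
rules and host settings below are constructed dictionaries whose key names are
this example's own; a real audit would read them from the firewall and from
Windows rather than from literals.
"""
import ipaddress

# Constructed firewall rule sets: which source networks may reach tcp/3389.
RULES_EXPOSED = [
    {"action": "allow", "proto": "tcp", "dport": 3389, "src": "0.0.0.0/0"},
]
RULES_RESTRICTED = [
    {"action": "allow", "proto": "tcp", "dport": 3389, "src": "10.8.0.0/24"},      # VPN client pool
    {"action": "allow", "proto": "tcp", "dport": 3389, "src": "203.0.113.10/32"},  # one known admin address
    {"action": "allow", "proto": "tcp", "dport": 443, "src": "0.0.0.0/0"},         # unrelated service
]

# Constructed host settings (hypothetical key names).
HOST_DEFAULT = {
    "rdp_enabled": True,
    "builtin_admin_name": "Administrator",
    "rdp_allowed_users": ["alice", "bob", "carol", "dave", "erin", "frank"],
    "smartcard_required": False,
}
HOST_HARDENED = {
    "rdp_enabled": True,
    "builtin_admin_name": "ops-break-glass",  # built-in account renamed
    "rdp_allowed_users": ["alice", "bob"],
    "smartcard_required": True,
}


def rdp_source_networks(rules):
    """Source networks the firewall allows to reach tcp/3389."""
    return [ipaddress.ip_network(rule["src"])
            for rule in rules
            if rule["action"] == "allow" and rule["proto"] == "tcp" and rule["dport"] == 3389]


def audit_rdp_exposure(host, rules, max_rdp_users=3):
    """Return findings as short strings; an empty list means every check passed."""
    findings = []
    if not host["rdp_enabled"]:
        return findings  # nothing listening, nothing to audit
    nets = rdp_source_networks(rules)
    if any(net.prefixlen == 0 for net in nets):
        findings.append("tcp/3389 is reachable from any source; limit it to the VPN "
                        "client pool or to known admin addresses")
    if host["builtin_admin_name"].lower() == "administrator":
        findings.append("built-in Administrator account still has its default name, "
                        "the one the worm tries")
    if len(host["rdp_allowed_users"]) > max_rdp_users:
        findings.append(f"{len(host['rdp_allowed_users'])} accounts may log on via RDP; "
                        f"keep that to the few who need it (limit {max_rdp_users})")
    if not host["smartcard_required"]:
        findings.append("password-only RDP logon; a smartcard or other second factor "
                        "blunts password guessing")
    return findings


if __name__ == "__main__":
    for label, host, rules in (("default", HOST_DEFAULT, RULES_EXPOSED),
                               ("hardened", HOST_HARDENED, RULES_RESTRICTED)):
        print(label, audit_rdp_exposure(host, rules) or ["no findings"])
```

The checks are independent on purpose: a host can pass the account and second-factor checks and still fail on exposure, which is the case the thread is really about, since Morto needs nothing more than a reachable tcp/3389 and a guessable Administrator password.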

