Geekzone: technology news, blogs, forums


BDFL - Memuneh
61205 posts

Uber Geek
+1 received by user: 11982

Administrator
Trusted
Geekzone
Lifetime subscriber

Topic # 89233 29-Aug-2011 10:29

It appears a new worm is going around, connecting via RDP and exploiting Administrator accounts with low security passwords. Details at the F-Secure blog.


Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net
 

Idiots who use "admin", "password" and "1111" as password... 
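A defender-side detection for the two behaviours described above, the Administrator password guessing over RDP and the post-infection sweep of 3389/TCP, written as an added example that is not part of the Geekzone thread or the F-Secure write-up. It assumes a flat key=value export of Windows Security events and a simple connection-record format, both constructed here; event ID 4625 and logon type 10 are the real Windows values for a failed logon and a RemoteInteractive (RDP) logon, while the thresholds, timestamps and addresses are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records in a flat key=value export
# (not the native Windows event XML). EventID 4625 is a failed logon and
# LogonType 10 is RemoteInteractive, i.e. a logon attempted over RDP.
# 10.0.0.23 guesses Administrator six times in five seconds (Morto-like),
# 10.0.0.77 fails five times but two minutes apart, 10.0.0.40 fails twice,
# and the last line is a network (type 3) logon that is not RDP at all.
FAILED_LOGONS = """\
2011-08-29T09:00:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.77
2011-08-29T09:02:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.77
2011-08-29T09:04:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.77
2011-08-29T09:06:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.77
2011-08-29T09:08:00 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.77
2011-08-29T10:01:02 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:01:03 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:01:04 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:01:05 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:01:06 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:01:07 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T10:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.40
2011-08-29T10:05:30 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.40
2011-08-29T11:30:00 EventID=4625 LogonType=3 TargetUser=Administrator SourceIP=10.0.0.23
"""

# Constructed connection records (time, source, destination, destination port).
# 10.0.0.23 sweeps twelve hosts on 3389/TCP in twelve seconds; 10.0.0.5 is an
# admin workstation reconnecting to two servers and browsing many web hosts.
BASE = datetime(2011, 8, 29, 10, 0, 0)
FLOWS = (
    [(BASE + timedelta(seconds=i), "10.0.0.23", f"10.0.0.{100 + i}", 3389) for i in range(12)]
    + [(BASE + timedelta(minutes=i), "10.0.0.5", f"10.0.0.{200 + i % 2}", 3389) for i in range(6)]
    + [(BASE + timedelta(seconds=i), "10.0.0.5", f"10.0.0.{50 + i}", 80) for i in range(15)]
)


def parse_logon_events(text):
    """Parse the key=value export into dicts with a datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(stamp)
        events.append(rec)
    return events


def bursts(keyed_times, threshold, window):
    """Return the keys that have at least `threshold` timestamps inside some
    span of length `window` (a sliding-window count per key)."""
    hits = set()
    for key, times in keyed_times.items():
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits


def rdp_bruteforce_sources(events, threshold=5, window_seconds=60):
    """(source IP, account) pairs with a burst of failed RDP logons."""
    keyed = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625" and e.get("LogonType") == "10":
            keyed[(e["SourceIP"], e["TargetUser"])].append(e["time"])
    return bursts(keyed, threshold, timedelta(seconds=window_seconds))


def rdp_scanners(flows, threshold=10, window_seconds=30):
    """Sources that contact at least `threshold` distinct hosts on 3389/TCP
    within the window; repeated sessions to the same server do not count."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 3389:
            by_src[src].append((t, dst))
    hits = set()
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            dsts = {d for t, d in items[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits.add(src)
                break
    return hits


if __name__ == "__main__":
    events = parse_logon_events(FAILED_LOGONS)
    print("RDP brute-force:", rdp_bruteforce_sources(events))
    print("RDP scanners:", rdp_scanners(FLOWS))
```

The logon detector keys on (source, account) rather than source alone so that a worm hammering one account stands out from a busy jump host, and the scan detector counts distinct destinations rather than raw connection volume so that an administrator reconnecting to the same two servers all morning is not flagged. Both thresholds are deliberately small for the sample data; a real deployment would tune them against baseline traffic.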
 




626 posts

Ultimate Geek
+1 received by user: 46

Trusted

  Reply # 513422 29-Aug-2011 12:54

Thanks for the heads-up!

Hey, people will still use less secure passwords for ease of entry.




The little things make the biggest difference.

1998 posts

Uber Geek
+1 received by user: 331

Trusted

  Reply # 513428 29-Aug-2011 13:08

If your password is 'letmein', then you are asking for it.



BDFL - Memuneh
61205 posts

Uber Geek
+1 received by user: 11982

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 513430 29-Aug-2011 13:10

A weaker password is not for "ease of entry", it is just lazy. This is one instance where no one can blame the OS for stupidity.






8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 513431 29-Aug-2011 13:11

Stronger passwords don't have to be hard to remember to be secure!

http://xkcd.com/936/

gjm

747 posts

Ultimate Geek
+1 received by user: 91


  Reply # 513463 29-Aug-2011 13:45

Is this spreading any other way apart from having to have 3389 open on the internet?




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]



BDFL - Memuneh
61205 posts

Uber Geek
+1 received by user: 11982

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 513464 29-Aug-2011 13:50

It seems it's the only way. Again, it's not a vulnerability in the service, but Administrators with weak passwords. So you could even keep ports open, provided your admins use decent, strong passwords.





8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 513468 29-Aug-2011 14:00

Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.



8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 513556 29-Aug-2011 17:17

It's the opposite of "double happy pleasure"

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 513656 29-Aug-2011 20:49

Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


3829 posts

Uber Geek
+1 received by user: 234

Trusted

  Reply # 513663 29-Aug-2011 21:03

Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?


+1





Do whatever you want to do man.

  

637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 513674 29-Aug-2011 21:27

Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?

It limits your threat horizon to only (trusted) devices which can attach to the VPN, which in turn limits your exposure to any remotely exploitable bugs in RDP or users with bad or compromised passwords.

Oh, and of course it stops people brute-forcing accounts and locking them.

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 513685 29-Aug-2011 21:41

PenultimateHop:
Regs:
Ragnor: Well really it's best practice to only allow RDP in over a VPN and not directly.

So this is double retardation in the system administration department.


Given that RDP is encrypted, why should it be restricted to VPN only? Which best practice document states that it should only be done over a VPN?

It limits your threat horizon to only (trusted) devices which can attach to the VPN, which in turn limits your exposure to any remotely exploitable bugs in RDP or users with bad or compromised passwords.

Oh, and of course it stops people brute-forcing accounts and locking them.


you can use client certificates for RDP, and you can limit source connections by IP if you have a decent firewall - both of those reduce the potential for attack.  Client certificates can ensure only trusted devices are allowed to RDP whilst leaving the IP source open.

Your user account is just as susceptible to brute force lockouts when a VPN is attacked... unless you use a different set of credentials for the VPN. Again, client certificates and IP lockouts can prevent this, but not really any different to RDP.

Even if you don't secure RDP to the extent available, if you take the recommended steps and rename the Windows Administrator user to something nonstandard and only have a limited number of users who are able to log on via RDP, then you're much less likely to get attacked and/or locked out.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 513693 29-Aug-2011 21:49

Regs: you can use client certificates for RDP, and you can limit source connections by IP if you have a decent firewall - both of those reduce the potential for attack.  Client certificates can ensure only trusted devices are allowed to RDP whilst leaving the IP source open.

Your user account is just as susceptible to brute force lockouts when a VPN is attacked... unless you use a different set of credentials for the VPN. Again, client certificates and IP lockouts can prevent this, but not really any different to RDP.

Even if you don't secure RDP to the extent available, if you take the recommended steps and rename the Windows Administrator user to something nonstandard and only have a limited number of users who are able to log on via RDP, then you're much less likely to get attacked and/or locked out.

Yes, using a firewall is reasonable, although potentially somewhat less flexible since you have to know your source addresses in advance. I'm not familiar with client certificates, but a quick skim-read indicates it only works on Server platforms, so anyone RDPing to a non-Server OS is in trouble; and additionally they only add value around the authentication phase (and accordingly, the account lockout issue). They do not add value to protect against exploits in the protocol itself.

VPN account lockouts are somewhat more manageable given the use of both PSKs (or PKI) as well as user authentication.

My preference has been for many years to use VPNs for originating management traffic to constrain source-ips for management, mostly to avoid dealing with the immediate issues present when openssh develops yet another remotely exploitable bug. This approach (for me) has yielded many benefits with minimal drawbacks.

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 513703 29-Aug-2011 22:09

The RDP protocol itself has not, to my knowledge, had any breaches that have enabled anyone to gain access without a valid username/password.

You can use two-factor authentication with smartcard + username & password with RDP, which is built into Windows. You also have the ability to install third-party two-factor auth products onto the 'server'(*) such as RSA SecurID, a USB key solution, or an SMS-based one-time code.

(*) Some two-factor solutions also work on XP/Vista/7 as well as on the Windows Server platform.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


