With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP. Today, we had a reader report a possible new version of the Win32/Morto RDP brute-forcing worm. The worm was not detected by anti-virus, and does not appear to use c:\Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port 3389/tcp. So far, the user has not been able to identify the process opening the connections. Please let us know if you find similar scans and if you are able to identify the process/malware causing it.

[1] http://isc.sans.edu/diary.html?storyid=11470
Johannes (ISC Handler), Sep 12th 2011
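An added example, not part of the diary and not a SANS tool, for hunting the pattern described above on a suspect Windows host: the script parses `netstat -ano` output, groups RDP (3389/tcp) connections by local source port and owning PID, and flags a port reused against many distinct targets, which also yields the PID the reader could not identify. The netstat excerpt, addresses, port 1337 and PIDs are constructed input; the function names and the four-target threshold are this example's own choices.

```powershell
# Added example, not part of the ISC diary: spot the Morto-like pattern (many
# RDP connections reusing one local source port) in `netstat -ano` output and
# report the owning PID, which is what the reader in the diary could not find.
# $sample is a constructed netstat excerpt so the script runs offline; on a
# suspect host replace it with:  $sample = netstat -ano
# Written for Windows PowerShell 2.0 (Windows 7) and later.

$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49321         10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:1337          192.168.1.10:3389      SYN_SENT        1876
  TCP    10.0.0.5:1337          192.168.1.11:3389      SYN_SENT        1876
  TCP    10.0.0.5:1337          192.168.1.12:3389      SYN_SENT        1876
  TCP    10.0.0.5:1337          192.168.1.13:3389      SYN_SENT        1876
  TCP    10.0.0.5:1337          192.168.1.14:3389      ESTABLISHED     1876
  TCP    10.0.0.5:50012         10.0.0.20:3389         ESTABLISHED     5204
'@ -split "`r?`n"

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Columns: Proto, Local Address, Foreign Address, State, PID. Only TCP rows carry all five,
    # so the banner and header lines fall out here.
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return }
    # Split on the LAST colon so IPv6 literals such as [::1]:3389 parse too.
    $l = $f[1].LastIndexOf(':'); $r = $f[2].LastIndexOf(':')
    New-Object PSObject -Property @{
        LocalPort  = [int]$f[1].Substring($l + 1)
        RemoteIp   = $f[2].Substring(0, $r)
        RemotePort = [int]$f[2].Substring($r + 1)
        State      = $f[3]
        OwnerPid   = [int]$f[4]
    }
}

function Find-RdpSourcePortReuse {
    # Flags (PID, local port) pairs that reach $MinTargets or more distinct hosts on 3389/tcp.
    # A normal RDP client gets a fresh ephemeral port per connection, so one port reused
    # across many targets is the anomaly the diary describes, not ordinary admin activity.
    param([string[]]$Lines, [int]$MinTargets = 4)
    $Lines | ForEach-Object { ConvertFrom-NetstatLine $_ } |
        Where-Object { $_.RemotePort -eq 3389 } |
        Group-Object OwnerPid, LocalPort |
        ForEach-Object {
            $targets = @($_.Group | Select-Object -ExpandProperty RemoteIp | Sort-Object -Unique)
            if ($targets.Count -ge $MinTargets) {
                $first = $_.Group[0]
                # PID 0 or 4 (System) here would point at a kernel-mode component, not a user process.
                $proc = Get-Process -Id $first.OwnerPid -ErrorAction SilentlyContinue
                $path = '(not running or no access)'
                if ($proc) { $path = $proc.Path }
                New-Object PSObject -Property @{
                    OwnerPid    = $first.OwnerPid
                    ProcessPath = $path
                    SourcePort  = $first.LocalPort
                    TargetCount = $targets.Count
                    Targets     = ($targets -join ', ')
                }
            }
        }
}

Find-RdpSourcePortReuse -Lines $sample | Format-List OwnerPid, ProcessPath, SourcePort, TargetCount, Targets
```

On the constructed sample only PID 1876 on source port 1337 is reported (five targets); the single admin session from port 50012 stays below the threshold. Run it in a loop on a live host, since a scanner's SYN_SENT entries are short-lived, and treat an empty ProcessPath with PID 4 as a hint that the connections are being made from kernel mode.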
No chance of sharing C&C names/IPs?
DomMcIntyreDeVitto, Sep 12th 2011
I'll try again:
Can anyone shed some light on how logging works for RDP on Windows 7? On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication. In Event Viewer I can find entries under "Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational", but the entries are only "Listener RDP-Tcp received a connection". I would like to know: where did the connection come from, which username was supplied, etc. Anyone?
Erik, Sep 13th 2011
E,
They're in the Security log; they're not differentiated by category; they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.
Anonymous, Sep 13th 2011
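An added example, not from the thread, that pulls the details the question asks for (who, from where, success or failure) out of the Security log's logon events and out of the TerminalServices-RemoteConnectionManager/Operational log the poster already found. Run it from an elevated prompt, since standard users cannot read the Security log. The function names and the $MaxEvents default are this example's own choices.

```powershell
# Added example, not part of the thread: RDP logon details on Windows 7 / Server 2008 R2 and later.
# Run from an elevated prompt; the Security log is not readable by standard users.
# Written for Windows PowerShell 2.0 and later.

function Get-RdpLogonEvents {
    # 4624 = logon succeeded, 4625 = logon failed. Logon Type 10 (RemoteInteractive) is the
    # RDP session itself; with NLA required, every connection first does a CredSSP network
    # logon (Type 3), so brute-force attempts against an NLA host show up as 4625 / Type 3
    # with the attacker's IpAddress, and Type 10 appears only once a session is established.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields are <Data Name="..."> children of EventData in the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Success     = ($_.Id -eq 4624)
                LogonType   = [int]$d['LogonType']
                User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
            }
        } |
        # Keep network and RemoteInteractive logons that came from somewhere else.
        Where-Object { (3, 10) -contains $_.LogonType -and ('-', '127.0.0.1', '::1') -notcontains $_.SourceIp }
}

function Get-RdpAuthEvents {
    # Event 1149 in the log the question mentions: written when NLA authentication succeeds,
    # before the Security log's Type 10 logon. Its fields sit under UserData, not EventData:
    # Param1 = user, Param2 = domain, Param3 = source network address.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = ([xml]$_.ToXml()).Event.UserData.EventXML
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                User     = '{0}\{1}' -f $e.Param2, $e.Param1
                SourceIp = $e.Param3
            }
        }
}

# Who connected, from where, and with what result:
Get-RdpLogonEvents | Sort-Object Time | Format-Table Time, EventId, LogonType, User, SourceIp -AutoSize
Get-RdpAuthEvents  | Sort-Object Time | Format-Table Time, User, SourceIp -AutoSize

# Brute-force view: source addresses ranked by failed logons (a Morto-style scanner
# stands out as one IP with many 4625s spread across many account names).
Get-RdpLogonEvents | Where-Object { -not $_.Success } |
    Group-Object SourceIp | Sort-Object Count -Descending | Select-Object Count, Name
```

Two things to keep in mind when reading the output: failed NLA attempts against local accounts also produce 4776 (NTLM credential validation) entries, which this script does not collect, and reconnecting to an existing disconnected session logs Type 7 (Unlock) rather than Type 10, so a host that is only ever reconnected to will show few Type 10 events.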
The FREE HoneyPoint tool we released for the original version of Morto continues to help folks identify scanning/infected hosts of this variant as well as other RDP exploit tools. Here is a link to more information: http://bit.ly/oGEkPj
Anonymous, Sep 13th 2011