More RDP Worm Variants?
With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.
Please let us know if you find similar scans and if you are able to identify the process/malware causing it.
[1] http://isc.sans.edu/diary.html?storyid=11470
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Comments
Dom De Vitto
Sep 12th 2011
1 decade ago
Can anyone shed some light into how logging works for RDP on Windows 7?
On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.
In Event View I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational.
But the entries are only "Listener RDP-Tcp received a connection".
I would like to know: From where did the connection come from, which username were supplied, etc
Anyone?
E
Sep 13th 2011
1 decade ago
They're in the security log-- they're not differentiated by category; they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.
Bill
Sep 13th 2011
1 decade ago
Brent Huston
Sep 13th 2011
1 decade ago