Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: More RDP Worm Variants? - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
More RDP Worm Variants?

With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.

[1] http://isc.sans.edu/diary.html?storyid=11470

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

 Johannes

4479 Posts
ISC Handler
Sep 12th 2011
Thread locked Subscribe Sep 12th 2011
1 decade ago
No chance of sharing C&C names/IPs?
 DomMcIntyreDeVitto

45 Posts
Quote Sep 12th 2011
1 decade ago
I'll try again:
Can anyone shed some light into how logging works for RDP on Windows 7?

On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

In Event View I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational.

But the entries are only "Listener RDP-Tcp received a connection".

I would like to know: From where did the connection come from, which username were supplied, etc

Anyone?
 Erik

5 Posts
Quote Sep 13th 2011
1 decade ago
E,
They're in the security log-- they're not differentiated by category; they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.
 Anonymous
Quote Sep 13th 2011
1 decade ago
The FREE HoneyPoint tool we released for the original version of Morto continues to help folks identify scanning/infected hosts of this variant as well as other RDP exploit tools. Here is a link to more information: http://bit.ly/oGEkPj
 Anonymous
Quote Sep 13th 2011
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!