More RDP Worm Variants?

Published: 2011-09-12
Last Updated: 2011-09-12 16:17:45 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: morto rdp
4 comment(s)


No chance of sharing C&C names/IPs?
I'll try again:
Can anyone shed some light into how logging works for RDP on Windows 7?

On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

In Event View I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational.

But the entries are only "Listener RDP-Tcp received a connection".

I would like to know: From where did the connection come from, which username were supplied, etc

They're in the security log-- they're not differentiated by category; they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.
The FREE HoneyPoint tool we released for the original version of Morto continues to help folks identify scanning/infected hosts of this variant as well as other RDP exploit tools. Here is a link to more information:

Diary Archives