JPCERT-AT-2011-0024
JPCERT/CC
2011-09-07
<<< JPCERT/CC Alert 07.09.11 >>>
Scan activity targeting TCP port 3389
https://www.jpcert.or.jp/at/2011/at110024.txt
I. Overview
JPCERT/CC Internet Scan Data Acquisition System (ISDAS) has observed
that scans against TCP port 3389 have been increasing since late
August of 2011. Although the cause of these scans has not been
identified yet, they may be due to the Morto malware, which scans for
ports offering Windows RDP (Remote Desktop Protocol) services, and
then attempts to crack the password. After scanning, this malware
attempts to crack weak passwords and propagate itself.
ISDAS has observed scanning activity from multiple IP addresses in
Japan, and has notified their respective administrators.
Since August 28, 2011, the amount of scanning of TCP 3389 has
decreased, but there is the possibility that malware activity has been
temporarily suspended, and attention is still required.
Please consider implementing the solution in IV. Solution.
II. Observation status
For the TCP port 3389 scan trends observed by ISDAS, refer to the
following websites:
ISDAS graph for TCP port 3389 (01.08.11-07.09.11)
https://www.jpcert.or.jp/at/2011/at110024_3389port.png
AP region regular monitoring system (TSUBAME) monitoring video
https://www.jpcert.or.jp/at/2011/at110024_3389port_movie.wmv
III. Malware activity confirmed by JPCERT/CC
JPCERT/CC has obtained one type of malware (Morto) which is believed
to be performing this scan, and has verified how it operates.
1. Computers infected with this malware send requests to DNS servers,
and scan TCP port 3389 of nearby IP addresses.
2. When a computer responds to the scan, the computer infected with
the malware attempts to login to the target computer via RDP.
- Examples of targeted user IDs:
administrator, admin, test, user, guest,
support_388945a0 (remote assistance default ID), etc.
3. When the computer infected with the malware succeeds in logging
into the target computer, it infects the target computer.
4. The computer infected with the malware in 3 begins scanning
activity from step 1 above.
IV. Solution
Users of the services running on RDP (TCP port 3389) are recommended
to consider taking the following countermeasures:
1) Not to use a vulnerable password for system accounts.
2) Restrict remote login of accounts which do not need to be logged
into remotely
3) As needed, have routers and/or firewalls perform access control
of external access to TCP port 3389
How to use the Windows XP Professional remote desktop function
http://support.microsoft.com/kb/882287/ja
Configuring remote desktop access on Windows 7 systems
http://technet.microsoft.com/ja-jp/windows/ff189332
Creating strong passwords
http://www.microsoft.com/ja-jp/security/online-privacy/passwords-create.aspx
http://www.microsoft.com/security/online-privacy/passwords-create.aspx
V. References
Microsoft
New worm targeting weak passwords on Remote Desktop connections (port 3389)
http://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx
Microsoft
More on Morto
http://blogs.technet.com/b/mmpc/archive/2011/08/29/more-on-morto.aspx
Microsoft
Morto malware shows the importance of strong passwords
http://blogs.technet.com/b/jpsecurity/archive/2011/09/06/3451299.aspx
F-Secure
Windows Remote Desktop Worm "Morto" Spreading
http://blog.f-secure.jp/archives/50625847.html
http://www.f-secure.com/weblog/archives/00002227.html
Symantec
Morto worm sets a (DNS) record
http://www.symantec.com/connect/blogs/dns-morto
http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
JPCERT/CC
Internet Scan Data Acquisition System (ISDAS)
https://www.jpcert.or.jp/isdas/
If you have any further questions or information regarding this
alert, please contact JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top