New Worm Morto Using RDP To Infect Windows PCs
Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."
Finally (Score:3)
So I was wondering when someone would find and then use an exploit against them. It was only a matter of time.
The good news is the damage may be minimal as it seems to only affect 2k3 R2 servers, at least that is what is reported. It may be all of 2k3 or all 2k3/2k8.
Re:Finally (Score:4, Informative)
And in my current knowledge, if you get infected, it means you have a way too EASY PASSWORD. - Meitzi
Re:Finally (Score:4, Informative)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A [microsoft.com]
Re:Finally (Score:5, Interesting)
If you get hacked, you deserve it.
Compromising Remote Desktop connections on a network: Port 3389 (RDP)
Worm:Win32/Morto.A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems as administrator using passwords from the following list:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
Re: (Score:2)
Lol, I love it.
666666
888888
No....not 777777. They'll be expecting that.
Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?
Re: (Score:2)
We still have people setting local admin passwords to "admin" and 123?
There's more of them than those with reasonable passwords. I'm not counting those with medium strength [xkcd.com] in either group.
Seriously, "common sense" is not so common nowadays. And from what I see, the quality of passwords is actually going down.
Re: (Score:2)
If we haven't wiped ourselves out by the year 10,000, there will still be people using passwords like that. Even the equivalent to today's "security experts" will be caught now and then with idiotic passwords.
We claim to be intelligent, but sometimes the evidence makes that lie.
Re: (Score:2)
It's just a silent commentary as to the quality of MCSEs thrown into a server administration role.
Most guys that are worth their salt demand silly salaries like $60,000-$90,000 US a year instead of the new ITT grad that will accept $35,000 a year.
Again, you get what you pay for. And companies pay for 666666 as a server password.
Re: (Score:3)
Flamebait much? (And I have mod points, just preferred not to use 'em).
Someone having an MS qualification does not make them a bad sysadmin. There are equally shitty Unix sysadmins out there. A stupid sysadmin is a stupid sysadmin no matter who issued their certificate.
Re: (Score:2)
Flamebait much? (And I have mod points, just preferred not to use 'em).
Someone having an MS qualification does not make them a bad sysadmin.
He didn't say that having an MS cert makes someone a bad sysadmin. Touchy, aren't we? :-)
Re: (Score:2)
"It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".
No, actually, he did say that having an MS cert makes someone a bad sysadmin.
Re: (Score:2)
"It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".
No, actually, he did say that having an MS cert makes someone a bad sysadmin.
Not all, just the ones thrown into it - presumably the ones eased gently into it with the aid of a mentor and possibly supported by organisational processes aren't the bad admins. I grokked the final 6 words as a qualifier - sort of the same thing as saying "It's a silent commentary as to the quality of slashdot participants responding without RTFA".
:-)
But, meh - Tah-mah-toe, tah-may-toe I guess
Re: (Score:3)
Lol, I love it.
666666
888888
No....not 777777. They'll be expecting that.
Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?
Dude... I am crying right now with how hard I am laughing. I might pee myself.
I swear, I absolutely swear that I had a user so.... "inept" and "unsmart" that the only password the user could remember was 7777777. I'm not kidding. He was management and had problems remembering people's names. We tried giving him different passwords, especially on other systems, and it spawned endless IT calls for help with his password. I mean simple passwords, like grouped names.
Nope. Could not handle it. Other thi
Re: (Score:2)
No "god"? No "love"?
Why not 100 or 1000 common passwords?
Re: (Score:2)
Seems to be working, which is both depressing and scary.
Re: (Score:2)
Logic has it that you could use more than one configuration of worm. In fact you could use thousands all with different combinations of passwords. You take the assumption that a very lazy tech company will grab one worm, do an analysis and stop there, leaving many many potential other victims out there thinking they are safe.
Still, such a short list seems pointless unless of course relying on a particular tech company's laziness and willingness to blame users for everything, to mass market a false sense o
Re: (Score:2)
We had a few accounts compromised on public-facing *nix host, once.
The reason? The person doing admin had set up a whole bunch of accounts with "phone" as a password. To say that I was surprised at this level of incompetence is a bit of an understatement.
His defense? "Well, that's what the boss told me to do."
Me: "Did you bother trying explain to him just how bad of an idea that was?"
Him: "No."
The mess was easy for me to clean up. And since then, the passwords are much harder. And after the dude res
Re: (Score:3)
Weird... when you typed hunter1, all I saw were asterisks.
Re: (Score:2)
Depends on how many sysadmins double-check the *local* administrator account - not just the domain admin's.
Once won a customer while doing the presentation, just by demonstrating that there's a local account too. Just happened to hit enter on their TS and lo-and-behold, straight in. SBS and Domain controllers don't allow the option of a local admin, but member servers are sometimes easy game.
Re: (Score:2)
I confess, I've used it a few times for a one-off test user (to check that ACLs work correctly). Well, once or twice I forgot to delete this test user.
So I totally can see that somebody might set up an easy password, especially if a system is non-Internet-facing.
Re:Finally (Score:5, Informative)
This is not the complete list of what happens.
I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.
MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.
I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.
The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.
Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
Re: (Score:2)
I'm just bloody glad I shut down all external access to RDP. For a few years I was opening up RDP for some users who worked from home, but after seeing someone trying hundreds of times to get in to RDP via an Eastern European IP address I finally closed it down and require anyone wanting to use RDP to do it via our VPN.
Re: (Score:3)
You should also already have DROP rules for all IP addresses coming from outside countries you don't have workers in already.
We don't have any Asian, Eastern or Russian workers so I block all those countries in the firewall. It reduces risk and traffic significantly.
I also have the firewall add a 24 hour drop rule for any IP address that attempts a connection and gets a rejection more than 5 times to a port in 20 minutes.
Passwords are your second line of defense, your firewall is your first.
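Detection logic for the two patterns discussed in this thread, as an added example that is not from any poster: the worm working through a subnet against the Administrator account on many hosts, and the "drop any IP rejected more than 5 times in 20 minutes" rule above. It assumes a simplified, constructed log line format carrying the fields of a Windows failed-logon event (host, account, logon type 10 for RDP, source IP); the sample lines are made up, not real captures.

```python
"""Flag RDP password-guessing sources from failed-logon records."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts and RFC 1918 addresses).
# 10.10.10.57 behaves like a Morto host: Administrator on five machines in
# seconds. 10.10.10.23 is a user mistyping a password twice. 10.10.10.90
# fails six times, but 30 minutes apart, so it never trips the window rule.
SAMPLE_LOG = """\
2011-08-27 09:00:01 host=FS01 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:00:02 host=FS01 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:00:04 host=FS02 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:00:05 host=WS11 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:00:07 host=WS12 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:00:09 host=WS13 account=Administrator logon_type=10 src=10.10.10.57
2011-08-27 09:01:30 host=FS01 account=jsmith logon_type=10 src=10.10.10.23
2011-08-27 09:01:45 host=FS01 account=jsmith logon_type=10 src=10.10.10.23
2011-08-27 08:10:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
2011-08-27 08:40:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
2011-08-27 09:10:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
2011-08-27 09:40:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
2011-08-27 10:10:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
2011-08-27 10:40:00 host=FS02 account=Administrator logon_type=10 src=10.10.10.90
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) host=(\S+) account=(\S+) logon_type=(\d+) src=(\S+)")
RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type an RDP session uses


def parse_events(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a failed-logon record
        ts, host, account, ltype, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "account": account,
                       "logon_type": int(ltype), "src": src})
    return events


def rdp_failures(events):
    """Keep only failures that arrived over RDP."""
    return [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]


def sources_to_ban(events, threshold=5, window=timedelta(minutes=20)):
    """Window rule: more than `threshold` rejections from one source inside
    `window` earns a ban. Returns {src: time of the failure that tripped it}."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    banned = {}
    for e in sorted(rdp_failures(events), key=lambda e: e["ts"]):
        src = e["src"]
        if src in banned:
            continue
        q = recent[src]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) > threshold:
            banned[src] = e["ts"]
    return banned


def admin_spray_sources(events, min_hosts=3):
    """Worm pattern: one source failing Administrator RDP logons on many hosts.
    Returns {src: sorted list of hosts it tried}."""
    hosts = defaultdict(set)
    for e in rdp_failures(events):
        if e["account"].lower() == "administrator":
            hosts[e["src"]].add(e["host"])
    return {s: sorted(h) for s, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("ban:", sources_to_ban(evs))
    print("admin spray:", admin_spray_sources(evs))
```

The spray check catches a slow but wide sweep that the rate rule alone misses, which matters because a worm is not limited to one guess per second.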
Re: (Score:2)
Simply having 3389 open isn't inherently bad. It's when you allow retarded admins who allow access to that port through the internet and use ridiculously simple passwords on accounts that are given remote login rights AND are exempt from the bad password lockouts.
Re: (Score:2)
Being infected doesn't mean that it happened because of an opened port 3389. I have never heard of an exploit that can run arbitrary code simply due to an open RDP listener. I would imagine such a thing to be possible on VNC far before RDP, given the attention to security that RDP has gotten over the last 10 years.
Re: (Score:2)
How many Windows boxes do not have way too easy a password?
Re: (Score:2)
Warning: Parent contains NSFW link
and not worth looking at anyway
Re: (Score:2)
Having access to the commandline =/= privilege escalation.
Care to explain how you can go from "domain user" or "Remote user" to "domain administrator", with commandline access, on server 2003 or server 2008? I'm sure a LOT of people would be interested to hear this.
Re: (Score:2)
The list of passwords that the worm tries is interesting. Apart from the obvious abc123 and the like, the worm tries "RavMonD" and "zhudongfangyu". Is that a clue? Some Chinese homage to the bazaar?
Poor Passwords are the problem (Score:3, Informative)
Read about Morto, and it says it spreads by trying common passwords such as the following:
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:
admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890
Re: (Score:2)
That "Someone" does not understand how hacks/cracks/attack vectors work, does not stay up on current security trends, or know how to handle a password policy.
Re:Poor Passwords are the problem (Score:5, Informative)
I generally agree that moving well-known services to alternate ports is a waste of time at best and a headache at worst, for most services.
Port scanners should not be effective tools in a high security environment though. You should have an IDS that can detect a scan, even if it's a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would-be attackers to run a port scan against your hosts. In which case there may be value in moving high-value targets like administrative interfaces to lesser-known ports; generally legitimate people using those interfaces won't be terribly inconvenienced.
Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever? Certainly yes. If your common threat model really includes that guy though, you're really operating in a different reality than most of us; for the rest, snort, iptables and some shell scripts, or {pick commercial vendor solution} here goes a long way.
In 1997 an unprotected host was not good enough anymore, you needed a firewall
In 2000 you needed a stateful firewall
In 2005 you needed a application layer firewall
It's 2011, you need IDS / IPS
The arms race continues....
Re: (Score:3)
"There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts"
Yes there is. Competent Network people and up to date networking hardware to do this cost money. Executives would rather continue to run on the out of date Nokia Firewalls they bought in 2003 and hire employees who are happy to get $25,000 to $35,000 instead of having a budget that is realistic and pay-scales that attract competent employees.
THIS is t
Re: (Score:2)
Moving ports protects against worms.
That "someone" may have better said "the Internet is full of threats". My blocked ports log says there's an unauthorized attempt every 2 and a half minutes. That's not counting attacks on 25, 53, and 80.
My system is plenty secure, but I guess you could refer to the net at large as "insecure as living fuck".
Re: (Score:2)
how about removing the "Administrator" account and change the RDP port?
Who leaves services like this exposed to the Internet in the first place? Do you people not have VPNs?
Re: (Score:2)
RDP itself is encrypted with RC4 by default, and gets AES if you use FIPS mode.
Re: (Score:2)
I've argued with people on IRC that leave entire POS systems exposed via VNC to the internet.
It's deplorable, but fairly common. And there's nothing particularly wrong with leaving it exposed if you configure it properly. A VPN provides more peace of mind, of course, since you get all the benefits that come with private keys, etc.
Re: (Score:2)
Account Lockout policies. Same difference using "fail2ban" with SSH that so many people use to "secure" their linux boxes.
What we're down to isn't an argument against RDP, we're arguing over password vs key-based authentication and data integrity.
Re: (Score:2)
There is NO REASON that a little company that has a guy that knows "puters" should not have VPS. Cheap SOHO routers support VPNs easily.
Sorry, but if your business can't afford to hire at least a part time consultant that knows what he is doing, you do not deserve to be in business.
Re: (Score:2)
And that's the biggest problem with using Windows. Too much shit running w/o rhyme/reason or even a decent explanation why.
you can't fully remove the Administrator account (Score:2)
you can't fully remove the Administrator account and you can't change the RID.
A non-issue for people who use strong passwords (Score:5, Informative)
From what I've read [f-secure.com], the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.
...or that hate default ports... (Score:4, Informative)
Since RDP is a necessary evil for administering remote windows PCs at least change the fracking port...
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
Re: (Score:2)
It is already possible to do something like "after 10 failed attempts in 2 minutes, lock account for 5 minutes". Very unlikely to be an inconvenience, but good luck bruteforcing @ 1 attempt every 12 seconds.
It does raise the potential for a type of administrative DDOS, of course, but presumably knowing that there is an attack is better than not knowing.
Re:...or that hate default ports... (Score:4, Insightful)
nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port
Of course if you're serious about security then a port-scan would be logged and blocked. They'd need to compromise multiple machines or scan at a very slow rate in order to be able to get past such a firewall.
Re: (Score:2)
The whole point of a worm is that they have multiple machines.
Re: (Score:2, Informative)
The whole point of a worm is that they have multiple machines.
Not on my internal network.
And if you have RDP open to the Internet you're so retarded there's no saving you.
Re: (Score:3)
Public key authentication / certs is an option on good VPN systems. If such a thing exists for RDP it is very rarely used.
Re: (Score:2)
Of course if you're serious about security then a port-scan would be logged and blocked.
Really? Only if I either run a software firewall more complex than the one that comes with Windows, or put each machine on its own VLAN and route between them on the switch, and then use some detection software triggered from there...
The threat here is that one machine will be infected by whatever means and then infect other machines on the same LAN, because nobody's firewall is going to pass RDP anyway.
Re: (Score:2)
If they're targeting you specifically, they will do such a slow scan, and be changing IPs. Changing the port is enough to lower your profile and make you less conspicuous, but it's not a serious safeguard.
Re: (Score:2)
You're correct, but most worms don't try to scan every port. They need to quickly find their next target, and scanning for one port is much quicker than for over 65,000 of them.
Also, remember they're looking for total dumbasses that put things like "admin" as their password. Pretty sure that people that run RDP on port 6384 don't have trivial passwords.
extreme paranoia (Score:2)
Good idea. I agree. I switch ports for things, too. Helps to avoid worms. But...
Scanned at 2011-08-28 11:37:25 PDT for 54s
PORT STATE SERVICE VERSION
3390/tcp open microsoft-rdp Microsoft Terminal Service
It's still possible to see where your RDP port is. So a dedicated attacker or a port-scanning worm (I'd be amused to see one of those) uncovers your hide.
What about adding port knocking?
Re: (Score:2)
I wanted to do that so I could remote to my home PC from university... The firewall there blocks all ports except 3389 and a few others like 21 or 80.
Security impeding security, wee!
Re: (Score:2)
Set up SSH, you can do port tunneling that way.
I have port 443 on my server set up to accept SSH, that way I can get through 99% of 'work' type firewalls and get to my stuff :)
Re: (Score:2)
If someone uses 12345 for the password do you really think they would have the slightest clue as to what your post means? You need to spell it out for them using baby talk. 1) double clicky on the....
Do you do that with SSH too? (Score:2)
Or instead do you just use strong passwords?
That is what the issue with this worm is: Weak passwords. Go read the MS doc and see just how weak I'm talking about: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com].
This kind of shit affects SSH as well. We periodically whack IPs in China that beat on our SSH servers. They try the same password list over and over, they aren't sophisticated, just looking for weakly passworded stuff.
The answer isn't to move the po
Re: (Score:2)
Been using fail2ban for YEARS to automatically detect and ban brute force ssh cracking attempts. ...before I knew about fail2ban, I had my own homegrown script that did the same thing. Was pretty easy to cook up too.
Re: (Score:2)
This kind of shit affects SSH as well.
Only if you're dumb enough to actually use passwords for SSH. Does RDP even *support* encryption keys? (honest question)
Re: (Score:2)
You could also simply do a static port mapping, if your firewall/router supports it, to change which external port is NATed to your server. Tends to be a lot easier than trying to keep track of scads of servers and which port is which PC.
But generally, if I'm allowing straight up RDP access to the server, there is a strong password in place; changing the port won't stop a detailed scan, which would pick up "RDP" pretty quick. There's not much substitute for a good password, port changing just stops simple w
Re: (Score:2)
Security through obscurity does not work.
That actually is a fallacy. When it comes to worms and viruses, security through obscurity does help; malware attacks the common denominator. If 1 million people run a service on port 1234 and 10 run it on some other random port, you can bet your last dollar that the vast majority of attacks will focus on port 1234. No, you aren't blocking targeted attacks, just going half a rung higher on the ladder so that someone actually has to put some basic thought into an attack against you.
Re: (Score:2)
How about not opening your anus to the Internet?
Hey, you get your thrills your way, and let Mr. Goat Se get his thrills his way.
Re: (Score:2)
Yes, because screw having a standard default port number.
In the same vein, no webservers should be run off 80/443/8080 either, but off a random port number.
Yes, because a webserver that's supposed to be accessible to the general public through a standard web browser, and remote administration that's only used by at most a handful of known users are exactly the same thing....
Idiot.
That is indeed what it does (Score:2)
Someone else linked to the MS info on it: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A [microsoft.com] and it just goes and tries weak passwords... EXTREMELY weak passwords. Also looks like Vista/7 2008/2008R2 are default secure since it tries against "administrator" which is not an account you can actually log in as if UAC is on.
So as long as your password isn't monkey-fuck retardedly easy, should be a non-issue. If it is this weak, well then you really need to get a be
Re: (Score:2)
Sounds like the sort of thing that you might expect to happen and even guard against with things like fail2ban or a homegrown script that does the same thing.
You would also need to correctly guess a suitable user account too.
Require a VPN connection (Score:4, Informative)
Do it right, require a VPN connection before you allow an RDP connection.
Re: (Score:3)
RDP offers better limitations to it.
True, you could close off every port but 3389 to the VPN, you could limit access to only one server, but then the requests start coming in...
Besides, wouldn't an SSL RDP session be more viable?
Re: (Score:2)
SSL RDP? Oh, right - Remote Desktop Gateway. Yes, that's possible as of 2008 Server. Essentially tunnels a Remote Desktop connection over HTTPS, with certificate validation and stuff. Theoretically, you can also configure (as of 2003 I think) your remote desktop connection to use Smart Cards to authenticate rather than passwords... you see where this is going.
Re: (Score:2)
Weird. Slashdot lets positive contributors disable ads, but not financial contributors.
That's because if they did, you could simply pay for the right to be an asshole.
(I know, I know....you can still be an asshole with ads.....)
Re: (Score:2)
Do it right, require a VPN connection before you allow an RDP connection.
Why exactly do you think that increases security? Most VPNs that I've seen use the AD domain password which means once the attacker gains access to the VPN, they can access all the network shares, terminal servers, whatnot. You are equally f'ed in both cases. Also, the current RDP implementation uses TLS which is stronger than e.g. PPTP's RC4, still widely used because it's so easy to set up.
I see this stupidity all the time: you are required to connect to a PPTP VPN, with access to the company LAN to boot
Re: (Score:3)
Um, VPN connection can be bruteforced too. Why is it more secure to offer a service to the internet which grants access to the whole network, than to open a service which grants access to one machine?
I'm not really clear on this. RDP uses SSL and is generally regarded as secure. You can easily limit the rate at which passwords can be tried. Please, explain.
Whoa, Newsflash! (Score:3)
Insecure admin passwords allow remote connections and lead to compromised computers. More details after the film.
Re: (Score:2)
Stop adding checkbox marketing features and maybe we'll stand a fighting chance.
...against users who choose "123456" for their admin password?
Maybe you didn't RTFA before posting.
Mod parent up. (Score:2)
Exactly. And I see it every day.
Just because you THINK you can "admin" a workstation (or a few workstations for your immediate family) does NOT mean that you know how to correctly administer a server.
That this "virus" has any traction is just more evidence of that.
Re:Infecting Windows -- Too Easy (Score:5, Informative)
This same thing can happen with SSH, FTP, and any other service that uses password authentication.
In Linux, you install "fail2ban" to slow down brute force attempts.
In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.
In all systems, you use more complex passwords or two-factor authentication to avoid this.
PS: This is only affecting idiots.
Re: (Score:2)
This same thing can happen with SSH, FTP, and any other service that uses password authentication.
There. 'Nuff said. Passwords are terrible for system level security and should not be used. The basic idea of passwords requires that, to use it, you also give everything needed to use it again. Techniques like two-channel authentication, public key encryption, etc. solve this problem.
Re:Infecting Windows -- Too Easy (Score:4)
At least RTFM before posting. The system is helpless against a user that uses "12345" as a root password.
Re: (Score:3, Funny)
"You would think that hackers might see there is no honor in hacking windows."
I don't know
I read a comment here from some guy named anonymous coward that stated Windows is just as secure as Unix and MacOSX and it is only hacked because more people use it. After all, IE 6 and IE 7 are staples of good security and coding according to him. More people use it ... that's it!