[AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
Marcus Emanuel
marcus at hostcorp.com.au
Sat Jan 14 09:13:05 EST 2012
Hi James,
Heres a likely scenario.
When being targeted by a brute force RDP attack, each login attempt hitting each box discovered on your networks sends the bitmap as it paints the RDP login screen on the attackers system. If each login screen sends 20Kb of data, then it's likely that around 100 simultaneous rdp login attempt sessions were in progress per second.
You will probably have seen a high count of winlogon.exe on the targeted boxes too.
Cheers,
Marcus
On 13/01/2012, at 11:52 PM, "James Braunegg" <james.braunegg at micron21.com> wrote:
Hey All,
Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.
The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic
Would be very interested if anyone else has seen this behavior before ! Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it “ohDeer-RDP”
A sample of the traffic is as per below, collected from netflow
Source Destination Application Src Port Dst
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51534 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 52699 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 60824 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51669 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 49215 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 62099 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 65429 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 51965 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 50381 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 59379 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 58103 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 59514 TCP
x.x.x.x/16 58.162.67.45 ms-wbt-server 3389 58298 TCP
This occurred around 10:30pm AEST Friday the 13th of January 2012
We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com <mailto:james.braunegg at micron21.com> | ABN: 12 109 977 666
<image001.jpg>
This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20120114/55ba7e93/attachment.html>
More information about the AusNOG
mailing list