[148366] in North American Network Operators' Group
Possible New Zero Day Microsoft Windows 3389 vulnerability -
daemon@ATHENA.MIT.EDU (James Braunegg)
Fri Jan 13 07:37:27 2012
From: James Braunegg <james.braunegg@micron21.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 13 Jan 2012 12:36:41 +0000
Hey All,
Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
We witnessed an alarming number of completely independent Microsoft Windows Servers, each on separate VLANs and subnets (i.e. all /30 and /29 allocations) with separate gateways and completely separate customers, but all within the same 1.x.x.x/16 allocation, all simultaneously sending around 2 Mbit or so of data to a specific target IP address.
The only common link was / is that terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic.
Would be very interested if anyone else has seen this behavior before! Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP? If so I name it "ohDeer-RDP".
A sample of the traffic is as per below, collected from netflow:

Source       Destination    Application    Src Port  Dst Port  Protocol
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58298     TCP
This occurred around 10:30pm AEST Friday the 13th of January 2012.
We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666
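As an added example that is not part of the post (constructed by the editor, not the author's NetFlow data): a small Python script that parses NetFlow-style records in the column layout quoted above and flags any external peer that many distinct hosts in one allocation are all exchanging port-3389 traffic with, which is the fan-in pattern the post describes. The sample records, the 192.0.2.0/24 allocation standing in for the post's 1.x.x.x/16, the byte counts and the three-host threshold are all assumptions; only the peer address 58.162.67.45 comes from the post.

```python
"""Flag many internal hosts all talking to one external peer on the RDP port.

Added example modelled on the NANOG post's NetFlow extract; the records below
are constructed, not captured.
"""
from collections import defaultdict
import ipaddress

RDP_PORT = 3389

# Constructed sample records in the post's column layout plus a bytes column
# that the post does not show. 192.0.2.0/24 stands in for the affected
# allocation; 58.162.67.45 is the destination quoted in the post.
SAMPLE_FLOWS = """\
# src          dst            app            sport  dport  proto  bytes
192.0.2.10     58.162.67.45   ms-wbt-server  3389   51534  TCP    2500000
192.0.2.14     58.162.67.45   ms-wbt-server  3389   52699  TCP    2600000
192.0.2.77     58.162.67.45   ms-wbt-server  3389   60824  TCP    2450000
192.0.2.130    58.162.67.45   ms-wbt-server  3389   51669  TCP    2550000
192.0.2.10     58.162.67.45   ms-wbt-server  3389   49215  TCP    2400000
192.0.2.10     198.51.100.7   ms-wbt-server  3389   61000  TCP    40000
192.0.2.20     203.0.113.9    https          443    52000  TCP    15000
192.0.2.99     192.0.2.100    ms-wbt-server  3389   53000  TCP    900000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, app, sport, dport, proto, nbytes = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "app": app,
            "sport": int(sport),
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def rdp_fan_in(flows, internal_net, min_sources=3):
    """Group internal->external flows that involve the RDP port by external peer
    and return peers that at least min_sources distinct internal hosts talk to.

    Returns {peer_ip: {"sources": [sorted internal hosts], "bytes": total}}.
    The port is matched on either side because the quoted rows carry 3389 as
    the source port, so the match must not assume a direction.
    """
    net = ipaddress.ip_network(internal_net)
    by_peer = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["src"] not in net or f["dst"] in net:
            continue  # only internal -> external traffic
        if RDP_PORT not in (f["sport"], f["dport"]):
            continue  # only flows where the RDP service port is involved
        entry = by_peer[str(f["dst"])]
        entry["sources"].add(str(f["src"]))
        entry["bytes"] += f["bytes"]
    return {
        peer: {"sources": sorted(v["sources"]), "bytes": v["bytes"]}
        for peer, v in by_peer.items()
        if len(v["sources"]) >= min_sources
    }


def report(text, internal_net="192.0.2.0/24", min_sources=3):
    """Parse, analyse and format one summary line per flagged peer."""
    hits = rdp_fan_in(parse_flows(text), internal_net, min_sources)
    return [
        f"{peer}: {len(v['sources'])} internal hosts, "
        f"{v['bytes'] / 1_000_000:.1f} MB on port {RDP_PORT}"
        for peer, v in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

Run as a script it prints one line per flagged peer; the single-source peer 198.51.100.7, the HTTPS flow and the internal-to-internal RDP flow are all left out. With a real exporter's text output, adjust the column order in parse_flows to match the collector and pass the customer allocation as internal_net.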