[Caution] Attacking tools using MS12-020 RDP vulnerability detected (#Update 02)

1. Introduction

INCA Internet response team detected attacking tools using MS12-020 RDP vulnerability on March 14.

MS12-020 fixes 2 vulnerabilities generated on remote desktop protocol which could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.

Most of Windows OS were set RDP function as unavailable by default, however, it can be vulnerable on security threat. Therefore, we recommend install latest security patch from being infected by network worm.

MSRC (Microsoft Security Response Center) set the patch "Critical" when internet worm is available.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. The protocol is an extension of the ITU-T T.128 application sharing protocol. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, Android, and other modern operating systems.

[Related articles]

http://en-erteam.nprotect.com/2012/03/microsoft-security-bulletin-summary-for.html

http://technet.microsoft.com/en-us/security/bulletin/MS12-020

http://technet.microsoft.com/en-us/security/bulletin/ms12-mar

2. Attacking tools and code

About MS12-020(CVE-2012-0002) security hole, various PoC(Proof of Concept)s has been revealed in overseas countries including China.

Besides, MS12-020 PoC were leaked on purpose by Luigi Auriemma who officially reported this vulnerability.

http://aluigi.org/adv/ms12-020_leak.txt

http://threatpost.com/en_us/blogs/ms12-020-rdp-code-leak-mystery-deepens-microsoft-remains-silent-031612

 

In China, various attacking tools have been generated including IP/PORT scanning functions. If those files are spread as worm files, it can make additional damage cases.

INCA Internet response team is monitoring both CLI(Command Line Interface) based and GUI(Graphical User Interface) based attacking tools. Among those tools, we found some tools from China which can attack easily with just inputting target IP address.

Users won't be damaged by when malicious attacker just using tool, however, users need to maintain latest security update from being infected. 

MS12-020 attacking tools from China are easy to handle to malicious attack. INCA Internet response team detected that this tool can terminate remote PCs which are vulnerable in RDP.

When remote desktop connection is available, we can use this tool by inputting IP address of target PC and clicking attack button. Remote PC will appear BSoD and be rebooted.

In this procedure, "shutdown event tracker" can appear and waiting booting procedure which needs to be clicking OK button. Sudden reboot can occur unexpected damages.

3. How to prevent

This vulnerability can be protected by MS12-020 security update. Therefore, Windows OS users need to maintain the latest security update.

On using computer, security update is not selectable but essential. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.

일