ESET, a global pioneer in proactive protection for 25-years, have reported the increase in malware being installed via Remote Desktop Protocol (RDP). ESET warns that RDP can serve a variety of useful purposes, in the wrong hands it can be a remote control weapon that enables bad actors to zombify your computer and have it do their bidding.
How could this happen?
- If your computer is “listening” for an RDP signal
(typically over port TCP 3389), and it is connected to the Internet, it will respond when a remote user asks it if it’s alive. To the remote user, they will be presented with a login screen to your desktop, often without you noticing - If one’s computer have a poorly configured RDP setup, it may just let the remote user in.
- If you have administrative privileges assigned to the user they login as, they can take your computer for an unfettered spin around the block, ranging from turning it off, rebooting it, installing software (including malware).
How to Stop this?
- Disable RDP (Control Panel under System > Remote Settings > Remote Desktop (under Windows 7, other operating systems vary)
- If you choose to allow connections, take some time to define who you think should be connecting using the ‘Select Users’ dialog box
- Notice the user that you are logged in as already has access (blanked out, example: ______ has already has access). When remote attackers come calling this could pose problems for an unwitting user who is logged in as Administrator
- Do not use the password which can be easily guessed, as an attacker will always look to gain elevated access quickly
- An attacker attempts to encrypt files on the computer and extort money especially from credit card, which virtually guarantees further fraud – the whole thing could be simply avoided by disabling the service
- Strong username and passwords is recommended, may be the combination of upper and lower case letters, numbers, and symbols.
- If you need to use RDP and are more technically inclined you can change the port on which RDP “listens” for connections (the default port is 3389)
- Stay alert for those “Windows support” people who phone and ask you to install special remote access software to allow them to “fix” your computer
