Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Erik Soosalu erik.soosalu at calyxinc.com
Fri Jan 13 13:17:28 UTC 2012

Wouldn't this just be an indication of that block being scanned for open
3389 ports from that IP?  You're just looking at the return traffic to
the scanning host.

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com] 
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability -
outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on
port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft
Windows Servers,  each on separate vlan and subnets (ie all /30 and /29
allocations) with separate gateways on and completely separate
customers, but all services were within the same 1.x.x.x/16 allocation
all simultaneously send around 2mbit or so data to a specific target IP

The only common link was / is terminal services port 3389 is open to the
public. Obviously someone (Mr 133t dude) scanned an allocation within
our network, and like a worm was able to simultaneously control every
Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were
behind a firewall or VPN and did not have public 3389 access did not
send the unknown traffic

Would be very interested if anyone else has seen this behavior before !
Or is this the start of a lovely new Zero Day Vulnerability with Windows
RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source                  Destination         Application         Src
Port       Dst
x.x.x.x/16         ms-wbt-server  3389       51534
x.x.x.x/16         ms-wbt-server  3389       52699
x.x.x.x/16         ms-wbt-server  3389       60824
x.x.x.x/16         ms-wbt-server  3389       51669
x.x.x.x/16         ms-wbt-server  3389       49215
x.x.x.x/16         ms-wbt-server  3389       62099
x.x.x.x/16         ms-wbt-server  3389       65429
x.x.x.x/16         ms-wbt-server  3389       51965
x.x.x.x/16         ms-wbt-server  3389       50381
x.x.x.x/16         ms-wbt-server  3389       59379
x.x.x.x/16         ms-wbt-server  3389       58103
x.x.x.x/16         ms-wbt-server  3389       59514
x.x.x.x/16         ms-wbt-server  3389       58298

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP
ranges which were totally unaffected.

Kindest Regards

James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com<mailto:james.braunegg at micron21.com>  |
ABN:  12 109 977 666

[Description: Description: Description: M21.jpg]

This message is intended for the addressee named above. It may contain
privileged or confidential information. If you are not the intended
recipient of this message you must not use, copy, distribute or disclose
it to anyone other than the addressee. If you have received this message
in error please return the message to the sender by replying to it and
then delete the message from your computer.

More information about the NANOG mailing list