Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Viruses or spyware infiltrating an RDP session?

Posted on 2008-06-17
9
Medium Priority
?
962 Views
Last Modified: 2013-11-21
Is it possible for a remote user who is accessing a Terminal Server via RDP to have virus/spyware from their local computer infect the server they are logging into or have virus/spyware from the Terminal Server they are logged into infect their local PC? Assume there are no shared drives/mapped drives in the TS session. I know that while they are in their terminal session they could download 'bad' stuff and it could infect the server if not trapped.  As well I know they could minimize their terminal session and go out to the Internet directly through their PC and get the local PC infected. But can any virus/spyware jump from either the local desktop to the remote desktop or vice versa during a terminal session?
0
Comment
Question by:lineonecorp
7 Comments
 
LVL 5

Accepted Solution

by:
jenkinsme earned 128 total points
ID: 21809526
In theory anything is possible. However I have not heard of any viruses that are linked to RDP or any VNC client for that matter. They would need to somehow get the virus to transfer over the RDP port directly and would be very hard to "hide" that kind of virus.
0
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 124 total points
ID: 21809539
I could imagine a virus that is basically an RDP client, just like the remote desktop client that comes with windows. Except it would connect to the server (provided it knew the credentials to use, possibly obtained via a keylogger or some other social engineering), then connect to the remote server and perform a set of actions that would cause the server to download and execute an infected file.

Or if the virus isn't specifically an RDP client, it could just wait for an RDP session to start, then take over the mouse/keyboard and cause the server to download/run an infected executable.

But wow that would be a longshot. It would be something very targeted, maybe a script a disgruntled employee might deploy. Certainly not something I've ever actually heard of in real life.
0
 
LVL 19

Assisted Solution

by:Mal Osborne
Mal Osborne earned 124 total points
ID: 21809637
I have seen several virii of late that infect USB keys, and autorun as soon as it is plugged in.  If you mapped drives in the RDP session, a virus on a USB key would have an easy way in.  These virii are certainly out there right now, and could certainly get in like that.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 32

Assisted Solution

by:r-k
r-k earned 124 total points
ID: 21810108
Theoretically, yes. Practically, this is very difficult, and the returns (for the virus writer) are slim, so I am not aware of any virus that attempts to exploit this.

The task for the virus writer is not easy. First, they have to infect the server. Next they have to find a way to infect the PC via the RDP connection, i.e. they have to discover and exploit some weakness in the RDP protocol and client. Finally, they have to live with the knowledge that relatively few PC's would get infected this way. It is just not worth their time considering how many easier ways exist to attack end-user PC's in other ways (such as email, web browsing, music sharing etc.)
0
 
LVL 19

Expert Comment

by:Mal Osborne
ID: 21810166
This common virus wouod have no problems infecting a Terminal Server, if the option to map USB drives is enabled:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDELF%2ECFQ&VSect=P
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 21822621
This depends on if the terminal server has autoruns enabled for removable storage.

Personally, on all my computers I disable autorun, and I would expect any prudent administrator to do the same on their terminal server, if it isn't already disabled by default.

0
 
LVL 19

Expert Comment

by:Mal Osborne
ID: 21951687
Autorun is on by default.  
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question