Solved

Viruses or spyware infiltrating an RDP session?

Posted on 2008-06-17
9
939 Views
Last Modified: 2013-11-21
Is it possible for a remote user who is accessing a Terminal Server via RDP to have virus/spyware from their local computer infect the server they are logging into or have virus/spyware from the Terminal Server they are logged into infect their local PC? Assume there are no shared drives/mapped drives in the TS session. I know that while they are in their terminal session they could download 'bad' stuff and it could infect the server if not trapped.  As well I know they could minimize their terminal session and go out to the Internet directly through their PC and get the local PC infected. But can any virus/spyware jump from either the local desktop to the remote desktop or vice versa during a terminal session?
0
Comment
Question by:lineonecorp
9 Comments
 
LVL 5

Accepted Solution

by:
jenkinsme earned 32 total points
ID: 21809526
In theory anything is possible. However I have not heard of any viruses that are linked to RDP or any VNC client for that matter. They would need to somehow get the virus to transfer over the RDP port directly and would be very hard to "hide" that kind of virus.
0
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 31 total points
ID: 21809539
I could imagine a virus that is basically an RDP client, just like the remote desktop client that comes with windows. Except it would connect to the server (provided it knew the credentials to use, possibly obtained via a keylogger or some other social engineering), then connect to the remote server and perform a set of actions that would cause the server to download and execute an infected file.

Or if the virus isn't specifically an RDP client, it could just wait for an RDP session to start, then take over the mouse/keyboard and cause the server to download/run an infected executable.

But wow that would be a longshot. It would be something very targeted, maybe a script a disgruntled employee might deploy. Certainly not something I've ever actually heard of in real life.
0
 
LVL 18

Assisted Solution

by:Mal Osborne
Mal Osborne earned 31 total points
ID: 21809637
I have seen several virii of late that infect USB keys, and autorun as soon as it is plugged in.  If you mapped drives in the RDP session, a virus on a USB key would have an easy way in.  These virii are certainly out there right now, and could certainly get in like that.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 32

Assisted Solution

by:r-k
r-k earned 31 total points
ID: 21810108
Theoretically, yes. Practically, this is very difficult, and the returns (for the virus writer) are slim, so I am not aware of any virus that attempts to exploit this.

The task for the virus writer is not easy. First, they have to infect the server. Next they have to find a way to infect the PC via the RDP connection, i.e. they have to discover and exploit some weakness in the RDP protocol and client. Finally, they have to live with the knowledge that relatively few PC's would get infected this way. It is just not worth their time considering how many easier ways exist to attack end-user PC's in other ways (such as email, web browsing, music sharing etc.)
0
 
LVL 18

Expert Comment

by:Mal Osborne
ID: 21810166
This common virus wouod have no problems infecting a Terminal Server, if the option to map USB drives is enabled:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDELF%2ECFQ&VSect=P
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 21822621
This depends on if the terminal server has autoruns enabled for removable storage.

Personally, on all my computers I disable autorun, and I would expect any prudent administrator to do the same on their terminal server, if it isn't already disabled by default.

0
 
LVL 18

Expert Comment

by:Mal Osborne
ID: 21951687
Autorun is on by default.  
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question