Solved

Viruses or spyware infiltrating an RDP session?

Posted on 2008-06-17
9
932 Views
Last Modified: 2013-11-21
Is it possible for a remote user who is accessing a Terminal Server via RDP to have virus/spyware from their local computer infect the server they are logging into or have virus/spyware from the Terminal Server they are logged into infect their local PC? Assume there are no shared drives/mapped drives in the TS session. I know that while they are in their terminal session they could download 'bad' stuff and it could infect the server if not trapped.  As well I know they could minimize their terminal session and go out to the Internet directly through their PC and get the local PC infected. But can any virus/spyware jump from either the local desktop to the remote desktop or vice versa during a terminal session?
0
Comment
Question by:lineonecorp
9 Comments
 
LVL 5

Accepted Solution

by:
jenkinsme earned 32 total points
ID: 21809526
In theory anything is possible. However I have not heard of any viruses that are linked to RDP or any VNC client for that matter. They would need to somehow get the virus to transfer over the RDP port directly and would be very hard to "hide" that kind of virus.
0
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 31 total points
ID: 21809539
I could imagine a virus that is basically an RDP client, just like the remote desktop client that comes with windows. Except it would connect to the server (provided it knew the credentials to use, possibly obtained via a keylogger or some other social engineering), then connect to the remote server and perform a set of actions that would cause the server to download and execute an infected file.

Or if the virus isn't specifically an RDP client, it could just wait for an RDP session to start, then take over the mouse/keyboard and cause the server to download/run an infected executable.

But wow that would be a longshot. It would be something very targeted, maybe a script a disgruntled employee might deploy. Certainly not something I've ever actually heard of in real life.
0
 
LVL 17

Assisted Solution

by:Malmensa
Malmensa earned 31 total points
ID: 21809637
I have seen several virii of late that infect USB keys, and autorun as soon as it is plugged in.  If you mapped drives in the RDP session, a virus on a USB key would have an easy way in.  These virii are certainly out there right now, and could certainly get in like that.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 32

Assisted Solution

by:r-k
r-k earned 31 total points
ID: 21810108
Theoretically, yes. Practically, this is very difficult, and the returns (for the virus writer) are slim, so I am not aware of any virus that attempts to exploit this.

The task for the virus writer is not easy. First, they have to infect the server. Next they have to find a way to infect the PC via the RDP connection, i.e. they have to discover and exploit some weakness in the RDP protocol and client. Finally, they have to live with the knowledge that relatively few PC's would get infected this way. It is just not worth their time considering how many easier ways exist to attack end-user PC's in other ways (such as email, web browsing, music sharing etc.)
0
 
LVL 17

Expert Comment

by:Malmensa
ID: 21810166
This common virus wouod have no problems infecting a Terminal Server, if the option to map USB drives is enabled:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDELF%2ECFQ&VSect=P
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 21822621
This depends on if the terminal server has autoruns enabled for removable storage.

Personally, on all my computers I disable autorun, and I would expect any prudent administrator to do the same on their terminal server, if it isn't already disabled by default.

0
 
LVL 17

Expert Comment

by:Malmensa
ID: 21951687
Autorun is on by default.  
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This is a video describing the growing solar energy use in Utah. This is a topic that greatly interests me and so I decided to produce a video about it.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now