August 31, 2011

A new Internet worm has been reported that spreads via Microsoft's Remote Desk Protocol (RDP). This worm scans an infected host's subnet for other hosts running RDP and attempts access to them using a pre-configured set of user names (including "administrator") and passwords. According to Microsoft, this worm can be remotely controlled and updated, such that infected hosts may be ordered to perform denial-of-service attacks or other functions. Because of this, the behavior of the worm may change over time.

Detailed information about the worm, including detection and cleaning, is available here:

This threat can be mitigated by following some basic security best practices. First, ensure that you are enforcing strong password choice on your user accounts. Note that the unique 'Administrator' account password AWS automatically assigns to your instance upon launch complies with this recommendation and should be sufficiently strong to make brute force password guessing infeasible. If you use the EC2 Windows Configuration Service to override this automatically assigned password, please ensure that your selection is cryptographically strong. Microsoft guidance on creating strong passwords can be found here: and instructions on using the Windows Configuration Service can be found here:

Second, ensure that you are restricting inbound RDP (TCP 3389) to only those source IP addresses from which legitimate RDP sessions should originate. These access restrictions can be applied by configuring your EC2 Security Groups accordingly. For information and examples on how to properly configure and apply Security Groups, please refer to the following documentation: