
Beware of RDPClient.exe, a Malware Leaked From Microsoft’s labs

Used to demonstrate a flaw in Microsoft Windows, a piece of malware that can exploit the host computer has been accidentally leaked and can now be found on the web.

Microsoft urged Windows users to install the MS12-020 update in order to fix a flaw that affected the Remote Desktop Protocol.

Back then, the company stressed that there was no malware in the wild exploiting the flaw, although Microsoft ominously warned everyone to expect an attack within the following 30 days.

Source code submitted privately to Microsoft to demonstrate this RDP flaw was leaked by unknown sources and could be found on some Chinese websites.

Yunsun Wee, Director of Microsoft's Trustworthy Computing division, has confirmed a match between this code and vulnerability information shared with MAPP partners.

The code is compiled as "rdpclient.exe" and uses pre-built packets to crash the target computer by submitting a shutdown command.

Fortunately, this is the only thing the leaked code does, although Microsoft acknowledges that other variants could access confidential files and even create administrator accounts with full rights.

Although the code's developer blames Microsoft or one of its security partners for leaking the program, Aaron Portnoy, ZDI's Manager of Security Research, told Ars Technica that ZDI's hands are clean.

The flaw affects all users of Windows XP, Vista, Windows 7, Windows Server 2003 and Windows Server 2008, and can be fixed by updating these platforms to the latest version; Windows 8 and Windows Home Server 2011 are not affected.

Source: Ars Technica, The Verge