VNC replacement?
There appears to be a new virus going around that looks for RealVNC servers and rootkits the machine hosting the VNC. Thereafter it spreads throughout the system. This has shown up on our test labs. I really don't like the idea of having to wander all over the labs to chase down data or make changes so I use VNC a lot. Windows only, this is a typical work environment.
Does anybody know of a really cheap replacement* for VNC?

*The hardware kids are doing N radios and all the version spins are killing our budget, so free is the preferred level of cheapness :(

Thanks,
Hugh
Why not Remote Desktop?
I was under the impression you had to work your ass off to make VNC secure, i.e., had to tunnel it through ssh.

I stopped using it a while ago.

For Windows, I use Remote Desktop. It works better as well. And comes for free.
Edited by crazy Aug. 8, 2007, 07:48:42 AM EDT
Thanks. I never used it before.
I'll look into it.
Are there any gotchas about Remote Desktop that I should know about setting up?
Check any QOS policies if there are routers in the mix


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
[link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator]
[image|http://i66.photobucket.com/albums/h262/pwhysall/Misc/saveus.png|0|Darwinia||]
Umm
Depends.

I seem to recall the user account has to be flagged on each system a certain way, i.e., allowed to remote in. I'd have to check my work PC, which I'd have to rdesktop TO. But I don't have its name/IP address here, so I can't look.

Ask tomorrow if you need the specifics.

On the other hand, you'll love it compared to VNC. VNC protocol SUCKS (especially when dealing with Windows as the host) as compared to RDP.
I think you're right
Believe they have to be in the Remote Desktop Users group.
Tom Sinclair

Kaylee: Wash, tell me I'm pretty.
Wash: Were I unwed, I would take you in a manly fashion.
Kaylee: Because I'm pretty?
Wash: Because you're pretty.
- "Heart of Gold", Firefly
Seems to work.
I had to go around and allow remote access and add allowed people, which is not a big deal, because for administrative purposes, most of the machines are administered by admin/password. We only put fictional users on with varying privilege for test purposes.

I can VPN in from home and still get to the lab through my usual proxies so that is pretty good.

The interesting thing is that when I log on remotely, it closes an open console session until I log off. VNC would allow somebody sitting at the console to steal the mouse back or change focus to a different window. It was a standard game when there wasn't enough to be irritated about.

It turns out that the virus only targets RealVNC 4.1.1 and they have a 4.1.2 version out that deals with the vulnerability, so some people are going with that. There are also other VNC products from other companies that are not affected as well. So now we have competing remote access methods. Interesting times.

Thanks for the suggestion.
Hugh
Any info on the virus?
Rootkit, backdoor, worm? Does your anti-virus identify it or are you finding it through other means? I'm concerned about this because I know that VNC is used in several spots in my company, so any info I can gather and submit to our security team would be appreciated.
-----------------------------------------
Atheism is a religion in the same sense that not collecting stamps is a hobby.
Re: Any info on the virus?
This is what we got from company security:

Subject: Virus Outbreak (RealVNC)
Message: GTRC,
Forwarding case to Site Support to have the system reimaged and cleaned.
To summarize, the worm looks for any systems running RealVNC versions 4.1.1 and below, and if it finds one it uses an exploit to log into the system without a username or password. Once on the system it downloads a rootkit, and begins to spread to other systems.

Once the system is infected, the new rootkit disables any AV scan running, and makes it very difficult to remove. We recommend that the machines be rebuilt if they are infected, until a proven method is discovered to remove the rootkit.

Infosec has blackholed the command and control server at this point, so no systems are under remote control, however if the DNS record changes, the machines will reconnect to the c&c server.

Infosec is in the process of scanning the network and identifying all systems with this virus signature. As a result, cases will be generated for remediation and assigned to On Site Services.

Type Trojan

W32/Tilebot-JS is a backdoor worm for the Windows platform which allows a remote intruder to gain access and control over the computer.

RealVNC

A flaw exists in RealVNC server v4.1.1 and older which allows an attacker to override RealVNC server-side authentication. This could result in the attacker gaining remote control over systems running RealVNC server.

[link|http://www.purdue.edu/securepurdue/steam/newsDetail.cfm?NewsID=59|http://www.purdue.ed...ail.cfm?NewsID=59]

* RealVNC is currently not a "company" Supported application. We recommend removing or upgrading to the latest secure version.


This link also talks about it:
[link|http://www.symantec.com/avcenter/attack_sigs/s21641.html|http://www.symantec...._sigs/s21641.html]

HTH
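
An inventory check for the version range the notice above names, as an added example that is not part of the original post or the company's tooling. The function names `Test-VulnerableVnc` and `Get-VncExposure` and the host names in the last comment are hypothetical; it assumes RealVNC registers under the standard Windows Uninstall keys with "RealVNC" in its display name or publisher, and that PowerShell remoting is enabled for remote sweeps.

```powershell
# Added example, not from the thread. Flags RealVNC installs older than 4.1.2,
# i.e. the "4.1.1 and below" range named in the security notice.
$FixedVersion = [version]'4.1.2'

function Test-VulnerableVnc {
    param([string]$DisplayVersion)
    # Use the leading dotted number only, e.g. "4.1.1" from "4.1.1 (build x)".
    if ($DisplayVersion -notmatch '^\s*(\d+(\.\d+){1,3})') { return $null }  # cannot tell
    return ([version]$Matches[1]) -lt $FixedVersion
}

# Runs on each target: list Uninstall entries that look like RealVNC.
# Assumption: the install registers with "RealVNC" in DisplayName or Publisher.
$inventory = {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { "$($_.DisplayName) $($_.Publisher)" -like '*RealVNC*' } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion
}

function Get-VncExposure {
    param([string[]]$ComputerName)   # omit to check only the local machine
    $rows = if ($ComputerName) {
        # Assumption: PowerShell remoting is enabled on the lab machines.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $inventory
    } else {
        & $inventory
    }
    foreach ($r in $rows) {
        [pscustomobject]@{
            Computer   = $r.Computer
            Product    = $r.DisplayName
            Version    = $r.DisplayVersion
            Vulnerable = Test-VulnerableVnc ([string]$r.DisplayVersion)
        }
    }
}

# Local check; pass -ComputerName 'LAB-PC-01','LAB-PC-02' (constructed names) for a sweep.
Get-VncExposure | Sort-Object Computer | Format-Table -AutoSize
```

A blank `Vulnerable` column means the version string could not be parsed and the machine needs a manual look.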
Thanks, forwarded.
-----------------------------------------
Atheism is a religion in the same sense that not collecting stamps is a hobby.
     VNC replacement? - (hnick) - (9)
         Why not Remote Desktop? - (crazy) - (5)
             Thanks. I never used it before. - (hnick) - (4)
                 Check any QOS policies if there are routers in the mix -NT - (pwhysall)
                 Umm - (crazy) - (2)
                     I think you're right - (tjsinclair)
                     Seems to work. - (hnick)
         Any info on the virus? - (Silverlock) - (2)
             Re: Any info on the virus? - (hnick) - (1)
                 Thanks, forwarded. -NT - (Silverlock)
