Fresh RealVNC attack

  • Fresh RealVNC attack

    One of my servers is running VNC 4.1.1 with access to and from the internet.
    I know that is a bit dangerous but it's protected by a strong Windows password, and never left unlocked.
    Today while I was working on it, a cmd line window opened suddenly, trying to get "84785_redworld2.exe" from an ftp site.

    After a deep search I've found out that:

    1) There is a known RealVNC 4.1.1 bug that allows the attacker to bypass the VNC password, released in 05.2006:

    2) In the last 2 days (since 17.9.06) some users running RealVNC 4.1.1 are suffering the same attack as I did. (link to a Spanish security forum)

    3) Only PrevX has detected this threat:
    Major antivirus/antispyware vendors have no idea about it.

    Possible solutions:
    Obviously, closing any VNC services open to the internet. It seems that the newer version 4.1.2 is OK. Other flavours of VNC are not involved.

    VNC users, be aware!


  • #2
    Re: Fresh RealVNC attack

    Originally posted by ariel-s
    ... Major antivirus/antspyware vendors have no idea about it.
    Thanks for posting, however this is not an AV issue, but a VNC issue. I still don't understand why VNC is being used for remote control of a server instead of secure RDP.
    See this great article written by Jason Boche
    or see:

    However there is a fix for this issue, or it is the upgrade. I haven't tested it or read it completely.

    A security hole has surfaced in a program IT administrators use to access remote machines, but fixes are available.

    A flaw in the authentication process of RealVNC (Virtual Network Computing) software could allow attackers to gain remote access to an affected VNC server and compromise it, Cupertino, Calif.-based AV giant Symantec Corp. warned in a message to customers of its DeepSight Threat Management System.

    "During the initial handshake and authentication process between VNC clients and servers, a list of authentication methods is sent to clients," Symantec said. "The client chooses a method and returns a byte specifying the method it wishes to continue with."

    The flaw appears because the server doesn't properly validate that the requested method sent by the client is actually one of the methods allowed by the server. "This issue allows remote attackers to request an anonymous authentication method, which will be incorrectly accepted by the server," Symantec said. "This allows them to gain full control of the VNC server session."
    Last edited by Dumber; 20th September 2006, 11:20.
    Technical Consultant

    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
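The handshake the quoted Symantec text describes, as an added example that is not part of this thread or of RealVNC's own code: a Python probe that speaks RFB 3.8, records which security types the server advertises, then deliberately requests type 1 ("None") and reports whether the server accepts it anyway. The in-process mock server, the verdict strings and the function names are assumptions made for this demonstration; the real check is `probe(host, port)` against a host you are authorised to test.

```python
"""Check whether a VNC server accepts the 'None' security type it never offered.

Added example, not code from the thread. Implements the RFB 3.8 handshake
quoted above: the server advertises security types, the client echoes one
back, and a RealVNC 4.1.1 server accepts type 1 (None) even when it only
advertised type 2 (VNC Authentication).   Usage: python probe.py HOST [PORT]
"""
import os
import socket
import struct
import sys
import threading

RFB_VERSION = b"RFB 003.008\n"
SEC_NONE = 1       # no authentication at all
SEC_VNCAUTH = 2    # DES challenge/response on the VNC password


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def check_null_auth(sock):
    """Run the handshake on an open socket and return a verdict string:
    'none_offered'   - server legitimately allows no auth (configuration, not the bug)
    'vulnerable'     - server accepted type 1 although it did not offer it
    'not_vulnerable' - server refused the type or dropped the connection
    """
    server_version = recv_exact(sock, 12)
    if not server_version.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % server_version)
    sock.sendall(RFB_VERSION)
    count = recv_exact(sock, 1)[0]
    if count == 0:                      # RFB 3.8: failure, followed by a reason string
        reason_len = struct.unpack(">I", recv_exact(sock, 4))[0]
        raise ConnectionError(recv_exact(sock, reason_len).decode("latin-1"))
    offered = list(recv_exact(sock, count))
    if SEC_NONE in offered:
        return "none_offered"
    sock.sendall(bytes([SEC_NONE]))     # request 'None' although only e.g. [2] was offered
    try:
        result = struct.unpack(">I", recv_exact(sock, 4))[0]   # SecurityResult, 0 = OK
    except ConnectionError:
        return "not_vulnerable"
    return "vulnerable" if result == 0 else "not_vulnerable"


def probe(host, port=5900, timeout=5.0):
    """Connect to a real server and run the check."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return check_null_auth(sock)


def mock_vnc_server(conn, vulnerable, offered=(SEC_VNCAUTH,)):
    """Assumed stand-in for a VNC server on one end of a socket pair (not RealVNC).
    vulnerable=True mimics 4.1.1: the client's choice is trusted without being
    checked against the advertised list."""
    try:
        with conn:
            conn.sendall(RFB_VERSION)
            recv_exact(conn, 12)
            conn.sendall(bytes([len(offered)]) + bytes(offered))
            chosen = recv_exact(conn, 1)[0]
            if chosen == SEC_NONE and (vulnerable or SEC_NONE in offered):
                conn.sendall(struct.pack(">I", 0))          # SecurityResult OK: session open
            elif chosen == SEC_VNCAUTH and SEC_VNCAUTH in offered:
                conn.sendall(os.urandom(16))                # 16-byte challenge
            else:                                           # fixed server: refuse the type
                reason = b"security type not offered"
                conn.sendall(struct.pack(">II", 1, len(reason)) + reason)
    except ConnectionError:
        pass                                                # client went away; nothing to do


def simulate(vulnerable, offered=(SEC_VNCAUTH,)):
    """Run the probe against the mock server over an in-process socket pair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=mock_vnc_server, args=(server, vulnerable, offered))
    t.start()
    with client:
        verdict = check_null_auth(client)
    t.join()
    return verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5900))
    else:
        print("4.1.1-like server:", simulate(True))
        print("fixed server:     ", simulate(False))
```

A server that advertises type 1 itself is reported separately as `none_offered`: that is a deliberately password-less VNC, not the 4.1.1 bug, and fixing it is a configuration change rather than an upgrade.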


    • #3
      Re: Fresh RealVNC attack


      I can't use RDP 'cause it's a Win2k Pro machine that I call "server".
      Sometimes I prefer VNC to trick apps that are RDP aware (i.e. installing Symantec products).

      Even if it's a VNC issue, this file redworld2.exe is apparently a kind of spyware, malware, trojan or alike.

      Though the flaw is some months old, it appears that some hacker is exploiting it in the last few days, which makes the issue pretty current.




      • #4
        Re: Fresh RealVNC attack

        ahh, so you don't use a real server

        About the file redworld2.exe I can't find anything, and about the file 84785_redworld2.exe I've got only 2 hits in Google. Maybe a renamed file. Quite strange. I don't know what it is. (And reverse engineering is still what I need to learn.)


        • #5
          Re: Fresh RealVNC attack

          Indeed a "fresh" attack all the way from May 08, 2006
          "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan


          • #6
            Re: Fresh RealVNC attack


            Read the msg again please: the flaw is from May, the attack is from 17.09.06.


            • #7
              Re: Fresh RealVNC attack

              I have to admit I have VNC on my servers but only as a stand-by as I'm outsourced and it was installed throughout the organisation when I arrived.
              Personally I use TS on the servers and VNC on PC's.

              It goes without saying I have just disabled VNC on my servers with access to the internet. Thanks for the heads up.
              The Univurse is still winning!

              W2K AD, WSUS, RIS 2003. ISA also AVG Server
              ** If contributors help you, recognise them and give reputation points where appropriate **


              • #8
                Re: Fresh RealVNC attack

                I have the same problem here in Belgium.
                Windows XP PC is doing strange things.
                Outlook Express 6 not working.
                Norton cannot be activated.

                I'm afraid that all my information has been copied? Or not?
                What is the best solution?



                • #9
                  Re: Fresh RealVNC attack

                  The best solution is to start your own thread before Daniel sees the thread you have hijacked.


                  • #10
                    more information about redworld.exe

                    OK, my own security flaw went public !
                    By now Google is retrieving about 8 pages when searching for redworld exe

                    I've found Sophos the most explicit, and I couldn't find anything at Symantec.


                    Nothing is said there about spreading using VNC, but I suppose that once the system is infected, it doesn't matter how the pest got in.

                    djdave, if your system is infected, these are the risks :

                    Steals credit card details
                    Turns off anti-virus applications
                    Allows others to access the computer
                    Steals information
                    Downloads code from the internet
                    Reduces system security
                    Records keystrokes
                    Installs itself in the Registry
                    Exploits system or software vulnerabilities
                    Scans network for vulnerabilities

                    I recommend you to analyze the article and follow the instructions ASAP.

                    Last edited by ariel-s; 3rd October 2006, 17:12.


                    • #11
                      Re: Fresh RealVNC attack

                      You may want to consider that RealVNC was not the source of the attack. We do not have RealVNC loaded on our machines, yet in the last few days we have seen multiple servers infected. You may want to address that problem as a separate event.

                      We have found minimal information about this infection using Internet searches. These petri pages were helpful to me in finding information, so I am posting what I know, since this discussion is one of the few that shows up in Google searches.

                      The infected servers were Windows 2000, SP4, withOUT all the latest security updates loaded. Virus/worm-laden executables have included:

                      In one instance, an executable was named videoguard32.exe.

                      The signatures suggest W32/sdbot.worm.gen.h to McAfee, but Sophos suggests W32/Vanebot-M for 84785_redworld[1].exe (thank you ariel-s for the Sophos link), yet the activity on the servers does not follow what is described at McAfee nor at Sophos. I'm not an expert, but this suggests to me that we are seeing a new mutation or infection.

                      Despite running McAfee software, the viruses/worms reappear on our servers, often at C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 and in C:\WINNT\SYSTEM32\DLLCACHE.

                      We don't know how the two are related or if they are. What we do see is that the Automatic Updates service has been disabled on our machines, a service by the name of "FIFA WORLD CUP 2007" or of "VIDEOGUARD" is running and can't be stopped, but can be disabled and appear to stay disabled on reboot.

                      The following seem to be common log entries on infected servers:
                      System log srv error 2019 "The server was unable to allocate from the system nonpaged pool because the pool was empty. "
                      System log srv error 2000 "The server's call to a system service failed unexpectedly. "
                      Security log event 529, Unknown user name or bad password, from workstation "WORKSTATION1".

                      The McAfee On-access scanning appears to have been disabled on multiple machines.


                      • #12
                        redworld and VNC

                        Dgranja, Hi.
                        Well, I was not really sure that VNC was the source of the attack, until I found other testimonies supporting this: the posts at the forum and this article about VNC and redworld, unluckily both written in Spanish.

                        The attacker could be using the VNC flaw as well as other Windows vulnerabilities to install the trojan. In your case, you state that your servers aren't updated with the latest security patches, which could explain how you were attacked.

                        It seems that PrevX knows how to deal with redworld, may be you want to give it a try.




                        • #13
                          Re: Fresh RealVNC attack

                          Hi guys... My first time here....

                          I've followed this Redworld2 attack for months now, since one of my office's PCs got infected. What I can say is that if it has already downloaded the redworld.exe thing, it then renames the file into something like winsvc.exe and it cannot be removed just like that. In fact you cannot even end the process started by this file. So what I did was:

                          1. Go into safe mode.
                          2. Remove it from the folder it resides in - C/Windows/System or sometimes
                          C/Windows/system32 - meaning you have to check both.
                          3. Find the same filename in the registry. You will find some key with that name,
                          normally in MRUList.
                          4. Delete it.
                          5. Restart the computer. Don't worry if you get the "Generic Host Process" error.
                          That can be fixed by restoring the system to an earlier time.

                          But try not to restore it before deleting the file. This is because if you restore the system without deleting the file, this malicious file will still be there. And it will still be running - I don't know why, but my guess is that it was in the system folder. So the file will run no matter if it is registered or not.

                          But one more problem that I find is that the number and the name are not usually the same. Can anybody tell me how to make sure that the attack was the same attack? Because once it is inside and has already taken control, it will delete the traces it left behind.

                          Another problem that occurs even after the system is restarted is that it blocks the network, or maybe uses it for itself, because the system wasn't on the network but the shared folder could still be accessed. Can anybody help me on this?


                          • #14
                            Re: Fresh RealVNC attack

                            VNC 4.1.2 addresses the "access without password" flaw in VNC 4.1.1 and has been available for download free for months.

                            The answer is, keep your remote access products up to date!

                            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                            Anything you say will be misquoted and used against you