Introduction
I just noticed that my BlueKeep honeypot keeps blue screening. This was clear to me as every time I tried to do something on it, it was at the login screen (even though I was logged onto the desktop previously), and once I’d logged in it informed me it had just recovered from an unexpected shutdown.
This Hyper-V virtual machine is just a virtual machine patched against everything except the BlueKeep vulnerability. And it’s been busy BSOD’ing lately. The BSODs started September 26th and have increased in frequency since early October, with 3 BSODs in one day (October 10th).
Note: The VM was installed June 8th, 2019 and had no issues at all until the end of September, when the BSOD’ing started.
I wasn’t sure if this was down to a lack of RAM on the VM or something else (possibly related to BlueKeep), so I downloaded a BSOD analyzer from NirSoft, and the results were interesting.
As you can see, the bug check string for the last 5 blue screens was ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY, and there are 2 RDP-related system drivers involved, namely:
- rdpdr.sys
- rdprefmp.sys
Here are some details about the rdpdr.sys file.
And rdprefmp.sys is also a system driver.
In fact most of the blue screens were caused by this driver.
The question is why? Is it a worm trying to gain access, or something else? Let’s keep an eye on it, and hopefully I’ll know more soon.
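A defender’s way to triage crash records like these, as an added example that is not part of the original post: it takes constructed rows in the shape of a BlueScreenView export, keeps only the NX-violation crashes that name one of the two RDP drivers above, and counts them per day so an escalating trend like the one described stands out. The column layout, the sample dates and the three-per-day alert threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the style of a BlueScreenView export:
# (crash time, bug check string, driver named as the cause).
# Not real data from the honeypot described in the post.
SAMPLE_CRASHES = [
    ("2019-09-26 03:14:00", "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY", "rdprefmp.sys"),
    ("2019-10-02 11:40:00", "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY", "rdpdr.sys"),
    ("2019-10-10 01:05:00", "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY", "rdprefmp.sys"),
    ("2019-10-10 09:22:00", "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY", "rdprefmp.sys"),
    ("2019-10-10 18:47:00", "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY", "rdpdr.sys"),
    ("2019-10-11 07:00:00", "IRQL_NOT_LESS_OR_EQUAL", "ntoskrnl.exe"),  # unrelated crash
]

# The two RDP drivers the post names, and the bug check string it reports.
RDP_DRIVERS = {"rdpdr.sys", "rdprefmp.sys"}
NX_BUGCHECK = "ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY"


def rdp_nx_crashes(records):
    """Keep only crashes matching the pattern from the post: an NX violation
    where an RDP driver is named as the cause."""
    return [r for r in records
            if r[1] == NX_BUGCHECK and r[2].lower() in RDP_DRIVERS]


def crashes_per_day(records):
    """Count matching crashes per calendar day (ISO date -> count)."""
    counts = Counter()
    for ts, _, _ in rdp_nx_crashes(records):
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date().isoformat()
        counts[day] += 1
    return dict(counts)


def alert_days(records, threshold=3):
    """Days on which matching crashes reached the (assumed) alert threshold."""
    return sorted(d for d, n in crashes_per_day(records).items() if n >= threshold)


if __name__ == "__main__":
    for day, n in sorted(crashes_per_day(SAMPLE_CRASHES).items()):
        print(day, n)
    print("alert days:", alert_days(SAMPLE_CRASHES))
```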
Related Reading
Patch against the BlueKeep vulnerability, even the NSA is warning you