Unpatched Remote Access Tools: Your Gift To Attackers

Three-year old "TeamSpy" espionage campaign should be a wake-up call. Lock down your remote-access tools, or else.

Mathew Schwartz

March 22, 2013

4 Min Read
Network Computing logo

Help desk teams love remote-control software. When employees call with computer problems, the IT department can remotely take control of the user's machine, copy over files and set all application and operating system wrongs to right.

Unfortunately, they're not the only group interested in putting TeamViewer, Symantec PCAnywhere, UltraVNC or other remote access software to work. Attackers love the software too, because it allows them to avoid sneaking complex Trojan malware onto a targeted PC. Instead, they use the already installed remote control software to do the heavy lifting for them, and even run attacks from memory, thus making the exploits more difficult to detect, trace or investigate.

Take the three-year old "TeamSpy" espionage operation, first publicly disclosed Wednesday, that's been targeting high-profile users of the TeamViewer remote control, desktop sharing and file transfer software, which counts over 100 million people as users.

[ You also need to worry about passwords. Read Cisco Password Fumble: Hardware Security At Risk. ]

The TeamSpy attack campaign -- thought to have targeted fewer than 1,000 people to date, but also still to be in operation -- highlights that one of the most effective techniques for spying on people's PCs isn't to code up complex malware. Instead, why not target known vulnerabilities in the remote-control softwarealready installed on PCs to remotely control that software and copy over required attack modules?

In fact, that's exactly what the group behind TeamSpy has done. "To avoid alerting the user that somebody is spying on him, the attackers dynamically patch TeamViewer in memory to remove all signs of its presence," according to researchpublished by Kaspersky Lab.

This type of attack is elegant, because it avoids leaving many of the tell-tale signs that would otherwise be present after a malware infection, such as back-and-forth communications between malware-infected "zombie" endpoints, command-and-control websites that issue instructions and other websites that are used as data dumps. "Using teamviewer as a RAT [remote access Trojan] builds an operational signature, but reduces the operators' fingerprint," said the Bangkok-based vulnerability broker who goes by the name "The Grugq," via Twitter.

"Amusing to see that my anti-forensic strategies (also counterintelligence tenets) are used in the real world," he said, linking to an article he wrote for hacking e-zine Phrack in 2004 that details techniques for creating attacks that leave few recoverable traces for digital forensic investigatorsto study, such as running attacks in memory -- rather than from malicious files -- and using utilities built into an operating system to provide needed functionality, such as a backdoor.

This isn't the first security warning to be sounded over unpatched remote-control software. Notably, Symantec in January 2012 took the unusual step of recommending that all pcAnywhere users disable the softwareuntil the company could issue a patch, which it did one month later.

Symantec's warning was made in the wake of revelations that attackers had successfully breached Symantec's systems in 2006, stealing source code that they might have analyzed to find zero-day attacks to crack the encryption or otherwise exploit the pcAnywhere application, which had remained largely unchanged in the intervening years.

Just as worrying as the threat of corporate PCs being remotely owned via Symantec's software was the fact that the source code theft took five years to detect, meaning that such attacks might well already have been practiced for half a decade.

Which raises this question: Is using remote control software worth the risk, given the security issues highlighted by the active TeamViewer attack campaign, as well as the five-year window in which pcAnywhere users may have been exploited?

As a priority, all TeamViewer users should at least review their systems for signs of a TeamSpy attack. TeamViewer spokeswoman Magdalena Brzakala told Dark Readingthat any business that uses TeamViewer should immediately scan all systems for the presence of a file named "avicap32.dll," which is TeamViewer-targeting malware installed by attackers. She also recommended that users immediately update their TeamViewer software to the latest version and ensure they were running antivirus software with the latest signatures.

Kaspersky Lab, meanwhile, said organizations can protect themselves against TeamSpy attacks by scanning all PCs for the presence of the "teamviewer.exe" application, then locking them down by blocking access to the command-and-control domains and IP addresses used by TeamSpy attackers, which are detailed in a related Kaspersky Lab research report. In addition, "implement a rigid patch-management plan throughout the organization," it said, which will help keep TeamViewer up to date, thus helping prevent attackers from exploiting well-known bugs contained in previous versions.

Even better: Use a firewall on every system to whitelist IP addresses that are allowed to control any and all remote-control software. Block all unapproved IP addresses. Also block all unapproved software. Because in the wake of the TeamSpy attacks, the mandate for any business that uses remote-control software should be clear: Lock it down, or lose it.

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights