Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Hackers hijack TeamViewer application to gain remote access

According to David Harley, ESET's senior research fellow, a Russian colleague uncovered the problem when examining sample code from Group-IB, the forensic investigation specialist.

Harley reports that TeamViewer was used in an incident related to the theft of money from a major Russian company.

The dropper, he explained, installs a backdoor in %WINDIR% and runs as server in console mode. A component of TeamViewer is then modified in order to inject code into tv.dll, communicating through the administrative control panel.

"While there's no indication that this is in any way connected with the support scams I've blogged about, it's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes", he said in his security blog.

The command set used in the botnet includes instructions to start a command shell to make use of the compromised machine, to toggle monitoring, to exit Windows and/or power down, and to remove all traces of the bot.

It's important to note that TeamViewer is not itself susceptible to the attack, but is merely that its code is being tapped by the hackers in developing the fraud, Infosecurity notes.

It's also worth noting that other remote control applications could – in theory, at least – be tapped in a similar fashion to gain unauthorised access to a user's computer.

As one reader to Harley's weekend security blog noted, remote access software is very useful in the right context, but the trick is to be aware of when it is being misused.

There may be an argument, Infosecurity notes, to only enable remote access to a computer when you are away from the terminal, and not when you are in the office.