Digital Edge is committed to providing the highest levels of security within all the IT infrastructure environments under its care. In order to achieve this utmost goal for all of our clients, we continuously maintain vigilance both on the productive side of IT as well as on its destructive side. We thus send out news and security bulletins such as this one from time to time to ensure that our clients are informed and educated on any important developments in IT security and are fully aware of what we are doing to ensure that we and our clients are always at the Cutting and at the Digital Edge of technology.
Our Analysis:
Even though the situation is still not clear, the Digital Edge Security Team sides with security expects blaming a BackDoor Trojan discovered in May of 2016. The signature for the Trojan was added on 05/26/2016. The version of Trojan - BackDoor.TeamViewer.49 utilizes TeamViewer as its backdoor implementation and is delivered by Trojan.MulDrop6.39120 through Adobe vulnerability. Even though the Trojan is supposed to hide the TeamViewer interface and use its functions in the background, we believe that mutation of the virus (the virus uses advanced hiding techniques) can create an unpredicted effect on the systems with legitimately installed TeamViewer causing effect described by users that reported the compromise.
The Trojan is delivered by Trojan.MulDrop6.39120 discovered in the beginning of May 2016. The dropper pretends to be an Adobe player upgrade and installs BackDoor.TeamViewer.49 Trojan on the affected computer. The Trojan main payload is injected in avicap32.dll. The virus uses base64 encryption and uses advanced technique to hide its session from the users.
The Trojan injects itself in auto run. When activated the Trojan can act as a remote access as well as a proxy to transfer commands from C&C to another machine on the LAN.
The Trojan can execute the following commands received over HTTPS:
disconnect—terminate the connection;
idle—maintain the connection;
updips—update the auth_ip list with the one specified in the command received;
connect—connect to the specified host server. The command must consist of the following parameters:
ip—host server’s IP address;
auth_swith—use authorization. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
auth_ip—IP authentication;
auth_login—login;
auth_pass—password.
The Trojan can execute the following commands received over the binary protocol:
Authentication—depending on the auth_swith parameter, the Trojan sends either data on the auth_ip parameter or auth_login and auth_pass.
Keep-Alive (0x01)—maintains the connection to the server.
Send Data (0x02)—searches for the signature in the Trojan’s body:
Control commands are performed via a binary protocol.
The Trojan is capable of accessing browser password cache.
Recommendations:
Even though Digital Edge’s Security Team believes that the reported incidents are the result of BackDoor.TeamViewer.49 and no real TeamViewer credentials are used, we suggest to check your account for unauthorized access:
Once you’ve logged into your account head to the top-right corner and click on your username, followed by Edit Profile. Then select Active Logins. This will list every device and location that has access your account within the last year.
You can also check your TeamViewer logs for any unscheduled activity. The logs can be found here:
C:\Program Files\TeamViewer\TeamViewerXX_Logfile.txt
C:\Program Files\TeamViewer\TeamViewerXX_Logfile_OLD.txt
Head to your log and give it a read through. Check for any irregular IP addresses. Search the log for “webbrowserpassview.exe” and if you get a positive hit, immediately change all of your passwords.