Q

How to manage TeamViewer security risk, mitigate the TeamSpy malware

In light of the recent TeamSpy malware, Nick Lewis examines whether TeamViewer's security risk has reached an acceptable level for enterprises.

My group at work is spread all over the country, and we make use of TeamViewer, so I was concerned by a recent malware attack against the tool. Could you explain what the malware attacks and whether TeamViewer security risk is too great to still safely use it for sensitive communications? Also, is there any way to tell if sensitive information was previously captured by this malware?

Ask the Expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous)

The TeamSpy malware is installed when a user downloads a malicious DLL packaged with the remote administration tool TeamViewer. TeamSpy uses a command-and-control infrastructure along with TeamViewer to control and monitor infected endpoints. This malware is similar to other malware strains used for monitoring or capturing sensitive data, with the twist that it uses the TeamViewer software as part of the monitoring. Keep in mind that the malware is essentially an illegitimate version of TeamViewer, so it is important to download the software from trusted sources to reduce the security risk posed by TeamViewer. TeamViewer recently released a new version featuring security updates, so enterprises using the product should download and implement the new version as soon as possible.

Unfortunately it is often difficult to determine conclusively whether malware has accessed sensitive info. If the data was stored on the system and the user had access to the data or entered data on the system, then the malware could have accessed that data. Depending on whether the malware had keystroke logger functionality (in the case of TeamSpy, once an attacker gained control of a target machine using TeamViewer, he or she could easily install additional malware), user keystrokes may have been captured. If the malware was able to capture accessed data, it is possible the malware captured the data and sent it to an external system. To identify whether any data was accessed or saved by attackers, you could analyze the local file system for new or modified files; but unfortunately, it is fairly easy to change the times on files if this functionality is included in the malware.

A network forensics tool that captures all network traffic sent outside of the network could help determine if data was sent from a system, if the data sent wasn't encrypted or how much data was sent from the compromised endpoint. This is a fairly resource-intensive method of tracking whether data was sent from a compromised system, but it does provide a more reliable picture than would otherwise be available.

This was first published in December 2013

Dig deeper on Secure Remote Access

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close