grandeduc - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How did Ammyy Admin software get repeatedly abused by malware?

The remote administration Ammyy Admin software was repeatedly found to be spreading different types of malware. Expert Nick Lewis explains how enterprises should protect themselves.

The banking Trojan Lurk was discovered to be spreading through remote administration software downloaded from the compromised website of software maker Ammyy Admin. When the installer is downloaded, it secretly launches the Lurk malware dropper, which has functionality to detect if the computer is part of a corporate network. Ammyy Admin software has been abused by six different types of malware in the last year. How did this happen? Should enterprises be actively checking for malware in remote access tools like Ammyy Admin?

Remote administration tools are an absolute necessity for enterprises and even for individuals that want to get help from a remote friend. They are very powerful tools -- and with great power comes a certain amount of risk. If these tools are not appropriately secured, they can be used by an attacker to gain complete remote access to a system. Some remote administration tools even have functionality for working through all but the most restrictive firewalls. Each tool has different strengths and weaknesses; some have the ability to integrate with other tools or are multi-platform, so each enterprise chooses different tools to fit its needs. There is a wide variety of remote administration tools available, ranging from the legitimate like the Microsoft remote administration tools, to the less legitimate DameWare or Back Orifice, to the outright malicious Poison Ivy RAT. Then, there is the Ammyy Admin software.

The Ammyy Admin software is a free zero-configuration remote admin tool. In a report by Kaspersky Lab, researchers describe how the Lurk malware and then the PSW.Win32.Fareit malware were bundled with the Ammyy Admin installer. Kaspersky reported six times to Ammyy Admin that its website and software installer were distributing malware. It is unknown why malicious files kept getting published by Ammyy Admin, but the Ammyy Admin installer isn't signed, which could be an indicator its software developers don't have security integrated into their software development.

Secure software development must be used for something as security critical as a remote administration tool. Signing the installer would help prevent bundling malware with the installer, but the distribution of malware from the Ammyy Admin website is also very concerning and calls into question the company's operational security practices. Given these issues, enterprises should investigate any detection of the Ammyy Admin software as if the endpoint has been compromised. Enterprises could detect Ammyy Admin by monitoring their network, monitoring the files on endpoints to look for matches to the MD5 signatures published by Kaspersky, or by using an endpoint security tool that detects remote administration tools.

Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Learn how to develop a cybersecurity strategy that's more aware of attack methods

Find out how a remote access Trojan like GlassRAT escapes detection

Read about the best incident response tools for the enterprise

This was last published in December 2016

Dig Deeper on Malware, virus, Trojan and spyware protection and removal