Trojan Utilizes TeamViewer Remote PC Control Software

Monday, January 17, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

A popular remote PC control software has apparently been usurped for use in a banking Trojan that was recently used in an unauthorized transaction that affected a large un-named Russian company.

Aleksandr Matrosov of computer forensics specialists Group-IB has discovered that the Sheldon Trojan is utilizing the TeamViewer remote control software, according to a post by David Harley posted at the ESET Threat Blog.

The use of the TeamViewer 5.0 standalone component allows the attacker to create a command shell on the infected machine.

The hacker can then execute command and control functions including shutting down the Windows operating system software and erasing traces of the bot's presence.

"It was used in an incident related to the theft of money by way of an unauthorized accounting transaction affecting a major Russian company. The dropper installs a backdoor in %WINDIR% and runs as server in console mode. One component of TeamViewer is modified in order to inject code into tv.dll, communicating through the administrative control panel... it's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes," Harley writes.

The Trojan's use of the otherwise legitimate TeamViewer remote access software allows the intruder to bypass authentication protocols and is alleged to have been key to the successful exploit against the Russian company.

Source:  http://blog.eset.com/2011/01/14/sheldor-shocked

Possibly Related Articles:
21414
Viruses & Malware
Authentication Remote Access Exploits Headlines hackers TeamViewer Sheldon Trojan bot command shell
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.