BACKDOOR.TEAMVIEWER.49

 Crooks use your PC to hide their IP, funnel Web traffic. BackDoor.TeamViewer.49 is the name of a backdoor trojan discovered by Russian security vendor Dr.Web, who claims it will install the TeamViewer application on infected computers so that it can relay Web traffic from the crook to other servers on the Internet, effectively using the host as a proxy server.

Dr.Web researchers, together with security experts from Yandex, first discovered the trojan at the start of May, distributed via a complex multi-stage mechanism.

windows-trojan-uses-teamviewer-to-turn-your-pc-into-a-web-proxy

Initial infection occurs via a tainted Adobe Flash update package

Users don’t get infected with BackDoor.TeamViewer directly, but first through a malware dropper called Trojan.MulDrop6.39120, which Dr.Web says is distributed online together with an Adobe Flash Player update package.

When users install this malicious Flash Player update, they get a legitimate Flash version, but also the Trojan.MulDrop6 trojan, which secretly installs TeamViewer on the victim’s computer.

Dropping TeamViewer on infected devices is not something new, but the crooks don’t use it to log into the victim’s PC and take control of the device. Dr.Web claims that TeamViewer is used for something else.

Crooks don’t steal anything from infected devices

Crooks replaced TeamViewer’s avicap32.dll file with a malicious version that contains the BackDoor.TeamViewer trojan. Since TeamViewer automatically runs avicap32.dll in the OS memory, crooks only need to add auto-run functions to TeamViewer and make sure the app’s icon is hidden from the Windows notification area.

After the criminals make all the necessary modifications and TeamViewer is running, BackDoor.TeamViewer connects via an encrypted channel to the crooks’ command and control server, where it waits for instructions.

Dr.Web says that, in the versions it analyzed, the trojan’s main function was to operate as a Web proxy, taking traffic it receives from the C&C server and relaying it to the Internet, effectively masking the crooks’ real IP.

“While we will have to look closer into this matter, the real issue is the installation of a malware program. Once a system is infected, perpetrators can virtually do anything with that particular system – depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth,” a TeamViewer spokesperson toldSoftpedia. “So first and foremost, it is important that users protect their systems best they can by having proper anti-malware in place.

 Source : SecurityNewsPaper