The backdoor trojan – named BackDoor.TeamViewer.49 – was first discovered and analyzed at the start of May by the Russian security software firm Dr.Web. The malware is delivered in several stages, and the trojan’s purpose is believed to be relaying web traffic, effectively turning the infected machine into a proxy server for the attackers’ operations, which in turn conceals their own IP addresses.
The malware is concealed in a working Flash Player update package. If the user installs the update, they also get a component called Trojan.MulDrop6.39120 – it is this dropper that covertly installs TeamViewer on the host machine. The abuse of TeamViewer by attackers is not new – earlier this year there was evidence that an earlier version had been compromised and used to gather user data. That exploit could perhaps have been a developmental trial for this campaign.
Dr.Web came to the proxy conclusion when they found that no data was being stolen. TeamViewer automatically loads a library named avicap32.dll; the malware authors have replaced it with their own version, and they also hide the TeamViewer icon to keep its operation covert. Once everything is running, BackDoor.TeamViewer.49 connects over an encrypted channel to the attacker’s command-and-control server and waits for instructions. At this point, the victim’s IP address becomes that of the crook, masking the origin of who-knows-what crime – and putting the infected PC on record as implicated in the exploit.
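The DLL replacement described above is a DLL-shadowing pattern that a defender can check for: a library sitting next to an application that carries the name of a system DLL but different contents. The following script is an added example, not code from the article, Dr.Web or TeamViewer; the directory paths are assumptions passed in by the caller, and the demo builds a constructed temporary layout with placeholder bytes rather than real DLLs.

```python
# Added example: flag a DLL beside an application that shadows a system DLL
# of the same name with different content (the planted avicap32.dll pattern).
# Paths are caller-supplied assumptions; demo() uses a constructed temp layout.
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Names of .dll files in app_dir that also exist in system_dir but differ."""
    system_hashes = {
        n.lower(): sha256_file(os.path.join(system_dir, n))
        for n in os.listdir(system_dir) if n.lower().endswith(".dll")
    }
    flagged = []
    for n in sorted(os.listdir(app_dir)):
        if not n.lower().endswith(".dll"):
            continue
        sys_hash = system_hashes.get(n.lower())
        if sys_hash is None:
            continue  # private to the application, shadows nothing
        if sha256_file(os.path.join(app_dir, n)) != sys_hash:
            flagged.append(n)  # same name as a system DLL, different bytes
    return flagged


def demo():
    """Constructed layout: a planted avicap32.dll next to the app directory."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "System32")
        app_dir = os.path.join(root, "TeamViewer")
        for d in (system_dir, app_dir):
            os.makedirs(d)
        files = {
            ("System32", "avicap32.dll"): b"LEGIT-AVICAP32",
            ("System32", "version.dll"): b"LEGIT-VERSION",
            ("TeamViewer", "avicap32.dll"): b"PLANTED-LOADER",  # replaced copy
            ("TeamViewer", "version.dll"): b"LEGIT-VERSION",  # genuine copy
            ("TeamViewer", "TeamViewer.dll"): b"APP-PRIVATE",  # app's own DLL
        }
        for (d, n), data in files.items():
            with open(os.path.join(root, d, n), "wb") as f:
                f.write(data)
        return find_shadowing_dlls(app_dir, system_dir)


if __name__ == "__main__":
    print(demo())
```

On a real host the same function would be pointed at the application's install directory and the Windows system directory; a hit is a starting point for inspection, not proof of compromise, since vendors do occasionally ship private copies of system libraries.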
A spokesperson for TeamViewer responded: “While we will have to look closer into this matter, the real issue is the installation of a malware program. Once a system is infected, perpetrators can virtually do anything with that particular system – depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth.”
At the moment, the real intent of the BackDoor.TeamViewer.49 hackers is not known. It will be revealed eventually. In the meantime, remove Flash Player – or if you can’t live without it, go directly to the developer’s site to check for updates.