Sheldor-Shocked

My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB.

The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1294926672.

The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the infected machine.

[Screenshot: TeamViewer's digital certificate]

The sample was used in an incident involving the theft of money through an unauthorized accounting transaction at a major Russian company. The dropper installs a backdoor in %WINDIR% and runs the TeamViewer server in console mode. One TeamViewer component is modified so that code is injected into tv.dll, and communication is handled through the attackers' administrative control panel.
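Two details above give an incident responder something concrete to hunt for: a legitimate TeamViewer install does not live under %WINDIR%, and a modified component will no longer pass its Authenticode check against TeamViewer's certificate. The PowerShell below is an added hunting script, not code from the ESET post or from the sample; the signer-name pattern "TeamViewer", the choice of .exe/.dll extensions and the "anything TeamViewer-signed under %WINDIR% is odd" heuristic are my assumptions.

```powershell
# Added example (not from the original post): hunt for TeamViewer components
# dropped under %WINDIR% and check whether their Authenticode signature still
# verifies. A patched tv.dll, as described in the post, should come back as
# HashMismatch or NotSigned rather than Valid.

$root       = $env:WINDIR
$extensions = @('.exe', '.dll')      # assumption: only these PE types are checked
$signerHint = 'TeamViewer'           # assumption: substring of the legitimate signer subject

$findings = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # A file is of interest if it claims to be TeamViewer's (by signer) or
        # carries the name of the component the post says was modified.
        $isTeamViewer = ($subject -match $signerHint) -or ($_.Name -eq 'tv.dll')
        if (-not $isTeamViewer) { return }

        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        $reasons += 'TeamViewer component under %WINDIR%'   # heuristic: wrong location

        [pscustomobject]@{
            Path   = $_.FullName
            Signer = $subject
            Status = $sig.Status          # Valid / HashMismatch / NotSigned / UnknownError
            Reason = ($reasons -join '; ')
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No TeamViewer-signed or tv.dll files found under $root"
}
```

Run it from an elevated Windows PowerShell prompt on the suspect host. A HashMismatch on a file whose signer subject still names TeamViewer is the interesting result: the certificate is genuine but the bytes are not, which is exactly what tampering with a signed component looks like. A Valid signature does not clear the machine, since the dropper's own unsigned files are not covered by this check.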

[Screenshot: the bot's network activity]

While there's no indication that this is in any way connected with the support scams I've blogged about so often here (which tend to make use of another utility), it's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes.

[Screenshot: shutdown command code]

Its command set includes instructions to start a command shell on the compromised machine, to toggle monitoring, to log off Windows and/or power down, and to remove all traces of the bot.

David Harley CITP FBCS CISSP

Author David Harley, ESET

  • Steffen

    Interesting article. Do you then recommend not to use remote control software on the computer?
    I'm using Teamviewer 6 now on all computers in the LAN at home and use Teamviewer a lot to help friends who have computer problems. Or is only Teamviewer version 5 affected by this virus?

    • David Harley

      Remote access software is very useful in the right context. The trick is to be aware when it’s being misused. Unfortunately, that can be quite a difficult trick…

  • Randy Abrams

    Teamviewer is not affected by the threat; it is used by the threat. Rather than write their own remote control software, they simply used Teamviewer to allow remote control.

  • Steffen

    Thanks for your answer.
    I can imagine, if more and more people are using easy-to-use remote desktop software, then the cybercriminals are of course also trying to misuse those applications for their business.

14 Jan 2011