TeamSpy: Backdoor to the Viewer

Today, the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics released its research around a targeted attack it has identified, named TeamSpy. Symantec has had protections in place for this threat since 2011, and we currently detect it as Backdoor.Teambot. We also have the following IPS protections in place:

  • System Infected: Backdoor.Teambot Activity
  • System Infected: Backdoor.Teambot Activity2

This attack abuses the popular TeamViewer remote administration tool to control the malware running on victim machines. The Trojan packages the legitimate application together with a malicious DLL and uses an encrypted configuration file containing the parameters it needs to communicate with its command-and-control (C&C) server.

Backdoor.Teambot has also evolved over the past two years. The most recent version, for instance, has been observed with modules that perform significantly more surveillance. The code found on the C&C server also shows minor modifications to support changes in communication techniques.

Based on our data since 2011, a number of countries have been impacted by this threat.

Figure 1. Countries affected by Backdoor.Teambot

A control panel on one of the C&C servers displays a list of compromised clients along with information about their TeamViewer credentials.

Figure 2. Backdoor.Teambot C&C server control panel

We also observed compromised machines from as early as 2011.

Figure 3. Some Backdoor.Teambot 2011 compromised machines

To ensure that your machine is protected from Backdoor.Teambot and other threats, make sure your computer has the latest patches and the most up-to-date antivirus definitions installed.