Malware News and Trends

David Balaban

Subscribe to David Balaban: eMailAlertsEmail Alerts
Get David Balaban: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


TeamViewer Security

How to Protect Your TeamViewer Account

Although the publisher of TeamViewer takes security seriously and ensures encrypted communication between endpoints and servers through RSA-2048 and AES-256 ciphers, there have been incidents where perpetrators successfully used the app in large-scale hoaxes. It turns out that the Internet scoundrels don't necessarily have to get around the strong crypto defenses to deploy their devious stratagems.


Ransomware, a real scourge of the present-day Internet, has been reportedly circulating over unauthorized TeamViewer sessions. This issue recently got into the spotlight as multiple computers became infected with a strain of crypto malware that encodes files and appends them with a ".surprise" extension. The extortionists in charge of this campaign demand a certain amount of Bitcoins for decryption, where the size of the ransom may vary depending on the victim. If the Trojan hits a large enterprise network, the fee can be as high as 25 BTC.

All of these incidents turned out to have a common denominator as far as the contamination mechanism is concerned. The victims had an instance of TeamViewer installed and running at the time of the compromise. According to the traffic logs, a user with an unfamiliar ID had furtively initiated a remote access session and deployed the ransomware executable, namely the surprise.exe file.

Since man-in-the-middle attacks are virtually unfeasible due to reliable end-to-end encryption of every TeamViewer session, the most likely way to pull off an assault like that is by entering one's credentials, including user ID and password. The vendor has refuted all claims of a security breach, so it's not entirely clear at this point how exactly the perpetrator managed to hack into targeted systems. One of the possible causes is a leak of user credentials that are poorly protected by third-party service providers, argues TeamViewer's PR Manager Axel Schmidt. Obviously, this theory is only viable as long as the same password is used across different accounts.


A series of high-profile attacks backed by TeamViewer abuse took place in 2013. These incidents had a hue of governmental and industrial espionage as some of the victims were research organizations based in France and Belgium, as well as government-related institutions in Hungary and Middle East. A Trojan dubbed TeamSpy harnessed the functionality of TeamViewer to enable remote surveillance of targeted machines by the threat actors. The attackers installed a legitimate TeamViewer build on victims' computers, but they altered its behavior via a DLL path hijacking technique.

Not only did the criminals thus obtain unrestricted access to files on the infected workstation, but they could also install other malicious software without the user's awareness. TeamSpy malware established a secure connection with its Command & Control server to transmit the harvested sensitive data behind the scenes. It was primarily after Microsoft Office documents, PDF files, passwords and private crypto keys.


One of the defiant abuse campaigns broke out in 2011 and mainly targeted Windows users in Europe and North America. A group of individuals, who were most likely operating from India, made cold calls allegedly on behalf of Microsoft. In the course of the conversation, the impostors attempted to brainwash the unsuspecting collocutors into believing that their computers were at risk.

To that end, they would start off by asking the person to open Windows Event Viewer, which normally reports non-critical errors but the scammers said those were serious OS issues. The would-be victims were also told to access the folder with Windows prefetch files, all of which were wrongfully claimed to be spyware. Another trick had to do with the System Configuration panel, where the bad guys would draw the user's attention to the quantity of services whose status was stopped.

After the intimidation phase, the operators with Indian accent instructed the target users to download TeamViewer and provide the ID and password for the app so that they could purportedly troubleshoot the computer. In fact, though, the criminals would open a web browser remotely and bring up PayPal website, telling the user to submit a "lifetime fee" of $300 or so. If the person refused to pay, the attackers could take advantage of the TeamViewer session to wreak some havoc with the machine, like delete random files or remove hardware drivers to render the system inoperable.


To steer clear of security issues when using TeamViewer, it's recommended to follow a number of simple rules. For a start, it is important to verify if you have unattended access key enabled. Go to: TeamViewer >> Extras >> Options >> Security >> Personal Password. Keep in mind that anyone whom you grant remote access password (unattended access key) over this remarkable service can do pretty much anything they want with your computer, not necessarily benign stuff only. So make sure you trust that person, be it a tech support agent, a colleague or a friend.

Make use of White and Black lists to additionally improve the security of TeamViewer. Go to: TeamViewer >> Extras >> Options >> Security >> White List & Black | Set | Allow access only to the following ID and associates.

Download your copy of the application through official resources so that you can rest assured it's not backdoored or otherwise modified by criminals. Use a strong, hard-to-guess password to thwart unauthorized access. Don't hand over your ID to random people. Use two-factor authentication to log into your TeamViewer account, where an automatically generated security code needs to be entered along with the credentials proper.

Also, consider denying connections from outside your LAN network unless this contradicts your app usage patterns. You can as well take advantage of the built-in whitelisting feature to only permit connections for a certain range of IDs. If TeamViewer is currently not in use, exit the program in the taskbar - this way, no one will be able to access your machine even if they have your credentials. For more info and help visit TeamViewer security page.

More Stories By David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.