[CS-FSLUG] TightVNC as botware?

Peter J. Vasquez Sr. pjvasquez at baeyogin.com
Tue Feb 15 07:24:23 CST 2011


Ed,

On Mon, Feb 14, 2011 at 8:46 PM, Ed Hurst <ehurst at soulkiln.org> wrote:
> One of my clients had TightVNC installed on her XP box, and had no idea what
> it was or how it got there. I didn't trace the IP to which it connected,
> just uninstalled it. I noticed updates were also turned off, something which
> also puzzled her. As soon as I turned it back on, we got SP3.
>
> I was wondering if anyone had ever heard of TightVNC as a means to remote
> control for nefarious reasons.

Yes, I have seen VNC as an attacker's method to control a remote
system.  This is largely inefficient though, as spawning remote shells
tends to occupy fewer resources and has the same result (full control
of the infected system(s)).

Typically, the use of VNC as an attacker's tool is done by less
experienced blackhats.  The installation of VNC can be disguised in an
e-mail as something else while VNC is silently installed in the
background, or even only temporarily running while other software is
installed (such as in single-click from UltraVNC, which is intended as
a remote support tool but can be modified for use in nefarious
activities).

The danger from this type of remote control is obvious, but largely,
the exposure happens at the end of the inexperienced blackhat.  Making a
lot of VNC-type attacks requires exposing the VNC server port to the
Internet to allow the infected to connect back (this is backwards from
typical VNC installations, and requires less work/modification at the
remote machine).  The exposure of so many ports makes the blackhat a
potential target for others, but before that, very easily identifiable
by the ISP who would likely shut them down quickly.

Let me know if you have any other questions.  If I know the answer, I
will reply with more information.

>
> --
> Ed Hurst
> --------
> Open for Business - http://ofb.biz/
> Kiln of the Soul - http://soulkiln.org/
> blog - http://soulkiln.blogspot.com/
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
>
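
For anyone checking a machine like the one described in this thread, the following is an added example (not part of either message) that scans Windows `netstat -ano` output for VNC-looking sockets, including the outbound "connect back" case described in the reply. The port numbers are the conventional VNC defaults and are an assumption here, since the thread names no ports and a modified build can use others; the sample output is constructed.

```python
import re

# Conventional VNC defaults (assumptions, not stated in the thread):
# 5900-5909 = RFB server displays :0-:9, 5800-5809 = built-in HTTP viewer,
# 5500 = "listening viewer" port that a server dials out to (reverse connection).
SERVER_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))
REVERSE_PORT = 5500

# One TCP row of `netstat -ano`: proto, local addr:port, foreign addr:port, state, PID.
LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(LISTENING|ESTABLISHED|SYN_SENT)\s+(\d+)\s*$"
)

def find_vnc_indicators(netstat_text):
    """Return (kind, local, remote, pid) tuples for VNC-looking sockets."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, UDP rows, states we do not care about
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport = int(lport), int(rport)
        local, remote = f"{laddr}:{lport}", f"{raddr}:{rport}"
        if state == "LISTENING" and lport in SERVER_PORTS:
            hits.append(("vnc-server-listening", local, remote, int(pid)))
        elif state != "LISTENING" and rport == REVERSE_PORT:
            # Outbound to a listening viewer: the machine is connecting back.
            hits.append(("reverse-connection", local, remote, int(pid)))
        elif state == "ESTABLISHED" and lport in SERVER_PORTS:
            hits.append(("inbound-vnc-session", local, remote, int(pid)))
    return hits

# Constructed sample; addresses are documentation ranges, PIDs are invented.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:1047      203.0.113.45:5500      ESTABLISHED     1480
  TCP    192.168.1.20:1051      198.51.100.7:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for hit in find_vnc_indicators(SAMPLE):
        print(hit)
```

The PID in each hit can be matched to an executable with `tasklist /FI "PID eq <pid>"`, and the remote address of a reverse connection is the one worth recording before uninstalling anything.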



