Educause Security Discussion mailing list archives
Re: Dameware mini remote control
From: Alex <alex.everett () UNC EDU>
Date: Thu, 21 May 2009 09:27:48 -0400
Actually, dameware is still commonly seen on compromised systems. It's a different type of miscreant that has migrated to irc or custom p2p binaries for management. We had seen a number of systems with the standard or modified binaries hanging out in windows\addins.

Someone commented earlier about Symantec not flagging DameWare. Personally, I believe it's because their product is not what it should be. Hard to believe a legitimate case for remote admin binaries in unusual locations.

-Alex Everett, CISSP, CCNA
University of North Carolina

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of William Forte
Sent: Thursday, May 21, 2009 9:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Dameware mini remote control

Wow, someone using Dameware for legitimate purposes? Now that's a shocker. Couple years back that was the number one sign of trojan infection that I came across. Dameware NT was a favorite among the script kiddies and malware writers. Most of them eventually realized that it was impossible to manage a botnet over 10 - 15 computers in a "hands-on" type of administration style. Eventually they all migrated to IRC bots & script execution and then eventually to web based call-ins.

It's worth noting that you should check out http://secunia.com/advisories/product/3247/?task=advisories, and make sure your vendor isn't doing something dumb like using an old version of the product. Dameware has a lot smaller market share than VNC or RDP so I'd suspect not a lot of security researchers spend a massive amount of time looking for vulnerabilities in it.

Nonetheless, if you properly utilize the IP filtering (and/or use IPSec), enable encryption, and maybe even require that they VPN in prior to connection then you can basically lock it down to the point where someone would have to hack your vendor/other IPs you allow access, before they are going to be able to hack your display units.

Respectfully,
William Forte
Information Security Specialist - University of Rhode Island
Current thread:
- Dameware mini remote control Mayne, Jim (May 18)
- <Possible follow-ups>
- Re: Dameware mini remote control Kellogg, Brian D. (May 18)
- Re: Dameware mini remote control Wayne J. Hauber (May 19)
- Re: Dameware mini remote control Ullman, Catherine (May 19)
- Re: Dameware mini remote control Clark, Sean (May 19)
- Re: Dameware mini remote control Ullman, Catherine (May 19)
- Re: Dameware mini remote control Phil Lambert (May 20)
- Re: Dameware mini remote control William Forte (May 21)
- Re: Dameware mini remote control Alex (May 21)