Educause Security Discussion mailing list archives

Re: Dameware mini remote control


From: Alex <alex.everett () UNC EDU>
Date: Thu, 21 May 2009 09:27:48 -0400

Actually, DameWare is still commonly seen on compromised systems.
It's a different type of miscreant that has migrated to IRC or custom P2P
binaries for management.
We had seen a number of systems with the standard or modified binaries
hanging out in windows\addins.
Someone commented earlier about Symantec not flagging DameWare.
Personally, I believe it's because their product is not what it should be.
Hard to believe a legitimate case for remote admin binaries in unusual
locations.

-Alex Everett, CISSP, CCNA
University of North Carolina

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of William Forte
Sent: Thursday, May 21, 2009 9:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Dameware mini remote control

Wow, someone using DameWare for legitimate purposes? Now that's a shocker.
A couple of years back that was the number one sign of trojan infection that I
came across. DameWare NT was a favorite among the script kiddies and malware
writers. Most of them eventually realized that it was impossible to manage
a botnet of over 10 - 15 computers in a "hands-on" type of administration
style. Eventually they all migrated to IRC bots & script execution and then
eventually to web based call-ins.

It's worth noting that you should check out
http://secunia.com/advisories/product/3247/?task=advisories, and make sure
your vendor isn't doing something dumb like using an old version of the
product. DameWare has a much smaller market share than VNC or RDP, so I'd
suspect not a lot of security researchers spend a massive amount of time
looking for vulnerabilities in it. Nonetheless, if you properly utilize the
IP filtering (and/or use IPsec), enable encryption, and maybe even require
that they VPN in prior to connection, then you can basically lock it down to
the point where someone would have to hack your vendor or the other IPs you allow
access before they are going to be able to hack your display units.

Respectfully,
William Forte
Information Security Specialist - University of Rhode Island
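Both posts above treat the same thing as the signal worth alerting on: a remote-administration binary sitting somewhere it has no business being (windows\addins in Alex's case) rather than under its normal install directory. The script below is an added example and is not code from either poster; it implements that check as a small allowlist scan. It assumes the DameWare service executable is named DWRCS.exe and that a legitimate install lives under Program Files\DameWare; neither detail is stated in the thread, so adjust both sets for your own environment. The sample paths in the usage block are constructed.

```python
"""Flag remote-admin binaries found outside their expected install directories.

Added example (not from the mailing list thread). The binary names and the
expected install locations are assumptions and should be tuned per site.
"""
import os
from pathlib import PureWindowsPath

# Assumed service binary name for DameWare Mini Remote Control. Add other
# remote-admin tools (VNC, etc.) you expect to find only in known locations.
REMOTE_ADMIN_BINARIES = {"dwrcs.exe"}

# Assumed directories where a legitimately installed copy may live.
EXPECTED_DIRS = {
    r"C:\Program Files\DameWare",
    r"C:\Program Files (x86)\DameWare",
}


def _under_expected_dir(parent: str, expected_dirs) -> bool:
    """True if `parent` is one of the expected dirs or a subdirectory of it."""
    parent = parent.lower()
    for d in expected_dirs:
        d = d.lower().rstrip("\\")
        if parent == d or parent.startswith(d + "\\"):
            return True
    return False


def classify_paths(paths, expected_dirs=EXPECTED_DIRS,
                   binaries=REMOTE_ADMIN_BINARIES):
    """Return the subset of `paths` that are known remote-admin binaries
    located outside every expected install directory.

    Matching is by file name only, so a renamed or patched copy will not be
    caught; pair this with hash or signature checks for that case.
    """
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() not in binaries:
            continue
        if not _under_expected_dir(str(p.parent), expected_dirs):
            findings.append(raw)
    return findings


def scan_tree(root: str):
    """Walk a directory tree on a Windows host and classify every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return classify_paths(found)


if __name__ == "__main__":
    # Constructed sample inventory: one legitimate install, one copy dropped
    # into windows\addins, and an unrelated executable.
    sample = [
        r"C:\Program Files\DameWare\DWRCS.exe",
        r"C:\Windows\AddIns\DWRCS.exe",
        r"C:\Windows\AddIns\notepad.exe",
    ]
    for hit in classify_paths(sample):
        print("remote-admin binary in unexpected location:", hit)
```

Feed `classify_paths` an inventory from whatever asset tool you already run, or call `scan_tree(r"C:\Windows")` on the host itself; only the second requires the script to run on Windows. Because the check keys on the file name, a modified or renamed binary of the kind Alex mentions will slip past it, which is why the docstring suggests pairing it with hash or code-signing checks.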
