
Is RemoteUtilities safe?

1 reply to this topic

#1 MM_john

Posted 30 June 2015 - 12:35 AM

The RemoteUtilities remote access tool by the Usoris company is commonly reported by antimalware tools. Today I ran Hitman Pro and ESET Online Scanner and both reported it.

Obviously, any remote access software is inherently risky. And this program is not as popular as Cisco WebEx or Citrix GoToMyPC or LogMeIn, so perhaps that's a problem.

 

But, maybe there is something malicious going on with this software?

 

I use the software and they have an active forum with a paid support person Conrad Sallian who appears to be a native English speaker. I've posted there several times and gotten good response.

When LogMeIn ended their free program, RemoteUtilities responded by initiating their own. Free for 10 remote computers. It's pretty full-featured. It's pretty stable; I use it every day and I have to restart the local viewer about once a week, and the remote host about once a month, but I'm also behind the most recent version.

 

In this topic on 12/17/2014 Conrad Sullivan reports

 

after our second review request Google lifted the malware warning at least in Google Webmaster Tools.

 

That had to do with Google flagging their "agent.exe" download.

 

But in this topic just a few days ago he reports

We received a response from them [Google] just now. They say that it's still "malware".

Here's VirusTotal on the "agent.exe" download and the two main images it forks

 

Agent.exe 21/54 detects, 5 up votes, 0 down

https://www.virustotal.com/en/file/00ac7713d4eb20fcf58c61d827c84105b979fef83a127d7ef1799bb322f8c26a/analysis/1435640795/

 

rfusclient.exe 12/54 detects, 2 up votes, 0 down

https://www.virustotal.com/en/file/5efbf58ea9244f75ed292723f34b07d4fc6f65fec3ebdcd3fe9d41027df093c1/analysis/1435640800/

 

rutserv.exe 13/53 detects, 10 up votes, 0 down

https://www.virustotal.com/en/file/4d8ba1984b18d2c7a94e1c988010e47398d8f86c81dc070ff2d7588120b29c0e/analysis/1435640805/

 

So what do y'all think?


Edited by MM_john, 30 June 2015 - 04:36 PM.
Seemed better in General Security



#2 MM_john


Posted 30 June 2015 - 06:47 PM

1.

 

The links above are for an older version of the program v5.6.

 

Here's the VirusTotal for the newest "agent.exe" v6.3

https://www.virustotal.com/en/file/1b71e579af7c138736de3dce6fcfa1c3a173be66be0e8bf5a8ffbd70a4a11296/analysis/xe

 

15/56 detect; no votes yet; it was released June 18, 2015, so 12 days ago as of this writing.

 

2.

 

The problem here is that trying to use this program for remote support, you want the easiest possible experience for the user at the other end. First, because they might be inexperienced, second, because they might be experiencing issues doing things on their PC that make getting agent.exe to run difficult anyway.

 

To that end, I was experimenting. I wrapped up agent.exe into a .zip file using 7-Zip v9.04 Beta. The resulting hash was apparently new to VirusTotal, but still 21/55 detects, i.e., everybody (well, at least 21 of them) un-zipped and scanned.

<https://www.virustotal.com/en/file/5759cd1b135a9a2cc49969cd434d6312f4f7dbb26c5d594c4a1b38d03344e496/analysis/1435694816/>

 

Then I thought, what if I encrypt with a password? So I did <https://www.virustotal.com/en/file/52a49eaf4d027c9f79563ba5ef89165985b55a010621c1f89fe7d172b111eaf1/analysis/1435695168/>

 

To my surprise, one AV vendor, Fortinet, detected it as 'Riskware/RemoteAdmin_RemoteUtilities', which I thought was strange. I guess you can see filenames without decrypting, and although "agent.exe" is pretty generic, I thought maybe Fortinet was going off the filename. So I renamed the file, zipped again, and submitted to VirusTotal <https://www.virustotal.com/en/file/8dd08b213569e8dd793dfef6208cc7a51adfacbdee1a3b70c0b04218f65bad6f/analysis/1435695525/>

 

Still Fortinet decrypted.

 

Both of the above were with 7-Zip's default Encryption Method "ZipCrypto".

 

So I tried with the other Encryption Method called "AES-256". Sure enough, now Fortinet reported it as safe, presumably because it could not decrypt <https://www.virustotal.com/en/file/9ceccbe9f660b9be036fae4b7aa59194ebb8d6fd7b93c8d17847c4814f9406bc/analysis/1435695836/>

 

So, this raises 2 questions.

 

2.a. If Fortinet can decrypt ZipCrypto then I assume everyone can. And I assume every AV should, to maximally protect their users. But the others don't. Or is there something else here I can't see?

 

2.b. According to VirusTotal's binary yes/no reporting, all these AV programs report "Safe" for an encrypted, password-protected .zip file, presumably whatever it contains. Now I understand if you can't decrypt it, you can't analyze it, and perhaps if these AVs are running on your system they might report 'suspicious' or some other grey rating. And perhaps VirusTotal reports grey ratings as green check marks. I don't have any of these AVs installed so I can't test them right now.

Or, is the fact that, when password protected, the end user has to type in the password, and that means if it's malware, it can't auto-start, and THAT'S why these AVs say it's safe?

(Perhaps this post, although a reply, belongs more in 'Anti-Virus and Anti-Malware Software'?)
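As an added illustration of the filename observation above (this is not code from MM_john's post or from Remote Utilities), the example below parses a ZIP central directory, which the ZIP format never encrypts: every entry's name and its encryption mode (legacy ZipCrypto, or WinZip AES signalled by compression method 99 plus extra field 0x9901) are readable without any password, which is exactly what a scanner or a defender's triage script sees before deciding whether "safe" means anything. The three-entry archive is constructed in-line with placeholder names and empty payloads so it runs offline.

```python
import struct

# WinZip AES: pseudo method 99 + extra field 0x9901; legacy ZipCrypto: only flag bit 0 set.
AES_EXTRA_ID, AES_METHOD = 0x9901, 99
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def build_zip(entries):
    """Constructed minimal archive from (name, flags, method, extra); payloads omitted."""
    local, central, offset = b"", b"", 0
    for name, flags, method, extra in entries:
        n = name.encode()
        lfh = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                          0, 0, 0, 0, 0, len(n), len(extra)) + n + extra
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                               0, 0, 0, 0, 0, len(n), len(extra), 0, 0, 0, 0, offset) + n + extra
        local, offset = local + lfh, offset + len(lfh)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

def aes_strength(extra):
    """Find the 0x9901 extra field and map its strength byte to a key size."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID:   # layout: version(2) 'AE'(2) strength(1) method(2)
            return AES_STRENGTH.get(extra[pos + 8], "AES-unknown")
        pos += 4 + size
    return "AES-unknown"

def zip_entry_summary(data):
    """Read the central directory without a password: names and encryption mode are plaintext."""
    eocd = data.rfind(b"PK\x05\x06")
    count, _, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos, out = cd_off, []
    for _ in range(count):
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        mode = ("none" if not flags & 1 else
                aes_strength(extra) if method == AES_METHOD else "ZipCrypto")
        out.append((name, mode))
        pos += 46 + nlen + xlen + clen
    return out

# Constructed sample mirroring the post's three archives; no real executable inside.
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE = build_zip([("plain/agent.exe", 0, 8, b""), ("zipcrypto/agent.exe", 1, 8, b""),
                    ("aes/renamed.bin", 1, AES_METHOD, AES256_EXTRA)])
```

Running `zip_entry_summary(SAMPLE)` lists all three names with modes none, ZipCrypto and AES-256, so an archive's "Safe" verdict only ever covers what the scanner could read, never the encrypted payload.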
