Is it safe to remotely connect to an infected machine via VNC or TeamViewer?

0

Since there has to be some data transfer between any two machines that have established a connection, is it truly “safe” to connect from a clean computer to an infected one using VNC or TeamViewer?

Benjamin R

Posted 2014-11-28T03:36:34.467

Reputation: 412

Answers

1

There are major differences between using VNC and using TeamViewer in this scenario. I will try to list some of them, and I hope someone can edit and add other points that I'll probably forget to mention. For those who only want the conclusion: using TeamViewer is safer, but not too safe.

Suggestion: I suggest booting from a live Linux distro USB, unmounting all HDD partitions, making sure you are NOT root, and then connecting to the other machine. This is the safest way, and it can defeat most malware.

TeamViewer is designed to put some transparency between clients connecting with each other (no local direct connection is established), plus it's well maintained by their team, who take safety as a big factor, I would say. On the other hand, VNC is designed to connect locally or remotely (which means it can be more dangerous when used locally).

TeamViewer also keeps live track of the files transferred between devices (by live I mean a pop-up window will be shown with details about the files), but when it comes to VNC, you have to go through some logs (if logging is enabled) to find any suspicious activity (good luck!).

From the TeamViewer support site (TeamViewer manual), if you read pages 21 to 23 you can get a better idea of the security file transfer implementation, logging of file transfer operations, etc.

Also, TeamViewer is designed on top of the VNC project; both are open source software, which can be a major factor from a security perspective (remember the hidden 20-year-old vulnerability found not so long ago in bash, also ~5 years in Windows, OpenSSL, etc.).

I think the major security advantage is that TeamViewer uses DynGate, which is a kind of firewall: it tunnels your connection through HTTP (or secure HTTP), and it doesn't require ports to be opened on the firewall. So on both points, if your system is secure, TeamViewer is a better solution.

I must say, in the end, the malware itself has to be designed to take advantage of a running service in order to infect your machine, so if the malware is sophisticated enough, neither the environment nor the service will matter. As an example of trying to take advantage of TeamViewer: let's say I am designing malware. What I would do is try to establish connections through QuickSupport mode, which hides pop-ups and in which all file system operations are allowed. But since you are establishing the connection to the infected machine, this approach won't work, because you will decide what mode you want to use with the remote machine, not my malware.

Ash

Posted 2014-11-28T03:36:34.467

Reputation: 133

When you say "transparency", do you mean a "transparent buffer"? Because the way you have used it in a sentence could mean a more direct and clear connection between the two machines, which is the opposite of what you mean in the rest of your answer :) – Benjamin R – 2014-11-28T15:59:44.320

When the term transparency is used, it means there is one or multiple points in between two points and they act like they don't exist; that's what I meant. Anyway, I searched a little more and I will edit my answer according to what I've read to make things accurate as soon as I can. – Ash – 2014-11-29T14:26:24.997

1

To the best of my knowledge, the only potential risk presented when connecting to an infected machine remotely would be if you are doing active file transfers between machines or open up some connection on your local VNC/TeamViewer machine that would allow the infected machine to actively act on your machine.

An edge risk is that—let’s say—your client machine has a similar vulnerability to the infected machine. And that vulnerability is network based… Then let’s say a port is open on your client machine, and the remote machine sees you connecting to their machine… It might start to probe your client machine for vulnerabilities and possibly act on them. But I would consider that an edge case based strictly on malware behavior and not some generic thing one would worry about.

So if you were truly worried and the infected machine is Windows, then I would recommend using a VNC client on a Linux or Mac OS X machine to connect to the remote machine. The difference in operating systems is enough to ensure nothing from the infected machine would magically “jump” to the non-infected VNC client you are using.

In general, I wouldn’t worry… Unless you need to do file transfers.

JakeGould

Posted 2014-11-28T03:36:34.467

Reputation: 38 217

Thanks for the tip about using alternating OS's as a safety 'membrane'. It would be great to hear from someone who could confirm this from technical experience, but otherwise I will mark it as answered if that isn't forthcoming. – Benjamin R – 2014-11-28T07:23:14.767

@BenjaminR Fair enough. But if you think about what VNC entails, there’s very little risk in how the protocol works/behaves. – JakeGould – 2014-11-28T07:25:26.450

Could you go into detail? – Benjamin R – 2014-11-28T07:43:40.073

@BenjaminR No detail needed. All VNC does is open up a protocol connection between the client and the remote machine to basically pass along the equivalent of screenshots as well as allow for keyboard and mouse control. That’s it. The only way malware could jump into your machine is if it is specifically designed to be a VNC-based piece of malware, but that is uncommon. For all intents and purposes, as long as the file system is not opened to writing on a connecting machine you should be safe. If others have more details I would like to hear them as well. – JakeGould – 2014-11-28T07:49:15.583
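
What a VNC client has to parse from the remote side, as an added example that is not part of the original thread: besides framebuffer updates, RFB (RFC 6143) defines a server-to-client clipboard message, so a client facing an untrusted server can bounds-check rectangles and discard remote clipboard text. `check_server_message`, `MAX_CUT_TEXT` and the sample byte strings are hypothetical names and constructed values; the sketch assumes a true-colour session using only Raw encoding.

```python
import struct

# RFB (RFC 6143) server-to-client types handled here; type 1
# (SetColourMapEntries) is rejected because true colour is assumed.
FB_UPDATE, BELL, SERVER_CUT_TEXT = 0, 2, 3
RAW_ENCODING = 0
MAX_CUT_TEXT = 4096  # assumed local policy cap, not an RFB constant

# Constructed sample messages (not captured traffic)
CUT_TEXT = bytes([3, 0, 0, 0]) + struct.pack(">I", 5) + b"hello"
GOOD_RECT = b"\x00\x00\x00\x01" + struct.pack(">HHHHi", 0, 0, 2, 1, 0) + bytes(8)
BAD_RECT = b"\x00\x00\x00\x01" + struct.pack(">HHHHi", 799, 0, 2, 1, 0) + bytes(8)


def check_server_message(buf, fb_w, fb_h, bytes_pp=4):
    """Return (action, consumed); raise ValueError to close the connection."""
    if not buf:
        raise ValueError("empty message")
    mtype = buf[0]
    if mtype == BELL:
        return "ignore", 1
    if mtype == SERVER_CUT_TEXT:
        # type, 3 padding bytes, U32 length, then the remote clipboard text
        if len(buf) < 8:
            raise ValueError("short ServerCutText header")
        (length,) = struct.unpack_from(">I", buf, 4)
        if length > MAX_CUT_TEXT or len(buf) < 8 + length:
            raise ValueError("ServerCutText length out of policy")
        return "drop", 8 + length  # never copy remote clipboard locally
    if mtype != FB_UPDATE:
        raise ValueError(f"unexpected message type {mtype}")
    if len(buf) < 4:
        raise ValueError("short FramebufferUpdate header")
    (nrects,) = struct.unpack_from(">H", buf, 2)
    off = 4
    for _ in range(nrects):
        if len(buf) < off + 12:
            raise ValueError("truncated rectangle header")
        x, y, w, h, enc = struct.unpack_from(">HHHHi", buf, off)
        off += 12
        if enc != RAW_ENCODING:
            raise ValueError(f"encoding {enc} not allowed by this sketch")
        if x + w > fb_w or y + h > fb_h:
            raise ValueError("rectangle outside negotiated framebuffer")
        off += w * h * bytes_pp  # Raw encoding: w*h pixels follow the header
        if off > len(buf):
            raise ValueError("pixel data shorter than rectangle claims")
    return "render", off
```
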