For many years we have been a customer of GoToAssist from Citrix (now LogMeIn) as a reliable method of providing remote support where it's needed with the minimum of effort. The end-user client can be downloaded from fastsupport.com on Windows and Mac (no Linux support at present) and a simple 9-digit key connects the client to our support team. Because GoToAssist uses HTTP channels for the connection, it can operate through most firewalls and proxies without special considerations, which puts it ahead of other point-to-point remote control tools. You can even remotely support users and servers from an iPad with a well-implemented app. You can get a 30-day trial on the GoToAssist website.
For unattended machines such as servers or regular clients you can set up 'Unattended Support', which will allow you to remotely connect to a machine without the client having to do anything. Over the last few months we've intermittently noticed machines on our 'unattended' list that we don't recognise, but as there are several people who use it regularly I had reasonably assumed it was one of my colleagues.
Today I noticed three new Unattended hosts.
I took the time to ask around who had created these and, to my surprise, no one had any idea. Clicking on one of them established a remote session with a machine at a site that we knew nothing about and didn't set up. Moments later the workstation was unlocked and we were given desktop access. We immediately terminated this connection and contacted GoToAssist for support. Despite their support line dropping our calls and their community forum preventing us from posting, they did get back to us quickly and conducted an investigation.
LogMeIn, who took over GoToAssist, identified that some of the workstations we were seeing on our account were in fact linked to our account, and they went a step further to identify that the unique code used to identify each account was in fact ours. Further research identified that our copy of the GoToAssist unattended installer had been downloaded from our support site and that same copy had been installed on this client's machine.
Using this installer will silently set up unattended support on the client's machine and link that back to our account. Whilst this download is rarely used by us, and only in circumstances where a browser is unable to work correctly, such as old Windows 2003 servers with IE6 etc., the file had been downloaded 266 times. So let's consider the risks here.
Firstly, having an unattended installer which installs silently and without any user interaction is a good thing; it means we can, in a worst-case scenario, use SMB to push the file onto a server and then persuade that file to be executed under the system or administrator context using the task scheduler, registry or by replacing a Windows file and forcing a reboot. We can also distribute and auto-install unattended support on a corporate network by using a logon script to pull it from a server and execute it as part of the logon process, and again the user doesn't get a choice. The unattended support installer does create a Start menu item, but there's no 'uninstall' in there, just the program, so clients who have the Control Panel restricted can't subsequently uninstall it without permission.
So how did we get machines on our account from the other side of the world? Well, that's simple: they downloaded the GoToAssist client from our website and installed it. Even more bizarre is that they then proceeded to enter their login credentials into the unattended client using the notification icon. Hold that thought and instead let's consider that someone less honest was to seed the internet with their installer and, instead of "The GoToAssist client for receiving remote support from us", they linked it from something like "Get GoToAssist remote for FREE" or "30 day free trial of GoToAssist"; then those users would be opening their PC up to whoever without realising it, and that might not end well. The unattended client does have a notification icon on Windows (nothing on Mac), but using the registry, PowerShell or some VBScript that can be hidden as part of the install, making it invisible to the end user.
But taking a step back for one moment, the technical scope for abuse is about the same for GoToAssist as it is for any other remote control solution, with the difference being that GoToAssist can pull the plug on any account they suspect is involved in abuse, whereas some of the other products that are point-to-point don't have that safeguard. If you really want to stop GoToAssist, TeamViewer, Radmin, VNC, and the rest, then specifically block them at your firewall and the risk is gone. If you want to monitor their use, then your firewall or proxy logs are your friend.
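As an added example (not part of the original post), here is one way to pull remote-support traffic out of proxy logs and list the clients that are not expected to generate it. It assumes Squid's native access.log layout; only fastsupport.com comes from the post, while the other watched domains, the approved-client list and the sample log lines are constructed assumptions to replace with your own.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# fastsupport.com is named in the post; the other suffixes are assumptions
# and should be replaced with the domains each vendor publishes.
WATCHED_SUFFIXES = ("fastsupport.com", "gotoassist.com", "teamviewer.com")
# Hypothetical allow-list: workstations of the support team.
APPROVED_CLIENTS = {"10.0.0.21"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101 312 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT www.fastsupport.com:443 - HIER_DIRECT/203.0.113.10 -
1700000050.450 120 10.0.4.77 TCP_MISS/200 20480 GET http://www.fastsupport.com/download - HIER_DIRECT/203.0.113.10 application/octet-stream
1700000060.000 95 10.0.4.77 TCP_TUNNEL/200 880 CONNECT www.gotoassist.com:443 - HIER_DIRECT/203.0.113.11 -
1700000070.200 40 10.0.4.90 TCP_MISS/200 1500 GET http://notfastsupport.com.example.net/ - HIER_DIRECT/198.51.100.5 text/html
1700000080.900 10 10.0.4.91 TCP_DENIED/403 0 CONNECT www.teamviewer.com:443 - HIER_NONE/- -
truncated line
"""

def host_of(method, target):
    """Return the lower-cased hostname from a CONNECT target or a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def is_watched(host):
    """Match on a label boundary so look-alike hosts do not count."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def remote_tool_hits(log_text):
    """Map client IP -> set of watched hosts it requested (denied ones too)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, method, target = fields[2], fields[5], fields[6]
        host = host_of(method, target)
        if is_watched(host):
            hits[client].add(host)
    return dict(hits)

def unapproved(hits):
    """Clients that touched a remote-support service without being approved."""
    return sorted(c for c in hits if c not in APPROVED_CLIENTS)

if __name__ == "__main__":
    for client in unapproved(remote_tool_hits(SAMPLE_LOG)):
        print(client)
```

Requests the proxy denied are counted as well, since a blocked attempt still shows that a remote-support client is present on that machine.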
This has been a voyage of discovery for us, with end users again doing the unexpected and causing chaos and confusion. We've pulled the downloads from our support site now and will look at a more selective method of file distribution going forward. If I were to make a product enhancement suggestion to LogMeIn then it would be to add the IP address, the method of install and whether credentials were stored to the unattended machines window. Having the IP address would let us track down poorly named or unknown clients quickly, and knowing that it was installed within a GoToAssist session or via a downloaded installer would further clarify the situation. Knowing if credentials were stored would save time in having to establish a connection, find they are not, then disconnect, look up the credentials and reconnect. These are only suggestions and not complaints.