Undetected Threats: LogMeIn

Bogdan Bot-Rus on August 26, 2009

LogMeIn is a graphical desktop sharing system. After installing LogMeIn on a Windows machine (the host), users can control the desktop of that machine from virtually anywhere via:

Any web browser (ActiveX add-on, Java plugin client, Firefox plugin)
Windows or iPhone or BlackBerry Storm application (LogMeIn Ignition)

Product Name	Similar Products	Price	Advantages
LogMeIn Free	Remote Desktop Services (formerly known as Terminal Services) Virtual Network Computing (VNC)	Free	Is not detected by firewalls, Intrusion Detection Systems, network security scanners.Allows connecting from anywhere on the internet to machines without routable IP addresses.

How can I detect and/or filter LogMeIn Network Traffic?

The machine where LogMeIn is installed initiates and maintains a constant HTTPS connection to the LogMeIn, Inc servers; the firewalls treat this as an outgoing connection as if a user is navigating to an HTTPS site.

Below is a Wireshark capture of the network traffic to and from the LogMeIn application installed on the host computer.

<localhost> 35641 <DNSServer> 53 DNS Standard query A secure.logmein.com

<DNSServer> 53 <localhost> 35641 DNS Standard query response CNAME secure.logmein.com.akadns.net A 77.242.192.193

<localhost> 2474 77.242.192.193 80 TCP 2474 > http [SYN]

77.242.192.193 80 <localhost> 2474 TCP http > 2474 [SYN, ACK]

<localhost> 2474 77.242.192.193 80 TCP 2474 > http [ACK]

<localhost> 2474 77.242.192.193 80 TCP [TCP segment of a reassembled PDU]

<localhost> 53211 <DNSServer> 53 DNS Standard query A control.app105.logmein.com

<DNSServer> 53 <localhost> 53211 DNS Standard query response CNAME app105.logmein.com A 77.242.193.145

<localhost> 2475 77.242.193.145 443 TCP 2475 > https [SYN]

77.242.193.145 443 <localhost> 2475 TCP https > 2475 [SYN, ACK]

The above capture shows all of the types of traffic done by the LogMeIn application. The application connects via HTTP to secure.logmein.com to and receives a web page that contains the host name of a LogMeIn gateway. Then, the application connects via HTTPS to the received host name.

In order to detect LogMeIn applications in your network, monitor network traffic to *.logmein.com domain.

In order to block LogMeIn applications, make the DNS lookup not work correctly for *.logmein.com domain or block network traffic to and from *.logmein.com domain.

How can I detect LogMeIn using GFI LANguard 9?

From the GFI LANguard Scanning Profiles Editor select the current profile and add the application named “LogMeIn” as shown in the screen shot below.

After changing the scanning profile, perform a security scan using that profile. A high security vulnerability warning will be generated.

About the Author: Bogdan Bot-Rus

8 Comments

HandyAndy August 26, 2009 at 2:29 pm
This is good info for folks that want to block LMI, but there are a lot of us that use it in our day to day business, it is a great tool. Please do not go so far as to identify it as maleware, as some other vendors do; who I will not name but a yellow box comes to mind.
Thank You,
ha
BogdanB August 27, 2009 at 12:10 pm
Hi Andy,
LogMeIn provides some of the functionality that admins have been using SSH for (and they have been using SSH for decades now).
Similar to a SSH server, LogMeIn definitely cannot be considered as malware out of the box as it has very legitimate uses. Unfortunately what is happening is that LMI could be installed without the administrators’ knowledge or consent. That automatically increments the risks associated with the network.
So I would say I agree with you as long as a balanced approach is taken and admins remain in control on what is installed on their network and what is not…
Thanks,
Bogdan
Bernard August 28, 2009 at 10:08 am
this is definitely not malware! I use it on a day to day basis to remotely administer client’s pcs, and it saves heaps of time both on site and on the road, and there are millions like me, so please do not label it as malware! it is both password protected, over a secure connection, and we good people pay to use it to administer systems remotely ovet the net without all the garbage required by some other sollutions (god forbid, do not even think about setting remote desktop services!!)
thanks
Emmanuel Carabott August 31, 2009 at 11:09 am
LogMeIn is not malware and that’s not what the author was claiming. LogMeIn has a legitimate use and a not so legitimate one. Its legitimate use is okay and no one is arguing against that. However consider the following scenario – Policy and mechanism are in place to protect your internal company network; employees cannot access the internal network from outside, until one employee installs logmein or any such service on his personal machine at work (it doesn’t neccessarily have to be malicious, he could have done it in good faith to be more productive); however, his home machine which has fewer security mechanisms in place is compromised, a keylogger is installed and login and password to that logmein account are recorded by an attacker, who can now use that logmein to penetrate into your internal network and most likely get access to valuable information.
Mind you, I am not saying that no one should use Logmein. Logmein has a number of security procedures in place, such as to restrict access to a specific IP and to notify people by email as to when a successful/failed login occurs. However if an employee installs this on his machine without administrator knowledge then it’s quite possible that none of these features are available. Whoever installs it might not have security knowledge and this can put your network at risk.
This service, and others like it, is a conduit that goes right through the perimeter. I agree that this service is not malware; however, I agree with Bogdan Bot that this is something that administrators should keep a look out for when it crops up in their network without their knowledge/authorization. It is important that such services, when in use, have their own monitoring in place and this cannot occur if the Administrator doesn’t know about its use on his network in the first place – that’s where the above article is valuable.
Keith September 10, 2009 at 8:53 pm
LogMeIn has great potential for abuse. We had to fire an employee last year who was cheating on his time by using LogMeIn to log in to our web-based time and attendance system from home. The time clock will only accept connections from our corporate gateway address, and he was logging into his work computer from home to get around this. We caught him when he was arrested on an outstanding traffic warrant on the way to work one morning, but the time clock showed him punched in at 8 AM. For this reason we want to at least be able to monitor LogMeIn connections to internal IP addresses.
john February 4, 2010 at 3:49 am
my girlfriend installed logmein and now she has access to my computer. i have decided i don’t want anyone to have access to my computer. how do i block her ability to log on to my laptop.
Emmanuel Carabott July 21, 2010 at 5:12 pm
It’s probably a bit late now (sorry John); however, just uninstall LogMeIn client which you can do by accessing the Add/Remove program section of your control panel (if you’re using XP or program and features in later).
Logmein is just one option though there are other software that allow you to connect to a remote computer such as VNC, Remote Desktop, PC anywhere and others.
A personal firewall might help by blocking and alerting you of connection attempts.
Terry Bates December 22, 2010 at 4:29 pm
Until last night I would agree with most of you all. I am a computer tech, not an engineer nor programmer. But I am trained in troubleshooting computers and have worked on them for over 30 years. I am serious about it being 30 years. My first computer was a Texas Instrument TI 99/4A – Then on to Atari 6502C cpu based computers, ran a 300 baud BBS before anyone I knew had heard of the internet.
Ok, well, after saying all of that stuff I just wanted to go on the record that I installed logmein.com – the free trial version just two days ago on my girlfriends and my computer so I could operate my computer from her house and share my frustrations from what happened afterward. I had used logmein many times in the past with no security problems at all…..I liked log me in a lot, I used the free version many times off and on over this decade with no negative issues at all. Please read on…
Because of serious medical problems the only money I really ever make is repairing computers out of the house, but it’s not much money at all, there is very little business traffic out here in the sticks. I have 4.5 terabytes online with two TB more on the way.
Because of all the viruses I remove from other customer’s computers I know all too well what anti-virus programs work and don’t, and I have a lot of security on my computer of all types, even though I have nothing of interest for a hacker, no credit card info, just some passwords to music sites and such. But still, I do not like the idea of running a Zombie computer sending out porn and prescription med spam out to a billion people every day without me knowing about it! I take many precautions on my home computers, some say it’s over kill. I wont go into details of all the names and types of programs I use, but I normally run a very tight ship…..
So last night I log into my computer from my gal’s brand new computer and I noticed my antivirus settings had been changed. In fact, instead of scanning every day, it had not scanned in a couple days. Furthermore I re-set my antivirus to the settings I wanted and did a full scan remotely asp.. I surfed for maybe ten minutes and went to look at my anti virus scanner at home. Mind you, within one hour of installing Logmein.com BOTH computers at play were free of any virus and spyware, clean as any PC could be. Within about 48 hours I suddenly discover almost 50 High level Viruses!!! I found alerts of every kind of Virus and Maleware in the world, and my scan was only at 20% complete!!!
All I could do was to remotely take my computer offline right then and there, and right now I am thinking about all of the work I know I will need to do to clean my system back up. Not fun. At the rate the scanner was picking them up I surely have hundreds of all sorts of viruses and they just HAPPENED to of emerged within hours of me installing logmein.com on two CLEAN computers with heavy security on both of them. Now what would YOU think caused my problem? It’s difficult for me not to wonder somewhat.
I am NOT blaming logmein.com, but as I type this, THIS antivirus at my gal’s house is now going off like a cheap radar detector in a city full of motion detectors. So BOTH computers just happened to of caught hundreds of computer viruses within hours of installing and using logmenin.com. I do not know what caused this, I am shocked either computer can be turned on with such payload damage! Web-cams turning on, likely the mic too- I am very upset and I really wish I had not installed logmein.com, and I trusted them 100% until this happen. I used random made up passwords, and protected my computer with not one, but TWO random passwords made up of letters, numbers, some letters in caps and some letters small. Very unlikely anyone guessed my passwords because they were not even words.
To be Fair, and clear about this matter:
I am NOT blaming logmein for what happened, I have no proof, no evidence of any sort. Most likely I slipped up with my computer security programs, or websites infected it. But the TIMING is something I must keep in mind as I go down this road of trying to clean almost 5 Terabytes of data. So, just a heads up. Likely it was user error- me. I just thought I should mention this, that’s all. I hope you kind folks can understand why I felt the need to post this here. I may never known what started this, but I sure have a mess on my hands right now.
I wish you all a Merry Christmas and Happy Holidays. It appears we will have a white Christmas here in Kentucky, and that is rare for us.
Peace.

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.