A Corelight webinar by Richard Bejtlich I attended this week required GoToMeeting, and GoToMeeting left me some unwanted and largely hidden applications that regularly beacon home.
I have been working on a combination endpoint/network tool for my Mac, and it spotted some strange GoToMeeting activity during the meeting, but even a day later I continued to see some unexpected GoToMeeting traffic.
Figure 1 shows what I initially saw when joining the Corelight webinar - GoToMeeting making a DNS query (label 1), and then making a large number of encrypted connections to numerous domains including cloudfront, fastly, and expertcity. GoToMeeting also made a few additional connections to ports 80, 8200, and 1853 (label 2).
After a little Internet digging, I discovered expertcity is associated with GoToMeeting and GoToMyPC, a remote access tool (RAT). I wonder if a security analyst watching this network traffic could distinguish between someone running GoToMeeting and someone, perhaps a hacker, remotely accessing a computer inside the enterprise via GoToMyPC?
While the webinar was going, I saw something trigger traceroute on my computer, which made a DNS request, presumably to start a trace of some type (see Figure 2, label 1).
Because my tool captures the full program path, I could tell this was Apple’s built-in traceroute (label 2). I could also see that the program that launched traceroute was GoToMeeting running out of the Applications folder (labels 3 and 4). For whatever reason, GoToMeeting was launching a network tool on my Mac to run some type of analysis.
After the webinar was done, the GoToMeeting application, which was running out of the /Applications folder, seems to have deleted itself. It was gone.
Or was it?
Today I noticed some DNS traffic generated by GoToMeeting software (see Figure 4, labels 1 and 5).
Again, taking advantage of the program's full path, I could see that the G2MUpdate program was running out of a folder in my home directory (labels 2, 3, and 4). Furthermore, because the program was launched with launchd, I took a look in the various launchd configuration directories, and I found the offending plist file (see Figure 4, label 3).
Label 1 shows the path that matches the program I saw running and initiating the DNS query. Label 2 shows that this program will launch every 3,660 seconds - or every 61 minutes.
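The check above (which program a launchd job runs, how often, and whether it lives under the home directory) is easy to automate. The following is an added example, not the author's tool and not any file shipped by GoToMeeting: it parses launchd property lists with Python's standard `plistlib`, reports the program path and `StartInterval`, and flags jobs whose program sits under the user's home directory. The embedded plist is constructed to resemble such an updater; its label, paths and interval are assumptions, not copied from the post.

```python
"""Audit launchd agents/daemons for periodic jobs that run code from a home directory.

Added example, not the author's tool and not a GoToMeeting file. The sample plist
below is constructed for illustration: its label, paths and interval are assumptions.
"""
import os
import plistlib
from pathlib import Path

# Directories launchd reads job definitions from. Per-user LaunchAgents is where an
# updater installed without admin rights usually lands.
LAUNCHD_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Constructed sample (assumed values): an updater under the user's home directory
# that launchd starts at login and then re-runs every 3,660 seconds.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/Application Support/ExampleApp/Updater</string>
    <string>--check-for-updates</string>
  </array>
  <key>StartInterval</key><integer>3660</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def describe_job(plist_bytes, home):
    """Summarise one launchd plist (XML or binary; plistlib autodetects).

    Returns a dict with the job label, the program it runs, the repeat interval in
    seconds and whole minutes (None if the job is not timer-driven), whether it
    also starts at load / is kept alive, and whether the program path is under
    `home`, which is the property that made the G2MUpdate job stand out.
    """
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    # launchd accepts either a bare Program key or argv-style ProgramArguments.
    program = job.get("Program") or (args[0] if args else None)
    interval = job.get("StartInterval")

    home_prefix = os.path.expanduser(home).rstrip("/") + "/"
    in_home = program is not None and os.path.expanduser(program).startswith(home_prefix)

    return {
        "label": job.get("Label"),
        "program": program,
        "arguments": args[1:],
        "interval_seconds": interval,
        "interval_minutes": (interval // 60) if isinstance(interval, int) else None,
        "runs_at_load": bool(job.get("RunAtLoad", False) or job.get("KeepAlive", False)),
        "in_home": in_home,
    }


def scan(dirs=LAUNCHD_DIRS, home=None):
    """Describe every *.plist in the given launchd directories that exist on this host."""
    home = home or os.path.expanduser("~")
    findings = []
    for d in dirs:
        directory = Path(os.path.expanduser(d))
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                findings.append((str(path), describe_job(path.read_bytes(), home)))
            except (plistlib.InvalidFileException, ValueError) as exc:
                findings.append((str(path), {"error": str(exc)}))
    return findings


if __name__ == "__main__":
    # Show the constructed sample, then whatever the real launchd directories contain.
    print("sample:", describe_job(SAMPLE_PLIST, "/Users/alice"))
    for path, info in scan():
        flag = "HOME-DIR" if info.get("in_home") else "        "
        print(flag, path, info.get("program"), info.get("interval_seconds"))
```

Run it as a normal user to list agents; rerun with `sudo` if you want the daemon directories to be readable. A job flagged `HOME-DIR` with a `StartInterval` is exactly the pattern in Figure 4: code outside /Applications that launchd wakes up on a timer. To stop such a job without deleting the plist, `launchctl unload` the file; to remove it, delete the plist and the program it points at.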
Furthermore, poking around this directory structure I discovered GoToMeeting currently has 4 versions of their application squirreled away underneath my home directory (see Figure 5).
So thanks GoToMeeting 😠 for hiding some unwanted code on my machine and occasionally waking up to see if it should download new versions of the software.