The Latest in IT Security

Shylock Not the Lone Threat Targeting Skype

22
Jan
2013

Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.

Reports of Shylock malware found on certain Skype messages was a hot topic last week. We looked into the related samples and based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins that include {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear Skype message history.

The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself in all removable drives. Similar to WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages containing an attachment, which is actually a copy of itself.

WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing the following details:

WORM_PESKY-A

We looked into the number of infections for WORM_PHORPIEX using Trend MicroT Smart Network ProtectionT feedback and found out that 83% of infected machines came from Japan.

worm_phorpiexjz_infectionbycountry

Skype is no stranger to web threats

Skype, unfortunately, is no stranger to worms. Last year, we blogged about certain messages containing links leading to DORKBOT variant. The malware (detected as WORM_DORKBOT.DN) allows a remote user to take control over the infected system, steal information, and may initiate distributed denial-of-service (DDoS) attacks. It can also download other malware onto the system, including click-fraud malware and the notorious ransomware.

These strings of threats aimed at Skype pose serious risks, not just for ordinary users, but also for small businesses benefiting from the platform. Last year, Skype announced its Skype in the Workspace (SITW), a site that caters particularly to small-scale businesses. Around 500 small businesses have already started using SITW since the site’s beta testing.  Furthermore, Microsoft is reportedly closing down Windows Messenger  on March 15, 2013 and recommends switching to Skype. As such, this poses risks especially to first-time Skype users and with DORKBOT and now, Shylock variants spreading via Skype, users and businesses alike should have a more security-conscious mindset when it comes to using Skype.

To stay safe, users must refrain from clicking links found in instant messages, specially those from unknown or unverified sources. Trend Micro protects users from this threat via Smart Protection NetworkT, which detects related malware if detected on a system.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments