CSIS first warned of a new variant of the Shylock Trojan using Skype to spread thanks to its creators updating it with a plugin named “msg.gsm.”
Shylock typically spreads via drive-by-downloads, phishing emails, and removable drives attached to infected systems, but the new addition provided another infection method as it gave the Trojan the ability to abuse Skype’s chat feature to send messages containing links to malicious websites serving the malware.
Other functionality granted by msg.gsm includes sending IMs and transferring files, clearing chat and file transfer history, bypassing Skype’s connection warning/restrictions, and sending requests to a remote server.
That’s only a fragment of what Shylock is capable of, though. Shylock can allow an attacker to perform a number of activities on an infected system, such as injecting malicious code into web pages, stealing cookies, downloading and executing files, and more.
Thankfully, Microsoft has stated that they have managed to completely block Shylock (Microsoft detects it as Backdoor:Win32/Capchaw.N) on Skype, but the company still encourages users to avoid opening links from untrusted sources or visiting untrusted websites.
For those of you who may be concerned that you got hit with the threat prior to it being blocked, Microsoft suggests you watch out for the following symptoms:
- The presence of messages or files in your Skype conversation history that you do not recall writing or transferring
- Your Skype conversation history is empty
- You do not receive alerts or warnings from Skype, where previously you did so
Shylock is known for its advanced detection evasion techniques, so do what you can to prevent an infection (tips below).
Upon infection, Phorpiex will modify the system registry to bypass any firewalls and start whenever Windows does, open a backdoor by connecting to a specific IRC chat server and joining the channel #go, send emails with malicious attachments containing a copy of itself, spread to accessible removable drives, and download additional malware, including a plugin appropriately named WORM_PESKY.A (“Pesky”) that will send out Skype messages reading:
Those of you who have read our guide on how to spot a dangerous image link will be able to tell that this link is not what it seems.
Pesky doesn’t do much else beyond spam people with malicious chat messages; Phorpiex is the main threat here.
Protecting Your PC
So, now that you know what you’re up against, what can you do to protect your computer?
- Avoid clicking on suspicious links, regardless of where they come from. Both threats abuse Skype to send IMs, so the malicious link can come from one of your contacts if their machine has been infected.
- Do not download or open files that come from unknown or untrusted sources.
- Keep your operating system and installed third-party software fully patched and up-to-date to minimize the chances of a successful drive-by-download attack.
- Always run antivirus software and keep the virus definitions current.
- Use a Windows user account with limited privileges (i.e., no permission to install software).
What to Do if Your System is Infected
Already have the misfortune of encountering one of these threats?
For Phorpiex, users can use antivirus solutions by TrendMicro, Microsoft, ESET or Ikarus to detect and remove it.