Malware Abuses Skype Chat to Spread Once More

SkypeSkype users should exercise caution when clicking links shared via chat as there has been an influx in malware using Skype in order to propagate.

Shylock Trojan

CSIS first warned of a new variant of the Shylock Trojan using Skype to spread thanks to its creators updating it with a plugin named “msg.gsm.”

Shylock typically spreads via drive-by-downloads, phishing emails, and removable drives attached to infected systems, but the new addition provided another infection method as it gave the Trojan the ability to abuse Skype’s chat feature to send messages containing links to malicious websites serving the malware.

Other functionality granted by msg.gsm includes sending IMs and transferring files, clearing chat and file transfer history, bypassing Skype’s connection warning/restrictions, and sending requests to a remote server.

That’s only a fragment of what Shylock is capable of, though. Shylock can allow attacker to perform a number of activities on an infected system, like inject malicious code into web pages, steal cookies, download and execute files, and more.

Thankfully, Microsoft has stated that they have managed to completely block Shylock (Microsoft detects it as Backdoor:Win32/Capchaw.N) on Skype, but the company still encourages users to avoid opening links from untrusted sources or visiting untrusted websites.

For those of you who may be concerned that you got hit with the threat prior to it being blocked, Microsoft suggests you watch out for the following symptoms:

  • The presence of messages or files in your Skype conversation history that you do not recall writing or transferring
  • Your Skype conversation history is empty
  • You do not receive alerts or warnings from Skype, where previously you did so

Shylock is known for its advanced detection evasion techniques, so do what you can to prevent an infection (tips below).

Phorpiex Worm

Even if you do manage to avoid Shylock, you still have to worry about WORM_PHORPIEX.JZ, which TrendMicro says is also abusing Skype chat to spread.

Upon infection, Phorpiex will modify the system registry to bypass any firewalls and start whenever Windows does, open a backdoor by connecting to a specific IRC chat server and join the channel #go, send emails with malicious attachments containing a copy of itself, spread to accessible removable drives and download additional malware including a plugin appropriately named WORM_PESKY.A (“Pesky”) that will send out Skype messages reading:

LOL http://www.[REMOVED]x.uk.com/images/php?id=IMG0540250.JPG

Those of you who have read our guide on how to spot a dangerous image link will be able to tell that this link is not what it seems.

Pesky doesn’t do much else beyond spam people with malicious chat messages; Phorpiex is the main threat here.

Protecting Your PC

So, now that you know what you’re up against, what can you do to protect your computer?

  • Avoid clicking on suspicious links, regardless of where they come from. Both threats abuse Skype to send IMs, so the malicious link can come from one of your contacts if their machine has been infected.
  • Do not download or open files that come from unknown or untrusted sources.
  • Keep your operating system and installed third-party software fully patched and up-to-date to minimize the chances of a successful drive-by-download attack.
  • Always run antivirus software and keep the virus definitions current.
  • Use a Windows user account with limited privileges (i.e. no permission to install software).

What to Do if Your System is Infected

Already have the misfortune of encountering one of these threats?

For Shylock, Microsoft’s Threat Center states you can use Microsoft Security Essentials (or Windows Defender for Windows 8) to detected and remove it.

For Phorpiex, users can use antivirus solutions by TrendMicro, Microsoft, ESET or Ikarus to detect and remove it.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

This entry was posted in Computer Security, internet scam, malware, phishing, spam and tagged , , , , .
Follow any comments here with the RSS feed for this post. Trackbacks are closed, but you can post a comment.

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5