Malware Writers Exploit Skype Hype

Skype's popularity rose to a whole new level when eBay (Nasdaq: EBAY) purchased the VoIP provider last month. Now, the free Internet telephony service has become the victim of a spoof campaign designed to infect users with an IRCbot Trojan.

Messaging security and management services provider MessageLabs yesterday said it has detected and blocked more than 800 copies of a new variant of the IRCbot (a.k.a. Fanbot) Trojan, which is now being distributed via e-mail disguised as Skype version 1.4, which was released a week ago.

"This latest spear phishing attack, where Skype users are being targeted by an e-mail that appears to come from Skype, is the first case that we've seen that specifically mentions Skype," said Maksym Schipka, a senior antivirus researcher at MessageLabs.

Schipka said this is another clear example of how malware writers are quickly exploiting newly identified security holes, as we saw with the Zotob attack, and now, new releases of popular software applications, in order to try and spread their malicious payloads.

IRCbot in Action

The Trojan typically arrives in an e-mail with a subject line that reads: "Hello. We're Skype and we've got something we would like to share with...; Share Skype.; Skype for Windows 1.4; Skype for Windows 1.4 - Have you got the new Skype?; What is Skype?"

The body text of the bogus e-mail explains that Skype is a free service that allows its subscribers to talk over the Internet for free and touts its high quality in true Skype marketing style. The fake e-mail even mentions Skype's new personalized features, like ringtones. Finally, the e-mail invites recipients to download an attached document for further details.

When executed, MessageLabs said the attached malware program displays a fake "installation error" box while, in fact, it is installing itself as %sysdir%\remote.exe, altering the registry and shutting down shared access and Windows update services.

It then tries to connect to either an IRC server named, 'jojogirl.3322.org' (channel name #Phantom) or smallphantom.meibu.com, but fails.

Social Engineering 101

Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld that in fact, Skype has been the focus of his research recently because of its growing popularity. He is not surprised that the brand would be targeted as a vehicle for Trojans.

"Ultimately, from a social engineering perspective we've always known that it's a Trojan's world. Peer-to-peer type applications are not going to see a huge amount of worms," Dunham said. "That's where you will see executables infected with some kind of Trojan, spyware, or something else you didn't realize was part of the application."

Dunham said we can expect more of this type of attack through known brands, free pornography offers, or other tempting e-mails that play on the recipient's likes or needs. Much like junk snail mail, these too-good-to-be-true offers are typically just that -- too good to be true.

The E-Trump Card

Dunham said when it comes to getting hooks in naive or unsuspecting customers, e-mail trumps traditional junk mail by far because of its widespread distribution and the available assets that are tied to a person's identity. What's more, he said personal information is exploitable at a much higher level online.

"It's easier to commit fraud through e-mail than traditional junk mail because e-mail is anonymous. It's more difficult for people to see what's real and not real," Dunham said. "E-mail fraud is actually a very low cost and low risk for hackers."