Skype Spyware Discovered
January 05, 2007
A worm targeting users of the popular VoIP telephone application Skype was
recently discovered in the APAC region, specifically Korea. According to
Websense, the worm uses Skype Chat to download and execute a file named
sp.exe. The file appears to drop a password-stealing Trojan with the worm
packed using NTKrnl Secure Suite, a rare, but not unknown, compression.
"The (sort of) good news is that no widespread outbreak has been reported
yet," said Paul Oliveria of Trend Micro. "That doesn't mean that Skype users
should just go ahead and click the links they receive while chatting,
though."
Since the spyware does not appear to exploit any flaws in Skype, user
intervention is required to send the link to an affected Skype user's
available contacts. An affected user is notified that a program is
attempting access and must acknowledge it. Therefore, users should not allow
suspicious programs to access Skype and should also avoid clicking on links
coming from unexpected sources.
Trend Micro currently detects the password-stealing component as TSPY_SKPE,
which is not the first malware/spyware to use Skype: last October
WORM_SKYPERISE.A
was detected.
"The difference is that this spyware already employs a more malicious
routine (information theft), compared to the October worm that only spreads
copies of itself to other users," said Oliveria.
Despite the fact that this worm's propagation technique is common, VoIP is
obviously becoming a good prospect as a new malware vector into which
malicious authors can sink their teeth. Additionally, the password-stealing
routine, polymorphic compression to avoid easy detection, and a specific
country of origin indicate that this is a localized/targeted attack geared
for profit.
Trend Micro already detects this spyware using the latest pattern file.
Based on the manual removal instructions, affected users can simply delete
the detected file and remove the registry entry it creates.
The Trojan spyware is hosted by a malicious Web site. A link to the site is
sent to Skype contacts via the Chat feature, urging users to click on it. It
may use a form of social engineering by posing as a "cool program". As of
this writing the site is already unavailable.
Initial analysis of the sample received by the Service Team reveals that
this spyware is a typical keylogger; logging user keystrokes and saving the
gathered data in a text file. This routine may grant malicious users, which
may include remote hackers, unauthorized access to an affected user's Skype
account, possibly online banking accounts, and more.
Because the Service Team has received only two submissions so far, Trend
Micro believes this is an isolated incident.
"According to our AV Engineers, the few case submissions are partly because
our products real-time scanning feature already detects and removes this
spyware," said Oliveria. "Whether this is also an indication that Skype
users are smart enough to NOT click the suspicious link, or that malware
authors are simply testing the waters, I'm not sure.
It is likely that we will see additional VoIP threats in the future. After
all, Vishing (phishing over VoIP) is already making rounds over the
Internet. And Wikipedia includes an entry
(http://en.wikipedia.org/wiki/VoIP_spam) for "an as-yet-nonexistent problem"
of VoIP spam, called SPIT (Spam over Internet Telephony). Expect similar, if
not more sophisticated, VoIP threats to come along.
http://newsletters.trendmicro.com/servlet/cc5?lgLQSCTTQUVJplpFLgxiHgHMhgLlQnjVaVW
