Skype: A New Avenue for Old Tricks


In Web Threat Spotlight Issue 64, TrendLabs looks at a recent Skype spam campaign in which messages included a URL (masked by a shortened URL) that led to a new IM worm.

Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.

ISSUE NO. 64, MAY 24, 2010

Skype: A New Avenue of Old Tricks

URL shorteners are just one of the many technologies born in the Web 2.0 era. The kind of service they provide, that is, shortening URLs to a more compact and understandable form, has no doubt made information sharing a breeze for any Internet user. A Wikipedia entry cited a number of reasons why anyone should use this service, most of which are good. URL shortening was, after all, not designed to trick users into falling for malicious schemes, but cybercriminals still managed to turn them into tools of their trade.

The Threat Defined

Shortened URLs in Skype Point to New Worm

TrendLabs℠ engineers recently got wind of a new Skype spam campaign. The spammed message was reported to have come from the Skype users’ contacts. Each message sported the format “fotooo ha :P {random URL}.” In a spam sample TrendLabs engineers analyzed, one of the random URLs appeared as a TinyURL link from which a worm binary named slika.exe, aka WORM_PALEVO.AZA, could be downloaded.

WORM_PALEVO.AZA is an instant-messaging (IM) worm capable of connecting to remote servers in an attempt to contact its creator and receive commands. It can also download other possibly malicious files and terminate the Windows update service, wuauserv. Apart from affecting Skype users, the attack was also found to be capable of affecting Yahoo! Messenger users.

Figure 1. Sample Skype spam

Recycled Resource

Cybercriminals seem to be using Skype as their weapon of choice to distribute malware. Prior to this particular attack, the IM-and-VoIP-application-in-one was also used in another pump-and-dump attack just this February, following a list of older Skype-related attacks, including the following:

  • “New KOOBFACE Variant” Targets Skype
  • Trojan Targets Skype Users
  • Voice-Over-Net-AGE Phished!

The use of URL-shortening services is no longer new either; this April, TrendLabs also recovered binary samples taken from links in messages sent via Yahoo! Messenger and MSN that led to the download of WORM_BUZUS.AG and WORM_KOOBFACE.ZD.

User Risks and Exposure

An independent monitoring group recently hailed Skype as the most popular IM client compared with Tencent QQ, Windows Live Messenger, and Yahoo! Messenger. With 560 million registered users worldwide, it is not surprising that cybercriminals continue to leverage Skype to spread malicious files, not discounting the fact that the number of IM users is expected to steadily increase by 2 million each year from 2010 to 2013.

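
The campaign described above pairs one fixed lure text with a different shortened URL per message, sent from an infected account to its contacts, which suggests a fan-out check over IM gateway or chat logs. The sketch below is an added example, not part of the TrendLabs report; the log tuple layout, the thresholds and every shortener host other than TinyURL are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# tinyurl.com is the shortener named in the report; the other hosts are
# assumed additions for illustration.
SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd"}
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample log: (epoch seconds, sender, recipient, message text).
SAMPLE_LOG = [
    (1000, "alice", "bob",   "fotooo ha :P http://tinyurl.com/aaa111"),
    (1002, "alice", "carol", "fotooo ha :P http://tinyurl.com/bbb222"),
    (1003, "alice", "dave",  "fotooo ha :P http://tinyurl.com/ccc333"),
    (1010, "erin",  "bob",   "slides for monday http://tinyurl.com/ddd444"),
    (1500, "frank", "bob",   "lunch at noon?"),
    (1600, "frank", "carol", "lunch at noon?"),
]

def template(text):
    """Return (lower-cased text with each URL replaced by {URL}, URL hosts)."""
    hosts = [re.sub(r"^www\.", "", (urlparse(u).hostname or "").lower())
             for u in URL_RE.findall(text)]
    return URL_RE.sub("{URL}", text.lower()).strip(), hosts

def find_fanout(log, min_recipients=3, window=60):
    """Flag senders who push one message template, carrying a shortened URL,
    to at least min_recipients distinct contacts within window seconds."""
    groups = defaultdict(list)  # (sender, template) -> [(ts, recipient)]
    for ts, sender, recipient, text in log:
        tmpl, hosts = template(text)
        if any(h in SHORTENERS for h in hosts):
            groups[(sender, tmpl)].append((ts, recipient))
    alerts = []
    for (sender, tmpl), hits in groups.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {r for ts, r in hits[i:] if ts - start <= window}
            if len(seen) >= min_recipients:
                alerts.append((sender, tmpl, sorted(seen)))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_LOG):
        print(alert)
```

Because the URL is stripped before grouping, the check keys on the repeated lure text rather than on any single link, so it still fires when every message carries a different random URL.
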
There is no doubt that instant messengers have become part of every Internet user’s life as a means to interact with people all over the world. In fact, Skype and similar applications are no longer limited to personal use. They have become business tools, too.

Figure 2. WORM_PALEVO.AZA infection diagram

Just because an instant message comes from someone in your contact list does not mean you should let your guard down. Recipients of suspicious instant messages should still refrain from clicking links in messages, regardless of platform (e.g., email, instant message) or source (i.e., known or unknown), as doing so could lead to system infection.

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.

In this attack, Smart Protection Network protects Trend Micro product users by preventing access to malicious sites whose links appear in spammed instant messages via the email reputation service. File reputation service, on the other hand, detects and prevents the execution of the malicious files (WORM_PALEVO.AZA, WORM_BUZUS.AG, and WORM_KOOBFACE.ZD) on user systems.

The following post at the TrendLabs Malware Blog discusses this threat:

The virus reports are found here:

Other related posts are found here: