With Skype expanding its reach with services designed for small businesses, and other messaging platforms such as Microsoft Windows Messenger shutting down, Skype is becoming an attractive target for malware writers.
Reports surfaced last week of the Shylock financial malware spreading on Skype and yesterday, researchers reported the discovery of more malware propagating on Skype.
Researchers found two worms, Bublik and Phorpiex, spreading mostly in Japan. Bublik is a backdoor with rootkit functionality. It opens a communication channel with a command and control server and downloads additional plug-ins. In this case, Trend Micro discovered the Kepsy worm, which helps Bublik spread over Skype and also clears Skype message history.
Bublik can enable remote access for an attacker, download and upload files to a C&C server, download additional plug-ins and monitor browser activity. It also gathers and reports application data, system and network information, hardware specs and running processes.
The Phorpiex worm, meanwhile, targets removable drives and spreads via Skype messages with links to sites hosting the worm. Trend Micro said Phorpiex connects to an IRC server and joins a particular IRC channel in order to execute commands from the attacker. It also downloads other malware onto the compromised system and sends itself out in email attachments. The worm will delete itself after it executes.
The worm adds particular registry entries to ensure it automatically executes at start-up; another entry enables it to bypass Windows Firewall detection.
It also downloads the Pesky worm; its lone purpose appears to be propagation. The worm sends a message over Skype when users chat that includes a link to the malware. Trend Micro said the worm does not have any information-stealing capabilities, or rootkit functionality.
With the availability of the Skype in the Workplace beta, a SMB-focused version of the platform, and Microsoft recommending Windows Messenger users move to Skype on March 15 when its platform disappears, these threats are likely to continue, researchers cautioned.
Users already are seeing a rash of threats moving on Skype. Shylock, dangerous banking malware that steals online banking credentials, is moving on Skype in Europe and the U.S. and is also banking on the downfall of Windows Messenger to snare victicms. Shylock initially spreads via drive-by downloads from compromised websites. Once it finds Skype on a victim machine, it sends links over chat to the contact list. A malicious plug-in enables the malware to send messages and transfer files, wipe out messaging history, bypass Skype warnings, and send requests to a third-party website, said CSIS in Denmark.
A Microsoft spokesman said in a statement that the company is actively blocking the Shylock malware used in this attack.
“We are currently helping protect customers by blocking the known malware documented as Backdoor:Win32/Capchaw.N, also known as Shylock. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites,” the company said.
Shylock, like most financial malware, is evolving its capabilities. Researchers from security company Trusteer reported in November that Shylock can also detect whether it’s being executed on a computer over remote desktop protocol (RDP). If it does detect the presence of RDP, which would normally indicate the malware is being scanned by a security researcher studying samples, Shylock will not install.
Shylock’s authors have always focused on adding capabilities to avoid detection. From the start, it has been able to delete files or registry keys it generates it uses for persistence if it senses human interaction. The malware will then restore those files and keys by hooking into the Windows shutdown routine so that it will execute again upon startup.