Skype malware spreading quickly: Trend Micro Report
New Delhi, India, 23rd October 2012: A recent Trend Micro Report on ‘Skype Messages Spreading DORKBOT Variants’ has set the alarm bells ringing in the digital world. A type of malware called Dorkbot is duping Skype users into clicking on a link, which directs them to download a file which includes the malware. The worm asks users of the video-calling service, “lol is this your new profile pic?” in both English and German.
Once users click on the link, infected computers steal log-in and password information and use it to access various websites. The malware also further spreads itself by contacting the Skype user’s contacts with the same “profile pic” message Trend Micro product users are actively protected from DORKBOT malware used in these attacks.
As Rik Ferguson had reported earlier, users are facing more waves of Skype spammed messages. These attacks are being used to distribute various threats, including ransomware and infostealers. The attacks that arrive in the form of Skype messages ask if the user has a new profile picture.
The link (which includes the user name of the recipient) goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the DORKBOT malware family, which is detected as WORM_DORKBOT.DN.
This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft form various websites (including pornographic sites, social media, file lockers, and financial services), and launching distributed denial-of-service (DDOS) attacks. The behavior that a user may see can vary significantly. It also has the capability to download other malware depending on the link provided by the C&C servers, including ransomware and click fraud malware.
To spread via Skype, it downloads a separate component (detected as WORM_DORKBOT.IF). This component sends the same message to people in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message, lol is this your new profile pic in a language depending on the user’s geolocation.
As Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.
We’re currently monitoring this threat. We’ll update this blog entry with more details as they become available. The number of blocked and detected files associated with this attack has increased. From 2,800 files recorded on October 9, the total number of blocked and detected files is now at 6,800. Trend Micro product users are actively protected from DORKBOT malware used in these attacks.