Malware Spreads through Skype

Monday, January 21, 2013 @ 04:01 PM gHale

A new version of the Shylock malware is spreading through Skype, and it is playing off the fact that Microsoft is about to retire its Messenger application in favor of Skype.

The new version of Shylock has a number of new capabilities, but its goal is the same: stealing sensitive financial data from infected machines. Shylock has been around for more than a year, and researchers have watched it morph and adapt its tactics over the last few months. Like other banking Trojans, the malware looks to steal credentials for online banking sites and also has the ability to perform code-injection attacks.


One recent change to Shylock’s capabilities was the addition of a feature that can detect whether the machine it is running on is being accessed remotely over the RDP protocol. That is a setup malware analysts and researchers commonly use to observe the behavior of malware.

The newest addition to Shylock’s arsenal is its ability to spread via Skype instant messages. An analysis by researchers at CSIS in Denmark shows the newest version of the malware includes a plug-in named “msg.gsm” that uses the chat function in Skype in order to spread to new machines. The malware relies on a network of infected Web sites to perform drive-by download attacks as the initial infection vector, and once it is resident on a new machine and finds the Skype application, it then sends malicious links to the victim’s contacts through the chat function.

“The Skype replication is implemented with a plug-in called ‘msg.gsm’. This plug-in allows the code to spread through Skype and adds the following functionality:
• Sending messages and transferring files
• Clean messages and transfers from Skype history (using SQLite access to Skype%smain.db)
• Bypass Skype warning/restriction for connecting to Skype (using ‘findwindow’ and ‘postmessage’)
• Sends request to server: https://a[removed]…,” according to the CSIS analysis.
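From the defender’s side, the two behaviors CSIS describes above (the same link pushed to many contacts through the chat function, and the malware’s own messages then scrubbed from the local history database) leave traces a responder can look for in a copy of the Skype history. The following Python script is an added example, not code from the article or from CSIS: it runs two heuristics over a constructed, in-memory SQLite table shaped like Skype’s main.db message store. The table name and column names (Messages, id, author, chatname, timestamp, body_xml) and every sample row are assumptions built for the example; on a real database the same queries would run against the copied main.db file.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample rows. The schema mimics Skype's main.db "Messages" table,
# but the table and column names here are an assumption for this example.
# Row id 6 is deliberately absent to model a message scrubbed from history.
SAMPLE_MESSAGES = [
    # (id, author, chatname, timestamp, body_xml)
    (1, "alice", "#alice/$bob;1",   1358787600, "hey, are you coming tonight?"),
    (2, "alice", "#alice/$bob;1",   1358787660, "lol is this you? http://example.invalid/pic.php?=abc"),
    (3, "alice", "#alice/$carol;2", 1358787662, "lol is this you? http://example.invalid/pic.php?=abc"),
    (4, "alice", "#alice/$dave;3",  1358787664, "lol is this you? http://example.invalid/pic.php?=abc"),
    (5, "alice", "#alice/$erin;4",  1358787667, "lol is this you? http://example.invalid/pic.php?=abc"),
    (7, "bob",   "#alice/$bob;1",   1358787700, "what? I did not send you anything"),
    (8, "alice", "#alice/$frank;5", 1358791200, "here is the doc I promised http://example.invalid/report.pdf"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, "
        "chatname TEXT, timestamp INTEGER, body_xml TEXT)"
    )
    conn.executemany("INSERT INTO Messages VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def find_link_bursts(conn, local_user, window_seconds=60, min_recipients=3):
    """Flag URLs the local account sent to many distinct chats in a short window.

    Returns a list of (url, sorted_chatnames). A human sends one link to one or
    two people; worm-style replication fans the same link out to many contacts
    within seconds, which is what this sliding window looks for.
    """
    rows = conn.execute(
        "SELECT chatname, timestamp, body_xml FROM Messages "
        "WHERE author = ? ORDER BY timestamp",
        (local_user,),
    ).fetchall()

    sends_by_url = defaultdict(list)  # url -> [(timestamp, chatname), ...]
    for chatname, ts, body in rows:
        for url in URL_RE.findall(body or ""):
            sends_by_url[url].append((ts, chatname))

    hits = []
    for url, events in sends_by_url.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            chats = {chat for _, chat in events[start:end + 1]}
            if len(chats) > len(best):
                best = chats
        if len(best) >= min_recipients:
            hits.append((url, sorted(best)))
    return hits


def find_id_gaps(conn):
    """Return message ids missing from an otherwise contiguous id sequence.

    Rows removed from the history leave holes in the primary-key sequence; a
    cluster of holes right around a suspicious time is worth a closer look.
    """
    ids = [row[0] for row in conn.execute("SELECT id FROM Messages ORDER BY id")]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


if __name__ == "__main__":
    db = build_sample_db()
    for url, chats in find_link_bursts(db, "alice"):
        print(f"burst: {url} sent to {len(chats)} chats: {', '.join(chats)}")
    print("missing message ids:", find_id_gaps(db))
```

On the constructed data the script reports one burst (the profile-picture link sent to four chats within seven seconds) and one missing id. The thresholds are starting points: tune the window and recipient count against a baseline of the account’s normal chat volume before relying on the burst rule, and treat id gaps as corroboration rather than proof, since ordinary user deletions leave the same holes.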

The newest Shylock malware also includes some other extra features, such as the ability to spread via network shares and USB drives. The attacker behind the malware has the ability to perform a number of functions once he’s on the infected machine, including stealing cookies, injecting malicious code into Web sites and downloading and executing files.

One Response to “Malware Spreads through Skype”

  1. […] Malware Spreads through Skype – The Shylock malware has been updated, and is spreading through Skype. Because Microsoft is taking down Windows Live Messenger, hackers are turning their attentions to Skype, and its code. The intent of the malware is to take financial data from infected systems. It looks to steal credentials for online banking sites, and also has the ability to perform code-injection attacks. Via ISS Source, more here. […]
