Skype IM ransomware worm spreading quickly

A malicious worm is taking advantage of the Skype API to spam out messages similar to this one: “LOL is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]”

Users click, and, “before you know it, your computer has been recruited into a botnet and could fall victim to a ransomware attack,” said Sophos researcher Graham Cluley, in the Naked Security blog. The ransomware variant locks the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

Beyond the ransomware payload, these Dorkbot variants steal user name and password credentials for a vast array of websites, including Facebook, Twitter, Google, PayPal, Netflix and many others.

Also, “they can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a Proxy server and download and install further malware at the botmaster’s initiation,” said Rik Ferguson at Trend Micro, who noted that the worm is spreading “fast.” In the 24 hours since its discovery, Trend Micro blocked more than 2,800 associated files.

According to Cluley, the links are designed to infect Windows computers via a download of a ZIP file with a trojan application that opens a backdoor and allows a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.

The ZIP file (variously named skype_06102012_image.zip or skype_08102012_image.zip) contains executables that Sophos detects as Troj/Agent-YCW or Troj/Agent-YDC, Cluley said. On execution, the malware copies itself to %PROFILE%\Application Data\Jqfsfb.exe and sets an autostart entry so that it survives a reboot.
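The indicators in the two paragraphs above (the lure message, the dropper ZIP naming pattern, and the dropped copy in Application Data) are enough to write a simple triage script. The following is an added example, not code from Sophos, Trend Micro or Skype; the chat lines, proxy log lines and Run-key entries it scans are constructed for illustration, and the goo.gl short code (redacted in the article) is a made-up placeholder, so the lure pattern deliberately matches any short code and keys on the message text and the `img=` parameter instead.

```python
import re
from dataclasses import dataclass

# Indicators of compromise taken from the article. The goo.gl path segment was
# redacted there, so LURE_RE accepts any short code and relies on the message
# wording plus the "?img=<username>" parameter that carries the target's name.
LURE_RE = re.compile(
    r"lol is this your new profile pic\?\s+https?://goo\.gl/\S+?\?img=(?P<user>[^\s&]+)",
    re.IGNORECASE,
)
# Dropper archive names seen in the campaign: skype_<DDMMYYYY>_image.zip
ZIP_RE = re.compile(r"skype_(\d{8})_image\.zip", re.IGNORECASE)
# Dropped copy: %PROFILE%\Application Data\Jqfsfb.exe. Match only the tail so
# the drive letter and profile root (XP vs. newer layouts) do not matter.
DROP_RE = re.compile(r"application data\\jqfsfb\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    kind: str      # "lure", "dropper_zip" or "dropped_exe"
    detail: str    # targeted username, archive name or matched path tail
    line_no: int   # 1-based index into the scanned input


def scan_lines(lines):
    """Return a Hit for every indicator found in the given text lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LURE_RE.search(line)
        if m:
            hits.append(Hit("lure", m.group("user"), n))
        m = ZIP_RE.search(line)
        if m:
            hits.append(Hit("dropper_zip", m.group(0), n))
        m = DROP_RE.search(line)
        if m:
            hits.append(Hit("dropped_exe", m.group(0), n))
    return hits


def flag_run_entries(entries):
    """Given (value_name, command) pairs from a Run key, return the names whose
    command launches the dropped Jqfsfb.exe copy."""
    return [name for name, cmd in entries if DROP_RE.search(cmd)]


# Constructed sample data (hypothetical users, hosts and short codes).
SAMPLE_CHAT = [
    "2012-10-08 14:02:11 alice.w: LOL is this your new profile pic? http://goo.gl/abc123?img=bob.smith",
    "2012-10-08 14:03:40 bob.smith: haha what? that's not me",
    "2012-10-08 14:05:02 alice.w: lol is this your new profile pic? http://goo.gl/zz9q?img=carol",
]
SAMPLE_PROXY = [
    "2012-10-08 14:02:30 GET http://203.0.113.5/skype_08102012_image.zip 200 application/zip",
    "2012-10-08 14:06:00 GET http://example.org/photo.jpg 200 image/jpeg",
]
SAMPLE_RUN_KEYS = [
    ("Jqfsfb", r"C:\Documents and Settings\bob\Application Data\Jqfsfb.exe"),
    ("Updater", r"C:\Program Files\Example\updater.exe /background"),
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_CHAT + SAMPLE_PROXY):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.detail}")
    print("suspicious Run entries:", flag_run_entries(SAMPLE_RUN_KEYS))
```

A lure hit names the account that received the bait, which is the machine to check first; a dropper_zip or dropped_exe hit on the same host means the link was followed and the persistence check in `flag_run_entries` is worth running against the real Run keys.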

While “there have been many variants of the Dorkbot attack spotted over the last year or so, spreading via Facebook and Twitter,” said Cluley, “the threat can also spread via USB sticks, and various instant messaging protocols.” And the danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users – even when those messages are unsolicited and out of character.

“You don't know that it was a friend who sent you the message, all you know is that it was their account which posted it to you... and who knows if it was compromised or not?” cautioned Cluley.

"Skype takes the user experience very seriously, particularly when it comes to security,” the company told Sophos. “We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."
