Thursday, May 23, 2013

Another Skype worm


Remember this post from not too long ago?
Worm spreading through Skype and Messenger

Well, seems this tactic is getting more popular...

A new Skype worm shows you the following message:

this is a very nice photo of you http://bit.ly/10UCanc?fotos=%username% :$
this is a very nice photo of you http://bit.ly/10UCanc?id=%username% :P
Other languages are possible as well, for example Russian:
это очень хорошая фотография вы http://bit.ly/10UCanc?fotos=%username%


When clicking on the link, it gets redirected to a filesharing site and downloads the following file:
facebook_profile.zip

Inside is an EXE file called:
profile-facebook_23052013_img.exe
MD5: 669441b1f5532bdc1a5371112dabc4c8
VirusTotal Result (15/46)
Anubis Result
Malwr Result

When executing the file, you start spreading this message as well to all your Skype friends. There is no icon for the EXE file, which should ring some bells... Actually, the "pictures" being a single EXE file should ring bells so hard the whole neighbourhood wakes up.


Filesharing sites used to spread the malware:
4shared.com
hotfile.com


These filesharing sites have already removed all the malicious files and cannot be downloaded anymore.
Malware files already removed, awesome!





Some interesting stats for the bit.ly link:

Current amount of clicks








Geographic distribution of clicks.





As you can see, there have been over 120,000 clicks today, that's quite a lot!  Also interesting to note is that most clicks are in Belarus, which may indicate where the malware's origin lies (or at least where the infection point started).

As far as I could see, the malware creates a file with a random name in the C:\Programdata or %appdata% folder, injects into explorer.exe and thus is able to 'protect' itself:
When deleting said malware file, it will immediately re-create.

The malware also tries to phone home to (currently offline):
hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php


The above links are related with the Alureon malware, which can download other malware as well as steal your credentials and other personal information. Microsoft:
Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer. Source.


There are also some peculiar strings in the malware:
lTaj13zzz5632jetsusjabs 
Regrey8hiaid958562ids  
Culmbusy4teg217jo548 
Sel35scagalawn9ser84996  
Hinog968begs6421879  
Cyme28ilkax65274sunn35  
Toph8toil2528248030  
Pent8cute812  
hoorney milk  
DESTRUCT COMMON 

Not sure what those strings are supposed to mean, if there's any meaning to it at all.
To view all strings pulled from the malware image, check Pastebin:
http://pastebin.com/Svb40p9Q



Desinfection


  • Perform a full scan with your installed antivirus ànd a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this worm.
  • Change your Skype password.
  • Notify your friends that you had sent them a malware link.



Conclusion

This conclusion is pretty much the same as in my previous post about a Skype worm:


Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
"Do I really have (embarassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like bit.ly is used. (others are for example t.co, goog.gl, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.

Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/


8 comments:

  1. Hey superb website!

    ReplyDelete
  2. The virus is crypted so there are weird codes

    ReplyDelete
  3. There is a new Skype worm that is going around that I've seen. As of December 16th, 2013 I have spotted a worm which appears as a FILE TRANSFER. I don't know how it infects you, but I didn't click any links. My "friend" must have been infected, because when I awoke my computer from sleep mode while I had Skype connected, explorer.exe crashed just after I noticed a Skype notification popup. This required me clicking NOTHING at all. It was simply a notification popup without any click which crashed explorer, now my Skype runs at around 25 processor usage and much higher amount of RAM use. BE CAREFUL GUYS, FUCK SKYPE!!

    ReplyDelete
    Replies
    1. Interesting, I had not heard about this yet. Do you have a screenshot by any chance? Have you heard about or witnessed the same behaviour from other Skype friends?

      Delete
  4. Not sure about Windows as I don't have a Windows box with Skype to test on (yet) but perhaps they have the option to open transferred files upon successful transfer ?

    I know this is an option under OS X. Perhaps that would explain the infection vector. I'll see if I can make some time to tinker this evening.

    ReplyDelete
    Replies
    1. Good thinking Matt. I checked here but I did not see that option. Where would it be under OS X? (it's possible I missed it though)

      Delete
  5. Goede blog - site. Complimenten.
    WOT - Dutch Mountain / https://www.mywot.com/en/user/1309084
    Peter
    www.peterswebsafety.com

    ReplyDelete