New Skype Spoof IRCbot Trojan Reveals New ‘Social Engineering’ Tactics
17 October -MessageLabs, the leading provider of messaging security and management services to businesses, has detected and blocked more than 800 copies of a new variant of the IRCbot (aka Fanbot) trojan, which now is being distributed via email disguised as the newest release of the popular Skype VoIP (Voice over Internet Protocol) software client, version 1.4, which was first released on October 10th — just a week ago.
When executed, the attached malware program displays a fake “installation error” box while, in fact, it is installing itself as %sysdir%\remote.exe, altering the registry and shutting down shared access and Windows update services. It then tries to connect to either an IRC server named ‘jojogirl.3322.org’ (channel name #Phantom) or smallphantom.meibu.com, but fails.
“This latest spear phishing attack, where Skype users are being targeted by an email that appears to come from Skype, is the first case that we’ve seen that specifically mentions Skype,” said Maksym Schipka, a senior antivirus researcher at MessageLabs. “It is another clear example of how malware writers are quickly exploiting newly identified security holes, as we saw with the Zotob attack, and now, new releases of popular software applications, in order to try and spread their malicious payloads.
Another interesting development is the usage of the mutex ‘___—>>>[E-v-i-l_S-e-c-u-r-i-t-y_T-e-a-m]<<<---___' which links the Chinese creator of the IRCbot trojan with a group of Brazilian/Persian hackers who are known to deface Web sites (their homepage is evil.co.sr, which is a Suriname domain).
Email characteristics
Subject lines:
Hello. We’re Skype and we’ve got something we would like to share with…; Share Skype.; Skype for Windows 1.4; Skype for Windows 1.4 – Have you got the new Skype?; What is Skype?
Body Text:
Dear user,
Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
And it just got even better — download the latest version of Skype:
Our call quality is the best ever for talking, laughing and sharing stories.
You can forward calls on to mobiles, landlines and other Skype Names.
Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
Personalise your Skype — play around with sounds, ringtones and pictures to show the world who you are.
For further details see the attached document.
This message contains graphics. If you do not see the graphics, click here to view.
(c) 2002-2005 by Skype Technologies S.A.
Legal information
Detection:
MessageLabs detected this malware proactively, using its unique and patented Skeptic(tm) predictive heuristics technology. It has detected over 150 emails of this type since Sunday, October 16th.
For further information, please visit the MessageLabs Web site at http://www.messagelabs.com/intelligence.
To speak with Mr. Schipka or another MessageLabs anti-virus researcher, please contact XYZ.
About MessageLabs
MessageLabs is the world’s leading provider of messaging security and management services with more than 12,000 clients and offices in eight countries. For more information, please visit http://www.messagelabs.com