Trojans and viruses

Some of you may have seen stories circulating about a ‘trojan’ (a malicious piece of software) which can listen in to your Skype calls – and I’d like to set the record straight on two points.

• In order for this trojan to ‘listen in’, it has to be run on your computer, which means that your computer is already compromised – e.g. by a virus.
• It doesn’t exploit the Skype software; instead, it ‘listens in’ to the audio data which is transferred between Skype and your computer hardware – your headset and microphone, for example – and it does this using processes which are available in the Microsoft Windows operating system. It’s like standing next to someone when they are talking

So, what should you do? All the usual security recommendations still apply – make sure you don’t open files from people you don’t trust, stay current on patches and updates for your computer and use an up-to-date anti-virus program.

If you’re looking for more details, the security experts at Symantec sum things up pretty nicely over on their blog:

What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used in audio input and output. It then is able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is then saved to .mp3 files and stored on the computer.

Because the Trojan listens in the data traveling between the Skype process and the audio device, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level. Essentially, it sits below these security measures, recording the audio at the Windows level—before outbound audio from the microphone gets to Skype and after incoming audio leaves Skype and reaches the speakers.

Finally, the Trojan contains a back door, which enables an attacker to have the stolen audio conversations sent to a predetermined location, where they can later be listened to.

In terms of impact, we don’t see this threat gaining much of a foothold out in the wild. What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind we recommend keeping your virus definition and IPS signatures up-to-date.

We've seen some instances where a chat message masquerading as a link to an image file instead leads to a piece of malware. The chat messages may look similar to this:

If you receive something like this through a Skype chat message, do not be alarmed. Instead, ignore it and block the sender. Do not click on the link or open the file that the link points to.

When executed, however, the Trojan downloader creates a Microsoft Studio Files folder in the Program Files directory, populating it with a copy of itself (lsass.exe) as well as a script file (vcdg.bat) that helps it bypass the Windows firewall. The program also changes the Windows registry to enable automatic execution upon Windows startup and to bypass the Windows firewall. Following these steps, the program downloads files into the infected system.

The Skype security team would like to remind users to keep their antivirus software updated and maintain a skeptical eye toward chat messages that don't seem quite right and contain internet links, whether they appear to come from friends or total strangers.

Some users have received the following message through Skype chat:

- - - - -

www.alertscan.net/?q=update
- - - - -

If you receive something like this through a Skype chat message, do not be alarmed. Instead, ignore it and block the sender. This is chat spam aimed at scaring users into purchasing an alleged antivirus product.

The purported remote virus scan performed by the site behind the URL is also a fake: it is a harmless movie, not a real scan. The "results" of this fake scan are also false.

That said, if you receive a chat message from an unknown user and/or an internet link that you're not sure of, please err on the side of caution and do not click on such links.

It has come to our attention that some Skype for Windows users have been affected by a piece of malware that masquerades as a chat message aimed at finding a lost girl.

Please do not follow any internet links you may receive in chat messages that resemble the following: "Please help me to find this Girl".

Clicking on the link will lead you to download a worm that is currently best described here.

Currently, this piece of malware -- a new strain of the Stration/Warezov worm -- can be detected by the following antivirus software: AntiVir, ArcaVir, AVG Antivirus, BitDefender, F-Secure, Kaspersky, McAfee, Microsoft, Norman Virus Control, Panda Antivirus, Sophos Antivirus, TrendMicro, VBA32.

Some Windows users have been affected by a malware program that imitates Skype software and attempts to steal sensitive information. 65404-SkypeDefenderSetup.exe is classified as an Infostealer, that is, a Trojan horse program that attempts to steal sensitive information such as login credentials.

Continue reading "Skype Defender malware alert" »

You may have read in today's media accounts about a Skype worm being "on the loose" on the Internet. I wanted to bring you up to date on this story and how the problem has been solved.

We learned yesterday (Tuesday, 19 December 2006) that there were reports floating in information security circles that there was a "Skype worm" in the wild. We contacted a number of sources, both in the infosec industry and within eBay, as well as some key security researchers, to learn more about the incident.

Continue reading "Reports of Skype worm" »

We saw [in the news today](http://www.vnunet.com/vnunet/news/2144082/skype-spoof-hides-ircbot-trojan) that there's a Skype-related trojan, reported by [MessageLabs](http://www.messagelabs.com/). We haven't seen it in our own inboxes yet, but it's certainly something to worry about. It was no doubt "inspired" by a newsletter we recently sent to our users who have opted in to receive e-mail, to inform them about the release of [Skype for Windows 1.4](http://www.skype.com/products/skype/windows/). As Skype grows in popularity, so does the chance of having more malicious content that use Skype's name for evil purposes.

Let's reiterate (and if your colleagues and grandma are on Skype, please tell them too):

Skype never sends software updates by e-mail. We do send information about your orders if you bought something from us, and we send newsletters and survey invitations, if you opted in to receive Skype e-mail when you registered your Skype Name, but that's it. So if you receive a software update e-mail from Skype, please delete it, and tell others to do the same.

Skype uses digital signatures to help users ensure that its software releases are valid. You can verify the authenticity of Skype software by confirming that its digital signature is valid. Instructions for checking the digital signature of Skype's software are described in the
[Administrator's Guide to Skype](http://www.skype.com/security/guide-for-network-admins.pdf), which may be downloaded from [skype.com/security/](http://www.skype.com/security/).