Malware hits Skype users in India

The Voice-over Internet Protocol (VoIP) service, Skype has been affected by spam in India, and users in the country are being asked to exercise caution. The government has issued an advisory informing Skype users of the malicious spam campaign. 


"A malicious spam campaign is on the rise targeting Skype users by sending instant message which appears to come from friends in the Skype contact list," the advisory reads. The Computer Emergency Response Team (CERT-In) under the Communications and Information Technology ministry shared that the malware was adept at gaining control of the victim's machine by opening a backdoor and communicating to a remote http server. 

Skype goes 3G

Users should exercise caution



Cyber security experts have unearthed that the malware-ridden content has been found "lurking in the vicinity of cyber networks of Indian users who use this popular Voice-over Internet Protocol (VoIP) service". The malware has been reported to steal user details, fuelling click fraud activity, while also posing as ransomware. 


As a measure of caution, the advisory has asked Skype users in the country to "not follow unsolicited web links or attachments in Skype messages and install latest security updates to Skype". The advisory adds that users should download the latest version of Skype from trusted sources. To secure themselves further, users should install and maintain updated anti-virus software on gateways and desktops. The advisory stresses on the need to maintain caution when opening attachments, accepting file transfers, clicking links to web pages. Disabling the auto play feature altogether is a safe practice. Users should be careful to ward off social engineering attacks.


Earlier this month, users had started facing problems with ransomware on Skype through a seemingly harmless looking message, "lol is this your new profile pic?" The message was followed by a link that downloads malware into user's computers. According to Trend Micro, these reports have not stopped yet and are now spreading fast.


The link, which includes the user name of the recipient, goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the Dorkbot malware family, which is detected as WORM_DORKBOT.DN. This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft form various websites, including pornographic sites, social media, file lockers, and financial services; and launching distributed denial-of-service (DDOS) attacks. The behaviour that a user may see can vary significantly. It also has the capability to download other malware depending on the link provided by the C and C servers, including ransomware and click fraud malware.


To spread via Skype, it downloads a separate component detected as WORM_DORKBOT.IF. This component sends the same message to people in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message "lol is this your new profile pic?" in a language that depends on the user’s geolocation.


As Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.


The security company is currently monitoring this threat, and will update its blog with more details as they become available. The number of blocked and detected files associated with this attack has increased. From 2,800 files recorded on October 9, the total number of blocked and detected files is now at 6,800. Trend Micro product users are actively protected from Dorkbot malware used in these attacks.


News Sources

Published Date: Oct 30, 2012 06:21 pm | Updated Date: Oct 30, 2012 06:21 pm