Skype Malware Campaign Grows – quotes Security Week Shylock family of malware made headlines for its ability to spread via Skype. Shylock is a banking Trojan, targeting financial data and accounts. While Shylock has been mostly targeting users in the UK and EU, additional malware variants have been observed in the United States.
On Monday, researchers at Trend Micro discovered two additional types of malware targeting Skype users. The first, a worm that has the ability to clear message history is being given the name Bublik. However, code examinations show that the worm downloads additional modules, which have rootkit abilities allowing remote command and control of the infected host.
The second type of malware discovered is being called Phorpiex, which will clone itself to all removable drives once a victim accesses a link to it via Skype. Normally Phorpiex is spread via email, so Skype represents a new attack channel.
“These strings of threats aimed at Skype pose serious risks, not just for ordinary users, but also for small businesses benefiting from the platform,” a blog post from Trend explains.
“Microsoft is reportedly closing down Windows Messenger on March 15, 2013 and recommends switching to Skype. As such, this poses risks especially to first-time Skype users and with DORKBOT and now, Shylock variants spreading via Skype, users and businesses alike should have a more security-conscious mindset when it comes to using Skype.”
The malware’s new Skype functionality appears to have been added earlier this week, according to security researchers from Danish IT security firm CSIS Security Group. The new plug-in allows the malware to send rogue messages and files using the Skype VoIP and instant messaging client installed on the infected device, Peter Kruse, CSIS partner and security specialist, wrote on the company blog. The malware is also able to bypass Skype warnings messages and delete traces of its activity from Skype history, Kruse wrote.
Previously, Shylock used MSN Messenger, Yahoo Messenger and other real-time chat programs to spread. Infected users were inadvertently sending the malware to their contacts via instant message. Users were tricked into clicking on a link in the message which directed them to a site hosting the malware.
Shylock’s creators may have decided to add Skype to its list of distribution methods because Microsoft announced plans to retire Messenger in March and move all the users to start using Skype, Kruse said. “Shylock is one of the most advanced Trojan-banker [malware] currently being used in attacks against home banking systems,” Kruse said. “The code is constantly being updated and new features are added regularly.”
Along with stealing login credentials for online banking services, Shylock has a number of other capabilities. Cyber-criminals have access to the cookies stored on the infected computer and the malware installs VNC remote control software to give the controls the ability to take over the machine. Shylock can also manipulate websites within the browser by injecting text and transferring files to a remote server.
SecurityWeek has reported on previous updates to Shylock, such as the new feature which can detect whether the malware is being installed on a machine using the remote desktop protocol.
CSIS believes the bulk of victims are from the United Kingdom, although there were many infected computers throughout mainland Europe and the United States.
“Shylock is active in only a few parts of the world,” said Kruse via @security week
The banking Trojan known as Shylock has been updated with new functionality, including the ability to spread over Skype. The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice” stated : Mohit Kumar
- Hacking News quoted: “Shylock is one of the most advanced Trojans” currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly
- Pierluigi Paganinin states the malware spread’s via Skype ” The news is very concerning, a new variant of the banking malware known as Shylock has been detected, it includes the capability to spread over Skype.” “Shylock is an old acquaintance for security community, the malware was detected for first time in 2011 by experts from Trustee firm, it is used to steal banking credentials from its victims and is considered one of the most insidious cyber threat for banking. The first version of the malware demonstrated improved methodology for injecting code into browser to remote control the victim and an improved evasion technique to prevent detection by common antivirus software.
- With Skype expanding its reach with services designed for small businesses, and other messaging platforms such as Microsoft Windows Messenger shutting down, Skype is becoming an attractive target for malware states Threat Post.
- Security researchers are warning PC users to beware of two new malware attacks. Hackers have released a fake Java patch that is really part of a ransomware campaign, and the banking Trojan known as Shylock is now spreading via Skype.
“Beware any Java security update that you don’t download directly from Oracle’s website,” wrote InformationWeek’s Mathew J. Schwartz. “That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that’s packaged to resemble Java 7 update 11. The real update was released by Oracle as an emergency fix for two zero-day vulnerabilities in Java — including CVE-2012-3174 — that are being actively exploited by attackers.”
Computerworld’s Jeremy Kirk noted, “Hackers often disguise their malware as a legitimate software update in the hope of confusing IT staff. Interestingly in this case, the fake update doesn’t actually exploit the vulnerabilities that Oracle patched on Sunday, [Trend Micro’s Paul] Pajares wrote. The user is tricked into downloading a different piece of malware.”
ITWorld’s Lucian Constantin reported, “The Shylock home banking malware has been updated with new functionality that allows it to spread automatically using the popular Skype Voice-over-IP (VoIP) and instant messaging client. Shylock, named after a character from Shakespeare’s The Merchant of Venice, is a Trojan program discovered in 2011 that steals online banking credentials and other financial information from infected computers.”
InfoSecurity quoted CSIS researcher Peter Kruse, who wrote, “When analyzed, during an investigation, we noticed that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype. This allows the malicious Trojan-banker to infect more hosts and continue to be a prevalent threat. Also, the timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.”
Hacking News quoted: “Shylock is one of the most advanced Trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly