Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.

Reports of Shylock malware found on certain Skype messages was a hot topic last week. We looked into the related samples and based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins that include {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear Skype message history.

The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself in all removable drives. Similar to WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages containing an attachment, which is actually a copy of itself.

WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing the following details:

We looked into the number of infections for WORM_PHORPIEX using Trend Micro™ Smart Network Protection™ feedback and found out that 83% of infected machines came from Japan.

Read the rest of this entry »

In our 2013 predictions, we noted how malware would only gradually evolve without much in the way of significant change. This can be seen in the use of some (otherwise legitimate) hacking tools in APT attacks.

How is this a problem? Hacking tools are grayware which are not always detected by anti-malware products or at least ethico-legal issues are keeping them from doing so. Unfortunately, this means less visibility in APT forensic investigations. In addition, it also saves attackers the trouble of writing their own tools. Some of the common hacking tools we see are:

• Password recovery tools – tools for extracting passwords or password hashes stored by applications or the operating system in the local drive or in registry entries. These are typically used to clone or impersonate user accounts for obtaining administrator rights. Pass the hash technique is one common method for attackers to gain administrator rights via stolen password hashes.
• User account clone tools – used to clone a user account once password has been obtained by the attacker. Upon acquiring enough privileges, the attacker can then execute malicious intent while bypassing the system’s security measures.
• File manipulation tools – tools for manipulating files such as copying, deleting, modifying timestamps, and searching for specific files. It is used for adjusting timestamps of accessed files or for deleting components to cover tracks of compromise. It can also be used for searching key documents for extraction where the attacker can search for files with specific file extensions.
• Scheduled job tools – software for disabling or creating scheduled tasks. This can help the attacker to lower the security of the infected system by disabling scheduled tasks for software updates. Likewise, it can also be used maliciously. For instance, the attackers can create a scheduled task that will allow them to automatically steal files within a certain timeframe.
• FTP tools – tools that aid in FTP transactions like uploading files to a specific FTP site. Since FTP transactions would look less suspicious in the network, some APT threat actors prefer to upload stolen data to a remote FTP site instead of uploading them to the actual C&C server. It should be noted that there are several legitimate FTP applications, which may also be utilized by cybercriminals.
• Data compression tools – these tools are neither malicious nor considered as hacking tools. In most cases, these are legitimate file compression tools, such as WinRAR, being utilized by attackers to compress and archive multiple stolen files. This aids the attacker in the data exfiltration phase where they can upload stolen documents as a single archive. In a few cases, however, we have seen these applications being packaged and configured to compress a predefined set of files.

Read the rest of this entry »