Cybercriminals have once again used a not-so-new but still seemingly promising medium for their malware campaigns. Earlier today, ZDNet reported a “new” exploit that targets Skype users. This exploit takes advantage of a vulnerability in a Skype component—EasyBits Extras Manager. While the vulnerability was found and fixed as early as October 2009, many users are still running older, vulnerable versions.
The vulnerability is being used to download malicious files, among them a ZBOT variant, TROJ_ZBOT.COC. As is typical of ZBOT variants, it steals a user’s personal information, particularly information related to online banking.
Good thing that Trend Micro already had coverage for these payloads many months before cybercriminals actually used the Skype vulnerability described above to deploy this malicious code!
Over the years, Skype has been targeted and used as an infection vector by several malware families, including STRAT, KOOBFACE, and, more recently, PALEVO, due to its growing user base.
Skype currently hosts more than 500 million registered users and is still adding 300,000 users per day. Skype CEO John Silverman aims to have about 100 million PCs shipped preloaded with the popular VoIP software in 2011. This January, TeleGeography reported that Skype’s traffic growth has soared over last year while international phone traffic declined, proving that more and more users prefer Skype as a medium for international voice communications.
Unfortunately, Skype vulnerabilities have been found and exploited in the past:
- New Skype Vulnerabilities
- Skype Releases Security Bulletin to Address CrossZone Scripting Vulnerability
- SkypeFind Still Flawed!
This attack highlights how important it is to keep applications updated. Nowadays, many popular applications have auto-update capabilities. Users should use these to ensure that all their commonly used applications, particularly those that run whenever their systems start, are updated.
On a similar note, the popularity of Skype is also now being used in spam campaigns. Trend Micro engineers received the following spam message targeting Skype users:
As expected, the link in the message does not go to a legitimate Skype page, although this site is currently down.
All threats discussed in this post are already covered by Trend Micro products.
Additional text by Jonathan Leopando, Merianne Polintan and Threat Research Manager Ivan Macalintal. Thanks Ivan for the heads-up!