As reported earlier by Rik Ferguson, users are facing more waves of Skype spammed messages. These attacks are being used to distribute various threats, including ransomware and infostealers.
These attacks, which arrive as Skype messages, ask if the user has a new profile picture:
The link (which includes the user name of the recipient) goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the DORKBOT malware family, which is detected as WORM_DORKBOT.DN. This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft form various websites (including pornographic sites, social media, file lockers, and financial services), and launching distributed denial-of-service (DDOS) attacks. The behavior that a user may see can vary significantly. It also has the capability to download other malware depending on the link provided by the C&C servers, including ransomware and click fraud malware.
To spread via Skype, it downloads a separate component (detected as WORM_DORKBOT.IF). This component sends the same message to people in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message, lol is this your new profile pic in a language depending on the user’s geolocation.
As Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.
We’re currently monitoring this threat. We’ll update this blog entry with more details as they become available.
Update as of October 10, 2012 3:47 am PDT
The number of blocked and detected files associated with this attack has increased. From 2,800 files recorded on October 9, the total number of blocked and detected files is now at 6,800. Trend Micro product users are actively protected from DORKBOT malware used in these attacks.
Update as of October 12, 2012 7:25 am PDT
Based on feedback from the Smart Protection Network, we have seen 13,221 total infections.