Skype-based malware shows how 'peculiar' malicious code can be


A creative attacker used a modified version of the old Skype SDK and turned it into a remote-access Trojan

Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.

The Skype-looking specimen at first seemed simply to be supporting Skype communications traffic, but it was installed in an unusual directory and configured to operate as a standalone VoIP application. The tip-offs that it was malware were a spike in network traffic during off-peak hours and the difficulty systems administrators had reaching the domain controller. A close look at the specimen, among the executables removed from the domain controller, showed that a creative attacker had taken a modified version of the old Skype software development kit (SDK) and turned it into a remote-access Trojan to steal corporate data.

This malicious software had accomplished what some had predicted about eight years ago could be done to exploit Skype when "researchers discovered the ability to use Skype as a remote-control procedure," says Butterworth, executive director of commercial services at ManTech.


The malware had been designed using a modified version of the old "SkypeKit" SDK which existed before Microsoft acquired Skype, and it appeared to include a backdoor functionality.

The malware was a one-off that wasn't found elsewhere on the victim's network; in this case it was being used to steal corporate data by connecting, through a Skype-looking account outside the network, to various locations around the world.

In the report it has published about all this, HBGary pointed out, "Normally a SkypeKit client would require a certificate to initiate a session with Skype servers. The backdoor contains such a certificate and it is passed to Skype API calls, but this is only for compatibility with the SkypeKit runtime; the modified version of the runtime does not use it for authentication (as verified during analysis by subverting this step). Once authenticated, it waits for incoming message events and treats them as commands.

"If Skype is normally used on the compromised system, network traffic will show nothing unusual."
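The two tip-offs the article describes, a Skype binary living in an unexpected directory on a domain controller and a traffic spike during off-peak hours, can both be expressed as simple checks over host and network telemetry. The following is an added example written for this page; it is not code from HBGary's report or from Network World, and the record layout, the expected Skype install directories, the off-peak window, the spike factor and every inventory and flow-log line are constructed assumptions to show the logic, not data from the incident.

```python
"""
Added example (not from the article or the HBGary report): two defender-side
checks modelled on the tip-offs described above. All field names, paths,
thresholds and sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: where a legitimate Skype client is expected to be installed.
EXPECTED_SKYPE_DIRS = (
    "c:\\program files\\skype\\",
    "c:\\program files (x86)\\skype\\",
)

# Constructed process-inventory records: (host, host role, image path).
PROCESS_INVENTORY = [
    ("ws-0412", "workstation", r"C:\Program Files (x86)\Skype\Phone\Skype.exe"),
    ("dc-01", "domain-controller", r"C:\Windows\Temp\svc\Skype.exe"),
    ("dc-01", "domain-controller", r"C:\Windows\System32\lsass.exe"),
]

# Constructed hourly flow summaries: timestamp host peer_ip dst_port bytes.
FLOW_LOG = """\
2013-03-12T09:00:00Z dc-01 198.51.100.20 445 4200000
2013-03-12T10:00:00Z dc-01 198.51.100.21 445 3900000
2013-03-12T11:00:00Z dc-01 198.51.100.22 445 4100000
2013-03-12T14:00:00Z dc-01 198.51.100.23 445 3800000
2013-03-12T02:00:00Z dc-01 203.0.113.7 443 61000000
2013-03-12T03:00:00Z dc-01 203.0.113.7 443 58000000
2013-03-12T09:00:00Z ws-0412 198.51.100.5 443 900000
2013-03-12T02:00:00Z ws-0412 198.51.100.5 443 10000
"""

OFF_PEAK_HOURS = range(0, 6)  # assumption: 00:00-05:59 counts as off-peak
SPIKE_FACTOR = 5              # assumption: off-peak hour > 5x business-hour mean


def flag_lookalike_processes(inventory):
    """Return (host, path, reasons) for Skype-named images in the wrong place
    or on a host role where a VoIP client has no business running."""
    findings = []
    for host, role, path in inventory:
        lowered = path.lower()
        if not lowered.endswith("\\skype.exe"):
            continue
        reasons = []
        if not lowered.startswith(EXPECTED_SKYPE_DIRS):
            reasons.append("unexpected install directory")
        if role == "domain-controller":
            reasons.append("VoIP client on a domain controller")
        if reasons:
            findings.append((host, path, reasons))
    return findings


def parse_flow_log(text):
    """Parse the constructed flow-summary format into typed tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, peer, port, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        host, peer, int(port), int(nbytes)))
    return records


def flag_off_peak_spikes(records, off_peak=OFF_PEAK_HOURS, factor=SPIKE_FACTOR):
    """Compare each host's off-peak hourly volume against its own
    business-hour mean and return (host, hour, peer, bytes) for outliers."""
    by_host = defaultdict(lambda: {"peak": [], "off": []})
    for ts, host, peer, _port, nbytes in records:
        bucket = "off" if ts.hour in off_peak else "peak"
        by_host[host][bucket].append((ts, peer, nbytes))
    findings = []
    for host, buckets in by_host.items():
        if not buckets["peak"]:
            continue  # no business-hour baseline for this host; do not guess
        baseline = sum(n for _, _, n in buckets["peak"]) / len(buckets["peak"])
        for ts, peer, nbytes in buckets["off"]:
            if nbytes > factor * baseline:
                findings.append((host, ts.isoformat(), peer, nbytes))
    return findings


if __name__ == "__main__":
    for finding in flag_lookalike_processes(PROCESS_INVENTORY):
        print("process:", finding)
    for finding in flag_off_peak_spikes(parse_flow_log(FLOW_LOG)):
        print("traffic:", finding)
```

On the constructed data only the domain controller is flagged: its Skype.exe sits under a temp directory, and its two early-morning hours carry roughly fifteen times its business-hour mean, while the workstation's legitimate client and quiet night hours pass both checks. Baselines are computed per host rather than fleet-wide so that a naturally busy server is not compared against quiet workstations.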

Butterworth says all this has been the most "peculiar" malware specimen he's seen so far, and it's a warning of how a publicly-available SDK can be used to create malware that hides in plain sight.

"This attack was not advanced in its development, nor did it contain substantial covert aspects to it," the HBGary report concludes. "The attacker knows, when hiding in plain sight and somehow relating to a commonly recognizable program, they are likely able to remain under the radar. This would still be the case for this incident, had it not been for the out-of-band network activity and the criticality of the machine this was present on."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

