Menu
Skype-based malware shows how 'peculiar' malicious code can be

Skype-based malware shows how 'peculiar' malicious code can be

A creative attacker used a modified version of the old Skype SDK and turned it into a remote-access Trojan

Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.

The Skype-looking specimen first seemed to simply be supporting Skype communications traffic, but it was installed in an unusual directory location and configured to operate as a standalone VoIP application. One of the tip-offs that it was malware was the strange network traffic spike occurring during off-peak hours and difficulties that systems administrators had getting to the domain controller. A close look at the Skype specimen in the executables removed from the domain controller showed a creative attacker had used a modified version of the old Skype software development kit (SDK) and turned it into a remote-access Trojan to steal corporate data.

This malicious software had accomplished what some had predicted about eight years ago could be done to exploit Skype when "researchers discovered the ability to use Skype as a remote-control procedure," says Butterworth, executive director of commercial services at ManTech.

+ ALSO ON NETWORK WORLD Microsoft finally rolls out Skype-Outlook integration for all users +

The malware had been designed using a modified version of the old "SkypeKit" SDK which existed before Microsoft acquired Skype, and it appeared to include a backdoor functionality.

The malware was a one-time instance that wasn't found elsewhere in the victim's network, but in this case it was being used to steal corporate data by connecting to a Skype-looking account outside the network to various locations around the world.

In the report it has published about all this, HBGary pointed out, "Normally a SkypeKit client would require a certificate to initiate a session with Skype servers. The backdoor contains such a certificate and it is passed to Skype API calls, but this is only for compatibility with the SkypeKit runtime; the modified version of the runtime does not use it for authentication (as verified during analysis by subverting this step). Once authenticated, it waits for incoming message events and treats them as commands.

"If Skype is normally used on the compromised system, network traffic will show nothing unusual."

Butterworth says all this has been the most "peculiar" malware specimen he's seen so far, and it's a warning of how a publicly-available SDK can be used to create malware that hides in plain sight.

"This attack was not advanced in its development, nor did it contain substantial covert aspects to it," the HBGary report concludes. "The attacker knows, when hiding in plain sight and somehow relating to a commonly recognizable program, they are likely able to remain under the radar. This would still be the case for this incident, had it not been for the out-of-band network activity and the criticality of the machine this was present on."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

Read more about wide area network in Network World's Wide Area Network section.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags HBGaryskypeMicrosoftsecurityanti-malwareWide Area Network

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments