Menu
Skype-based malware shows how 'peculiar' malicious code can be

Skype-based malware shows how 'peculiar' malicious code can be

A creative attacker used a modified version of the old Skype SDK and turned it into a remote-access Trojan

Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.

The Skype-looking specimen first seemed to simply be supporting Skype communications traffic, but it was installed in an unusual directory location and configured to operate as a standalone VoIP application. One of the tip-offs that it was malware was the strange network traffic spike occurring during off-peak hours and difficulties that systems administrators had getting to the domain controller. A close look at the Skype specimen in the executables removed from the domain controller showed a creative attacker had used a modified version of the old Skype software development kit (SDK) and turned it into a remote-access Trojan to steal corporate data.

This malicious software had accomplished what some had predicted about eight years ago could be done to exploit Skype when "researchers discovered the ability to use Skype as a remote-control procedure," says Butterworth, executive director of commercial services at ManTech.

+ ALSO ON NETWORK WORLD Microsoft finally rolls out Skype-Outlook integration for all users +

The malware had been designed using a modified version of the old "SkypeKit" SDK which existed before Microsoft acquired Skype, and it appeared to include a backdoor functionality.

The malware was a one-time instance that wasn't found elsewhere in the victim's network, but in this case it was being used to steal corporate data by connecting to a Skype-looking account outside the network to various locations around the world.

In the report it has published about all this, HBGary pointed out, "Normally a SkypeKit client would require a certificate to initiate a session with Skype servers. The backdoor contains such a certificate and it is passed to Skype API calls, but this is only for compatibility with the SkypeKit runtime; the modified version of the runtime does not use it for authentication (as verified during analysis by subverting this step). Once authenticated, it waits for incoming message events and treats them as commands.

"If Skype is normally used on the compromised system, network traffic will show nothing unusual."

Butterworth says all this has been the most "peculiar" malware specimen he's seen so far, and it's a warning of how a publicly-available SDK can be used to create malware that hides in plain sight.

"This attack was not advanced in its development, nor did it contain substantial covert aspects to it," the HBGary report concludes. "The attacker knows, when hiding in plain sight and somehow relating to a commonly recognizable program, they are likely able to remain under the radar. This would still be the case for this incident, had it not been for the out-of-band network activity and the criticality of the machine this was present on."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

Read more about wide area network in Network World's Wide Area Network section.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags HBGaryskypeMicrosoftsecurityanti-malwareWide Area Network

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Show Comments