Skype-based malware shows how 'peculiar' malicious code can be

A creative attacker used a modified version of the old Skype SDK and turned it into a remote-access Trojan

Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.

The Skype-looking specimen at first seemed simply to be supporting Skype communications traffic, but it was installed in an unusual directory and configured to operate as a standalone VoIP application. The tip-offs that it was malware were a strange network traffic spike during off-peak hours and the difficulty systems administrators had reaching the domain controller. A close look at the Skype-like executables removed from the domain controller showed that a creative attacker had used a modified version of the old Skype software development kit (SDK) and turned it into a remote-access Trojan to steal corporate data.
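A small triage script, added here as an illustration and not part of the original article or HBGary's report, that applies the tip-offs in the paragraph above to constructed host telemetry: a Skype-named binary running outside its expected install directories (the directories are assumed), a VoIP client on a domain controller, and an off-hours traffic spike measured against that host's business-hours baseline (the spike factor and business hours are assumed).

```python
from datetime import datetime
from statistics import mean

# Where a legitimate Skype client is expected to live (assumption for this example).
EXPECTED_SKYPE_DIRS = ("c:\\program files\\skype\\", "c:\\program files (x86)\\skype\\")

def skype_path_suspicious(image_path):
    """A Skype-named binary running from somewhere other than its install directory."""
    p = image_path.lower()
    return p.endswith("skype.exe") and not any(p.startswith(d) for d in EXPECTED_SKYPE_DIRS)

def off_hours_spike(samples, host, factor=5.0, start=8, end=18):
    """True if any off-hours sample exceeds `factor` x the host's business-hours mean."""
    mine = [s for s in samples if s["host"] == host]
    business = [s["bytes_out"] for s in mine if start <= s["when"].hour < end]
    if not business:
        return False  # no baseline to compare against
    baseline = mean(business)
    return any(s["bytes_out"] > factor * baseline
               for s in mine if not (start <= s["when"].hour < end))

def hunt(processes, samples):
    """Map host -> list of matched indicators; hosts with no hits are omitted."""
    findings = {}
    for proc in processes:
        hits = []
        if skype_path_suspicious(proc["image_path"]):
            hits.append("skype outside install dir")
            if proc["role"] == "domain_controller":
                hits.append("voip client on domain controller")
            if off_hours_spike(samples, proc["host"]):
                hits.append("off-hours traffic spike")
        if hits:
            findings[proc["host"]] = hits
    return findings

# Constructed sample telemetry, not data from the incident.
PROCESSES = [
    {"host": "dc01", "role": "domain_controller",
     "image_path": r"C:\Windows\Temp\svc\Skype.exe"},
    {"host": "ws17", "role": "workstation",
     "image_path": r"C:\Program Files (x86)\Skype\Skype.exe"},
]
SAMPLES = [
    {"host": "dc01", "when": datetime(2013, 5, 6, 10), "bytes_out": 2_000_000},
    {"host": "dc01", "when": datetime(2013, 5, 6, 14), "bytes_out": 2_400_000},
    {"host": "dc01", "when": datetime(2013, 5, 7, 2), "bytes_out": 60_000_000},
    {"host": "ws17", "when": datetime(2013, 5, 6, 11), "bytes_out": 1_000_000},
    {"host": "ws17", "when": datetime(2013, 5, 7, 2), "bytes_out": 500_000},
]
```

Calling `hunt(PROCESSES, SAMPLES)` flags dc01 on all three indicators, while the workstation's normally installed client produces no hit.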

This malicious software had accomplished what some had predicted about eight years ago could be done to exploit Skype when "researchers discovered the ability to use Skype as a remote-control procedure," says Butterworth, executive director of commercial services at ManTech.

The malware had been designed using a modified version of the old "SkypeKit" SDK which existed before Microsoft acquired Skype, and it appeared to include a backdoor functionality.

The malware was a one-off instance not found elsewhere in the victim's network, but in this case it was being used to steal corporate data by connecting, through a Skype-looking account outside the network, to various locations around the world.

In the report it has published about all this, HBGary pointed out, "Normally a SkypeKit client would require a certificate to initiate a session with Skype servers. The backdoor contains such a certificate and it is passed to Skype API calls, but this is only for compatibility with the SkypeKit runtime; the modified version of the runtime does not use it for authentication (as verified during analysis by subverting this step). Once authenticated, it waits for incoming message events and treats them as commands.

"If Skype is normally used on the compromised system, network traffic will show nothing unusual."

Butterworth says this is the most "peculiar" malware specimen he has seen so far, and a warning of how a publicly available SDK can be used to create malware that hides in plain sight.

"This attack was not advanced in its development, nor did it contain substantial covert aspects to it," the HBGary report concludes. "The attacker knows, when hiding in plain sight and somehow relating to a commonly recognizable program, they are likely able to remain under the radar. This would still be the case for this incident, had it not been for the out-of-band network activity and the criticality of the machine this was present on."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
