Monday, October 8, 2012

Worm spreading through Skype and Messenger


Since Saturday, there's a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who's infected with this worm will send you the following message:

Message in German asking to check your cool pictures



The link is a goo.gl short URL (Google's URL shortener service). It lands on Hotfile.com, a legitimate file-sharing website (not the first time Hotfile has been used to spread malware; read more here). The file has since been removed by Hotfile.

The Hotfile page immediately serves a ZIP file for download.

The positive side is that it is a ZIP file rather than an EXE: the user still has to unpack it and run the malware manually. Inside the ZIP we find the following file, disguised as a Skype setup file:

Looks like the real deal. But it's not.

When this file is executed, another file (an EXE with a random 4-character name) is dropped into the %appdata% folder of the currently logged-on user:

The icon suggests it's uTorrent. But it's not.




This file first contacts api.wipmania.com, a GeoIP lookup service the bot uses to determine the country code it puts in its IRC nickname (see the correction in the comments below). It then tries to connect to the following IP addresses, from which it takes its instructions (each was looked up on IPVoid):

74.208.112.178
87.106.98.157
199.15.234.7
213.165.71.142
213.165.71.153
217.160.108.147

Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe


It then automatically sends a message, chosen according to the OS language, from the following list:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c'est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?



It then appends the link below, adding the recipient's username after the '=' sign (so the message you receive carries your own username):
http://goo.gl/QYV5H?img=
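As an added example (not code from the original post), here is a small Python scanner that applies the spreading logic described above to chat-log lines: it looks for the worm's hardcoded goo.gl link with the username after the '=', for the lure texts from the list (a subset is embedded), and for any link behind a URL shortener, and then reports accounts that pushed the worm link to several contacts. The log-line format and the sample messages are constructed assumptions, not a real Skype or Messenger log format.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Lure texts taken from the worm's message list above (a subset).
LURES = [
    "lol is this your new profile pic?",
    "hey is dit je nieuwe profielfoto?",
    "hey c'est votre nouvelle photo de profil?",
    "hej detta är din nya profilbild?",
    "moin , kaum zu glauben was für schöne fotos von dir auf deinem profil",
]

# The hardcoded spreading link from the post; the worm appends the
# recipient's username after the '='.
WORM_LINK_RE = re.compile(r"https?://goo\.gl/QYV5H\?img=[^\s]*", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)
# Shorteners named in the post: a link behind one of these hides its target.
SHORTENERS = {"goo.gl", "t.co", "bit.ly", "tinyurl.com"}

# Assumed chat-log line format (constructed for this example):
# "<date> <time> <sender> -> <recipient>: <message text>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sender>\S+) -> (?P<recipient>\S+): (?P<text>.*)$")


def classify_message(text):
    """Classify one IM message.

    Returns (verdict, details) with verdict one of:
      "worm"       - the worm's hardcoded goo.gl link is present
      "suspicious" - a known lure text and/or a shortened URL is present
      "clean"      - neither
    """
    norm = " ".join(text.casefold().split())   # case- and whitespace-insensitive
    lure = next((t for t in LURES if t.casefold() in norm), None)
    shortened = [u for u in URL_RE.findall(text)
                 if urlsplit(u).hostname in SHORTENERS]
    hit = WORM_LINK_RE.search(text)
    if hit:
        # keep_blank_values so a bare "?img=" still yields the (empty) username
        query = parse_qs(urlsplit(hit.group(0)).query, keep_blank_values=True)
        username = query.get("img", [""])[0]
        return "worm", {"lure": lure, "username": username, "shortened": shortened}
    if lure or shortened:
        return "suspicious", {"lure": lure, "username": None, "shortened": shortened}
    return "clean", {"lure": None, "username": None, "shortened": []}


def scan_log(lines):
    """Run classify_message over chat-log lines and return the non-clean ones."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # line does not follow the assumed format
        verdict, details = classify_message(m["text"])
        if verdict != "clean":
            alerts.append({"sender": m["sender"], "recipient": m["recipient"],
                           "verdict": verdict, **details})
    return alerts


def spreading_senders(alerts, min_victims=2):
    """Accounts that pushed the worm link to at least min_victims contacts.
    Fan-out from one account is the behaviour that marks an infected sender."""
    hits = Counter(a["sender"] for a in alerts if a["verdict"] == "worm")
    return sorted(s for s, n in hits.items() if n >= min_victims)


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2012-10-08 09:14:02 bart -> jan: lol is this your new profile pic? http://goo.gl/QYV5H?img=jan",
    "2012-10-08 09:14:05 bart -> pieter: hey is dit je nieuwe profielfoto? http://goo.gl/QYV5H?img=pieter",
    "2012-10-08 09:20:11 jan -> bart: haha nope, what is that link?",
    "2012-10-08 09:31:40 lisa -> bart: lol is this your new profile pic? http://bit.ly/abc123",
    "2012-10-08 09:45:00 tom -> bart: meeting notes at https://intranet.example/notes",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["verdict"], a["sender"], "->", a["recipient"], a["username"] or a["shortened"])
    print("spreading accounts:", spreading_senders(found))
```

The exact-link check is the strong signal; the lure-plus-shortener check catches the same campaign after the operators change the short URL, at the price of some false positives, which is why it is reported as "suspicious" rather than "worm".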


Let's take a closer look at the files:

skype_05102012_image.exe
Detection: 23/44 engines
MD5: 98f74b530d4ebf6850c4bc193c558a98
Reports: Anubis, Malwr, ThreatExpert

36A9.exe
Detection: 16/44 engines
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Reports: Anubis, Malwr, ThreatExpert
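The indicators above (the dropped 4-character EXE in %appdata%, the two MD5 hashes, and the six IP addresses) can be checked on a host without waiting for AV signatures. The following Python script is an added example, not code from the original post or from the analysed sample: it hashes the files directly under %APPDATA% against the two MD5s, flags EXEs with a 4-character name there, and parses "netstat -ano" style output for connections to the listed IPs. The temporary directory, its files and the netstat lines are constructed for the demo; the IRC port 6667 in the sample line is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the post.
KNOWN_MD5 = {
    "98f74b530d4ebf6850c4bc193c558a98": "skype_05102012_image.exe (dropper from the ZIP)",
    "0d4b7f4c1731c91dff56afce0ecf37c5": "36A9.exe (dropped into %APPDATA%)",
}
C2_IPS = {
    "74.208.112.178", "87.106.98.157", "199.15.234.7",
    "213.165.71.142", "213.165.71.153", "217.160.108.147",
}
# The dropped file has a random 4-character name; the post does not say the
# characters are hex, so any alphanumeric 4-character .exe is a candidate.
RANDOM_EXE_RE = re.compile(r"^[a-z0-9]{4}\.exe$", re.IGNORECASE)


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_appdata(appdata_dir, known_hashes=KNOWN_MD5):
    """Flag files directly under %APPDATA%: a known-bad hash first, otherwise
    the 4-character .exe naming pattern. Returns (name, reason, detail) tuples."""
    findings = []
    for p in sorted(Path(appdata_dir).iterdir()):
        if not p.is_file():
            continue
        digest = md5_of(p)
        if digest in known_hashes:
            findings.append((p.name, "known-bad md5", known_hashes[digest]))
        elif RANDOM_EXE_RE.match(p.name):
            findings.append((p.name, "4-char exe in %APPDATA%", digest))
    return findings


def flag_connections(netstat_lines, c2_ips=C2_IPS):
    """Parse 'netstat -ano' style lines (proto, local, remote, [state], pid)
    and return (remote_ip, remote_port, pid) for connections to C2 addresses."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                                 # header or blank line
        remote_ip, _, remote_port = fields[2].rpartition(":")
        if remote_ip in c2_ips:
            hits.append((remote_ip, remote_port, fields[-1]))
    return hits


SAMPLE_NETSTAT = [  # constructed lines in 'netstat -ano' layout, not real output
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    192.168.1.23:49213     74.208.112.178:6667    ESTABLISHED     3412",
    "  TCP    192.168.1.23:49220     40.76.0.10:443         ESTABLISHED     2200",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876",
    "  UDP    0.0.0.0:5355           *:*                                    1100",
]


def demo():
    """Build a throwaway directory standing in for %APPDATA% and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "36A9.exe").write_bytes(b"MZ constructed sample")   # name pattern
        (Path(d) / "update.tmp").write_bytes(b"constructed dropper")   # hash match
        (Path(d) / "notes.txt").write_text("nothing to see")
        # A real sample is not shipped with this example, so the hash of the
        # constructed file is added to the known list to exercise that branch.
        known = dict(KNOWN_MD5)
        known[md5_of(Path(d) / "update.tmp")] = "constructed stand-in for the dropper"
        files = scan_appdata(d, known)
    return files, flag_connections(SAMPLE_NETSTAT)


if __name__ == "__main__":
    files, conns = demo()
    for f in files:
        print("file:", *f)
    for c in conns:
        print("c2 connection:", *c)
    # On a live Windows host, run the same checks against real data:
    #   scan_appdata(os.environ["APPDATA"])
    #   flag_connections(subprocess.check_output(["netstat", "-ano"], text=True).splitlines())
```

The name-pattern check will also match legitimate short-named executables, so treat it as a triage hint that needs a hash or sandbox report to confirm; a hash match or a connection to one of the C2 addresses is a firm indicator.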


The malware is commonly identified as Worm.Dorkbot or Worm.Agent, or generically as a Trojan.

Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

On my test machines no additional malware was downloaded, even after letting it replicate a few times. The operators can however push further malware at any time, whether ransomware, rogueware or something else.



Conclusion

Worms spreading through Facebook, Twitter, IRC, MSN and Skype are nothing new. Still, they remain very successful because human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener such as goo.gl is used (others are t.co, bit.ly, tinyurl, etc.).
Don't be fooled by familiar icons or "legit" file descriptions; both are easily altered.

Even if you did click the link without becoming suspicious, you should become suspicious when no pictures are shown and instead a file is downloaded (here a ZIP containing an EXE).

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/


16 comments:

  1. How to remove this virus spam? :( lately there's a skype message pop-up in my pc it says skype useful tip, when I clicked allow access. message spammed in my skype contacts. Pls help

    Regards,
    Lawrence

    ReplyDelete
    Replies
1. Hello Lawrence! To remove the spam you must delete your Skype completely (if that doesn't work, then delete everything related to Skype), then use your antivirus to terminate the virus, after that reinstall Skype and you should be fine.

      Delete
    2. Greetings Lawrence,

      M_A_K's comment above hits the nail on the head.

      Best thing to do now is:
      - uninstall Skype
      - perform a scan with Malwarebytes (and an online scan with an antivirus product)
      - change your Skype password (better be safe than sorry!)
      - notify your Skype friends not to click on any links you might have sent out
      - reinstall Skype

      Regards,
      Bart

      Delete
  2. Just a correction: api.wipmania.com is the GeoIP service the bot uses to find the country code for its IRC nick (US, UK, CA, etc.). The real C&C servers would be the IP addresses it tries to visit after that.

    ReplyDelete
  3. Thank you very much for all the useful tips.
    I'm looking forward to the result.

    Thanks a lot,
    Lawrence

    ReplyDelete
  4. I've made a post about the botnet here:
    http://www.exposedbotnets.com/2012/10/venustimeinfopl-ngrbot-irc-botnet.html
    It includes the IRC info if anyone wants to take a look.

    ReplyDelete
  5. Hi, I followed the link in error and found that the file has been removed from Hotfile. Does this mean that I've had a lucky escape and my computer isn't affected?

    Thanks

    ReplyDelete
    Replies
    1. Hi, if you received the message "File removed by Hotfile" or similar, you are not infected.

      Stay safe,
      Cheers!

      Delete
    2. Thanks Bart! Phew!

      Delete
  6. Hi a work colleague managed to get infected with the worm and we seem to have successfully removed it. My question is - is there any possibility that it can have spread to the company network server?

    ReplyDelete
    Replies
    1. I doubt it, but remember Dorkbot is also able to infect USB drives, so disable autorun in your whole network.

      Also, you can always run a scan on the server in case of doubt.

      Let me know should you have any more questions.

      Delete
  7. Good, informative. Is the link to the web resource hardcoded or the "controllers" behind this one are able to update it ?

    ReplyDelete
    Replies
    1. It was hardcoded, but that doesn't mean they can't generate new droppers ;).

      Delete
  8. My, such virus is spreading. Thank you very much for the heads up as well as the information you have provided. This calls for an anti-spam application to avoid further viruses from invading.

    ReplyDelete
  9. These would indeed be nice features. visit more info Skype Help.

    ReplyDelete