Sep 11, 2007

[Security] New Skype worm and rejoinder on URL obfuscation

F-Secure, Trend Micro, and Symantec reports on a new worm spreading via Skype.

The malware is the usual IM variety, propagating by sending links to Skype contacts. The link at face value points to a purportedly harmless JPEG file. But once clicked, a copy of the worm is downloaded and executed on the user's computer. It displays the image SOAP BUBBLES.BMP (if it exists on the user's computer) to hide the malware's existence.

It also exhibits properties common to bot worms, like shutting down security applications and blocking security-related Web sites via HOSTS file modification.

Skype users are advised not to click on links sent via Skype's chat feature, unless they are very sure that the link is legitimate.

Incidentally, in a previous post, I discussed the problems in lack of standards in making malware descriptions. Once again, the lack of standards defeat the purpose of obfuscating malicious URL. Both Trend Micro and F-Secure blog posts on the Skype worm published the malicious URLs that the worm sends. Both employed URL obfuscation, but with different output.

(click on the image to view full size)
On F-Secure:

On Trend Micro:

Based on the two posts, we can determine the complete URL.

No comments:

Post a Comment