Password-Stealing Trojan Targets Skype

By Lisa Vaas  |  Posted 2007-10-17 Print this article Print

A Trojan poses as a security plug-in, displaying a fake Skype log-in screen almost identical to the real thing.

A password-stealing Trojan is targeting Skype, posing as a security plug-in for the popular VOIP and IM service and displaying a fake log-in screen thats almost identical to the real thing. McAfees Avert Labs is identifying the Trojan as PWS-Pykse, F-Secure is referring to it as Trojan-Spy.Win32.Skyper.B and Skype is calling it 65404-SkypeDefenderSetup.exe. The Trojan, which identifies itself as a plug-in called "Skype-Defender," is attempting to steal Skype user names and passwords, along with all user names and passwords saved in Internet Explorer.
According to a blog posted on Oct. 17 by Avert Labs, headquartered in Santa Clara, Calif., the malware isnt spreading by itself. Rather, its author is posting it on "dodgy" sites or forums and relying on users to be tricked into executing it. After execution, the Trojan disables running instances of Skype and swaps in its fake Skype log-in window. If the victim enters a user name and password, the malware captures them and any others saved in IE and posts the information via HTTP to a Web site for the malware author to retrieve.
One way to distinguish Skypes real log-in from Skype Defenders bogus version is that none of the hyperlinks work on the fake log-in screen. However, "Most people dont necessarily check," said McAfee Avert Labs Security Research and Communications Manager Dave Marcus. "Theyll just probably enter their name, log in, and boom, they have their password stolen." Another way to distinguish the phony log-in screen is that its sign-in button has a metallic gray border, whereas on Skypes legitimate log-in screen, the button has a red border. Marcus told eWEEK in an interview that this particular Trojan is approximately the 12th piece of malware that McAfee has identified as targeting Skype. One of the more recent examples was a worm Symantec referred to as W32.Pykspa.D that in September was infecting Skype for Windows users with a virus spread via cleverly composed instant messages. Infected systems were sending chat messages to other Skype users asking them to click on a link that appeared to be a harmless JPEG file. If the link was clicked, the worm then transmitted the infection. Those who worry about network security tend to dislike Skype. They cite the services ability to embed things into a protocol, its disruption of calling services and the fact that it uses supernodes that can have the same effect as a denial-of-service attack on a network as reasons to avoid its use in the enterprise. It is also said that Skypes encryption makes it impossible to figure out what malware its dragging onto an enterprise network. Other recent malware to hitch a ride on the Skype VOIP (voice-over-IP) service has included a Trojan named Warezov or Stration that used contact lists to spread to users friends, family and colleagues in late March. In April, another Skype worm made the rounds, sending a malware link to online friends in Skype users contact lists. Before sending a message containing the malware link, the April Trojan set the infected users status to Do Not Disturb and, as a side effect, silenced calls or message alerts. Security researchers and Skype are recommending that users update their anti-virus detections to avoid infection. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel