Password-Stealing Trojan Targets Skype

A Trojan poses as a security plug-in, displaying a fake Skype log-in screen almost identical to the real thing.

A password-stealing Trojan is targeting Skype, posing as a security plug-in for the popular VOIP and IM service and displaying a fake log-in screen thats almost identical to the real thing.

McAfees Avert Labs is identifying the Trojan as PWS-Pykse, F-Secure is referring to it as Trojan-Spy.Win32.Skyper.B and Skype is calling it 65404-SkypeDefenderSetup.exe.

The Trojan, which identifies itself as a plug-in called "Skype-Defender," is attempting to steal Skype user names and passwords, along with all user names and passwords saved in Internet Explorer.

According to a blog posted on Oct. 17 by Avert Labs, headquartered in Santa Clara, Calif., the malware isnt spreading by itself. Rather, its author is posting it on "dodgy" sites or forums and relying on users to be tricked into executing it. After execution, the Trojan disables running instances of Skype and swaps in its fake Skype log-in window. If the victim enters a user name and password, the malware captures them and any others saved in IE and posts the information via HTTP to a Web site for the malware author to retrieve.

One way to distinguish Skypes real log-in from Skype Defenders bogus version is that none of the hyperlinks work on the fake log-in screen.

However, "Most people dont necessarily check," said McAfee Avert Labs Security Research and Communications Manager Dave Marcus. "Theyll just probably enter their name, log in, and boom, they have their password stolen."

Another way to distinguish the phony log-in screen is that its sign-in button has a metallic gray border, whereas on Skypes legitimate log-in screen, the button has a red border.

Marcus told eWEEK in an interview that this particular Trojan is approximately the 12th piece of malware that McAfee has identified as targeting Skype.

One of the more recent examples was a worm Symantec referred to as W32.Pykspa.D that in September was infecting Skype for Windows users with a virus spread via cleverly composed instant messages. Infected systems were sending chat messages to other Skype users asking them to click on a link that appeared to be a harmless JPEG file. If the link was clicked, the worm then transmitted the infection.

Those who worry about network security tend to dislike Skype. They cite the services ability to embed things into a protocol, its disruption of calling services and the fact that it uses supernodes that can have the same effect as a denial-of-service attack on a network as reasons to avoid its use in the enterprise. It is also said that Skypes encryption makes it impossible to figure out what malware its dragging onto an enterprise network.

Other recent malware to hitch a ride on the Skype VOIP (voice-over-IP) service has included a Trojan named Warezov or Stration that used contact lists to spread to users friends, family and colleagues in late March.

In April, another Skype worm made the rounds, sending a malware link to online friends in Skype users contact lists. Before sending a message containing the malware link, the April Trojan set the infected users status to Do Not Disturb and, as a side effect, silenced calls or message alerts.

Security researchers and Skype are recommending that users update their anti-virus detections to avoid infection.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.