Skype Worm Spreads Ransomware, Botnet Links
Security researchers at Trend Micro and Sophos are warning Skype users to be wary of links that are social-engineered to lead users to malware.
Security researchers are warning Skype users about an ongoing attack that dupes people into loading a link that spreads malware. According to Trend Micro, the attack has resulted in infected users spamming their contact lists with messages in both English and German. The English version of the message states: "lol is this your new profile pic?" along with a URL. The message in German is similar.
In both cases, the shortened URL eventually redirects to a download on hotfile.com that pulls down an archive named "Skype_todaysdate.zip" containing a single executable file of the same name, explained Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. The executable, he added, installs a variant of the Dorkbot worm.
"Since we added detection for the two elements of this attack—respectively TROJ_DLOADER.IF for the initial dropper and WORM_DORKBOT.IF for the Dorkbot component—we have upwards of 400 detections in less than 12 hours," he told eWEEK, adding that those statistics only cover Trend Micro customers. "These are represented in every continent with a relatively even spread."
Once on the system, the Dorkbot variant appears to initiate a click fraud scheme and ropes the compromised machine into a botnet, Ferguson noted in his blog post. The malware subsequently installs a ransomware variant that locks the user out of their machine and notifies them that their files have been encrypted and that they will be deleted unless the victim hands over $200 in 48 hours.