Skype Worm Attacks Security Software

Skype is working with domain owners to shut down malicious sites infecting Skype for Windows users via instant messages.

Yet another worm is sticking it to Skype.

The VOIP (voice over IP) companys security team as of Sept. 11 was working with domain owners to shut down malicious sites that are infecting Skype for Windows users with a virus being spread via cleverly composed instant messages.

Initially, Skype was calling the virus w32/Ramex.A, but Finnish security firm FSecure is calling it W32/Skipi.A, whereas Symantec, in Cupertino, Calif., is referring to the worm as W32.Pykspa.D—a new variant in the family of worms called Pykspa.

Infected systems are sending chat messages to other Skype users asking them to click on a link that appears as a harmless .jpeg file. If clicked, the worm then transmits the infection anew.

The worm is camouflaging itself with a bitmap file of soap bubbles—namely, a default bitmap graphic contained in the Windows installation directory. If Skype users see the bubbles image after clicking on a link in a Skype message, Symantec said chances are theyve been infected.

The worm is also practicing self-defense by trying to shut down security software on target machines and by preventing update downloads by disabling access to security-related sites via modifying the hosts file, Symantec said.

According to Symantec, the worm sends a chat message to each contact on the target systems contact list, checking the language settings and translating its message into a variety of languages, including Latvian, Russian and English.

The worm is sending out an array of messages. A selection of the English come-ons:

a ?
haha lol
how are u ? :)
I used photoshop and edited it
look what crazy photo Tiffany sent to me,looks cool
now u populr
oh sry not for u
oops sorry please dont look there :S
really funny
this (happy) sexy one
u happy ?
what ur friend name wich is in photo ?
where I put ur photo :D
you checked ?
your photos looks realy nice

Skypes encrypted VOIP service is a boon for those who want to keep their communications secret or those who want to make cheap calls, but its a major headache for IT administrators.

First, its difficult to detect when its on a network. The service constantly switches which ports it uses, making it very difficult to pin down its whereabouts. Second, once its on the network, it uses its peer-to-peer protocol to set up supernodes using the most efficient paths on a network. Those supernodes change at will with the changing traffic on the Internet, almost like mini switches, and they suck up a ton of bandwidth.

That makes IT administrators nervous, given that they can wake up and have significant chunks of their network bandwidth swallowed up by Skype. From a security standpoint, Skype, based in Luxembourg, gets downright scary, however, given that theres no way to monitor its encrypted protocol to detect worms or other payloads.

F-Secure, Kaspersky Labs and Symantec have already written signatures to detect the Pykspa variant, but they could only do that after the fact—after the worm had managed to get onto a network.

Steve Bannerman, vice president of marketing and product management for Narus, a Mountain View, Calif., provider of carrier-class security for IP networks and services that includes Skype, told eWEEK that the Pykspa worm may well cause a spike in the number of enterprises that are calling their carriers and instructing them to block Skype.


Read more here about how Skypes protection is limited.

"Skype is a security threat in a number of ways: Its ability to embed things into a protocol, [its disruption of] calling services, or it uses supernodes that can have the same effect as a denial of service [attack] on a network," Bannerman said.

He added that Skypes encryption has not only made it impossible to figure out what malware its dragging onto an enterprise network, it has also made it a boon for terrorists and criminals.

"We do a lot of work with governments around world," Bannerman said. "Communications via encrypted P2P protocols like Skype are top of mind with those folks. … Its impossible to wiretap those calls. Theyre encrypted. Standard VOIP calls, or with our cell phones, you can wiretap those calls and listen in. But not with Skype."

Other recent malware to hitch a ride on the Skype VOIP service has included a Trojan named Warezov or Stration that used contact lists to spread to users friends, family and colleagues in late March.

In April, another Skype worm made the rounds, sending a malware link to online friends in Skype users contact lists. Before sending a message containing the malware link, the April Trojan set the infected users status to Do Not Disturb and, as a side effect, silenced calls or message alerts.

For this latest Pykspa variant, Symantec has more information and the complete list of messages it has detected to date in this write-up of the worm.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.