Skype Worm Spreads Ransomware, Botnet Links

Security researchers at Trend Micro and Sophos are warning Skype users to be wary of links that are social-engineered to lead users to malware.

Security researchers are warning Skype users about an ongoing attack that dupes people into loading a link that spreads malware

According to Trend Micro, the attack has resulted in infected users spamming their contact lists with messages in both English and German. The English version of the message states: "lol is this your new profile pic?" along with a URL. The message in German is similar.

In both cases, the shortened URL eventually redirects to a download on that pulls down an archive named "” containing a single executable file of the same name, explained Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. The executable, he added, installs a variant of the Dorkbot worm.

"Since we added detection for the two elements of this attack—respectively TROJ_DLOADER.IF for the initial dropper and WORM_DORKBOT.IF for the Dorkbot component—we have upwards of 400 detections in less than 12 hours," he told eWEEK, adding that those statistics only cover Trend Micro customers. "These are represented in every continent with a relatively even spread."

Once on the system, the Dorkbot variant appears to initiate a click fraud scheme and ropes the compromised machine into a botnet, Ferguson noted in his blog post. The malware subsequently installs a ransomware variant that locks the user out of their machine and notifies them that their files have been encrypted and that they will be deleted unless the victim hands over $200 in 48 hours.

Ransomware has been on the rise of late. According to security vendor McAfee, the number of new ransomware samples increased by roughly 50 percent between the first and second quarters of the year. All totaled, the number of new ransomware threats jumped to more than 120,000 during the second quarter.

Graham Clulely, senior technology consultant at Sophos, noted that there have been many variants of the Dorkbot attack spotted in the last year or so through Facebook and Twitter.

"The threat can also spread via USB sticks, and various instant messaging protocols," he blogged. "The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users. Always remember to be suspicious of unsolicited out-of-character messages sent to you by your online friends. You don't know that it was a friend who sent you the message, all you know is that it was their account which posted it to you ... and who knows if it was compromised or not?"

In a statement, Skype said it is aware of the attack.

"Skype takes the user experience very seriously, particularly when it comes to security," a spokesperson told eWEEK. "We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links—even when from your contacts—that look strange or are unexpected is not advisable."