Worm spreading on Skype IM installs ransomware

JMH (Emeritus, Contributor)
A malicious worm spreading through Skype instant messages threatens to take control of a victim's machine and hold its contents for ransom.

The issue, which was first brought to light Friday by GFI, tricks users into downloading a ZIP file by displaying the socially engineered message, "lol is this your new profile pic?" along with a link that also spreads the message to other Skype users. The ZIP file contains an executable that installs a variant of the Dorkbot worm and creates a backdoor via "Blackhole," an exploit kit used by criminals to infect computers through security holes.

http://news.cnet.com/8301-1009_3-57...?part=rss&tag=feed&subj=News-Security&Privacy
 
...I did some debugging on a specific ransomware trojan a while back; it was an interesting look at how smart some of these people are. It could've bypassed the detection of being considered a trojan the entire time (by the person themselves), and even after it was removed, because it was designed not to take a malware expert to remove it. In fact, it would remove itself, and that's the hard thing to understand at first, but there's a key reason for that: it was specifically designed to look like something that Microsoft would've implemented as a security measure on your computer. Something on boot, before login, that would display a message about data on your computer being insecure or your key being invalid.

Then this is where it got smart.... :)

Note: They expect you to call a specific phone number to get it fixed, in order to retrieve a key from "Microsoft" to put in, so that you can get your computer back along with all the files on your hard drive. (Even if you didn't phone, though, after about 3 inputs, regardless of what that key was, it would give you your system back.)

While you phone in numerous times, though, you'd get an automated voice saying "please hold..." so that they could keep you on that line for about 5 minutes, basically slowing down the process for everything. After a planned estimated time of about 15 minutes per person dealing with this ransomware, that one extended phone call would be making people money, because of how far it was reaching out to some foreign country. (Not sure of the details on profiting from it, but this was the idea behind it all.)

You'd get your system back, however, and probably have no clue that any of this was really going on. Btw, this was from a proclaimed Firefox upgrade, because the involved hackers, I believe, hacked into the FTP for their website and uploaded their own maliciously modified file in place of the official featured download on their site. Thus there was no need to change any of the HTML, or any link on the page.
 