What is the Dorkbot worm that is attacking Skype’s users?

Pierluigi Paganini October 11, 2012

What could happen if malware compromised a communication system used daily by 663 million users (figure dated September 2011)? Security experts have issued an alert to Skype users about an ongoing attack that tries to induce them to open a link that spreads malware.

The famous voice-over-IP application has changed completely from the original version created in 2003 by Niklas Zennström and Janus Friis. For years it was considered a "tap-proof" channel; easy and efficient, it has become an indispensable tool, for work and beyond, for millions of users all over the world. Microsoft has owned it since 2011, and many experts believe the original architecture is a distant memory: today the application is a commercial communication platform run by an enterprise that is too close to the interests of some governments ... but that is another story. It is clear that such a widespread tool is of interest to many groups of hackers, cyber criminals and state-sponsored specialists who would exploit the application to compromise the security of a wide community.

Security firm Trend Micro was the first to alert the Skype community to an attack that infects users and then spams their contact lists with messages in both English and German, such as:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username” (roughly: "hi, hard to believe what nice photos of you are on your profile")

The URL in the message redirects the user to hotfile.com to download an archive named "Skype_todaysdate.zip" containing an executable of the same name.
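The delivery chain above has two recognisable stages: a chat message carrying a shortened URL whose "img" parameter is the recipient's own username, and an archive whose only payload is an executable named after the archive. The following is an added Python example, not code from the article, Trend Micro or Sophos, that checks both. The messages are constructed on the model of the two lures quoted above; the recipient name "alice", the path token "EXAMPLE", the shorteners other than goo.gl, the date format in the archive name and the "MZ" stub inside it are all assumptions for the example.

```python
"""Triage for the Skype lure described above.

Stage 1: a chat message carrying a shortened URL whose 'img' parameter is the
recipient's own username.  Stage 2: the downloaded archive 'Skype_<date>.zip'
holding a single executable of the same name.  Messages and archive below are
constructed for this example; they are not captured from the campaign.
"""
import io
import re
import zipfile
from urllib.parse import parse_qs, urlsplit

# goo.gl is the shortener quoted in the article; the rest are an assumption
# so the check is not tied to one service.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}

# Phrases taken from the English and German lures quoted in the article.
LURE_PHRASES = ("profile pic", "fotos von dir", "deinem profil")

# Matches live (http/https) and defanged (h__p, hxxp) schemes.
URL_RE = re.compile(r"h(?:tt|__|xx)ps?://[^\s\"'<>]+", re.I)

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def analyse_message(text: str, recipient: str) -> dict:
    """Return the lure indicators found in one chat message addressed to `recipient`."""
    found = set()
    for raw in URL_RE.findall(text):
        url = re.sub(r"^h(?:__|xx)p", "http", raw, flags=re.I)  # re-arm defanged scheme
        parts = urlsplit(url)
        if (parts.hostname or "").lower() in SHORTENERS:
            found.add("shortened_url")
        img = parse_qs(parts.query).get("img", [None])[0]
        if img is not None:
            found.add("img_parameter")
            if img.lower() == recipient.lower():
                found.add("personalised_with_recipient_name")
    if any(p in text.lower() for p in LURE_PHRASES):
        found.add("lure_phrase")
    # A shortener alone is normal; a shortener plus personalisation or a
    # known lure phrase is what made this campaign recognisable.
    suspicious = "shortened_url" in found and (
        "personalised_with_recipient_name" in found or "lure_phrase" in found)
    return {"suspicious": suspicious, "indicators": sorted(found)}


def analyse_archive(name: str, data: bytes) -> dict:
    """Flag an archive whose payload is an executable named after the archive itself."""
    stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
        execs = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
        # Check the body, not only the extension: a PE file starts with 'MZ'.
        pe_bodies = [m for m in execs if zf.read(m)[:2] == b"MZ"]
    namesake = [m for m in pe_bodies
                if m.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower() == stem]
    return {
        "members": members,
        "namesake_executable": bool(namesake),
        "suspicious": bool(namesake) and len(members) == 1,
    }


def build_sample_archive() -> tuple:
    """Constructed stand-in for 'Skype_todaysdate.zip': one fake PE named after the
    archive.  The date format and the 'MZ' stub are assumptions for the example."""
    name = "Skype_2012-10-11.zip"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Skype_2012-10-11.exe", b"MZ" + b"\x00" * 62 + b"fake-stub")
    return name, buf.getvalue()


# Constructed messages modelled on the two lures quoted in the article, plus a
# benign one; 'alice' and the 'EXAMPLE' path token are placeholders.
SAMPLE_MESSAGES = [
    ("alice", "lol is this your new profile pic? h__p://goo.gl/EXAMPLE?img=alice"),
    ("alice", "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil "
              "h__p://goo.gl/EXAMPLE?img=alice"),
    ("alice", "meeting moved to 3pm, notes at https://intranet.example.local/notes/42"),
]

if __name__ == "__main__":
    for recipient, message in SAMPLE_MESSAGES:
        print(analyse_message(message, recipient))
    print(analyse_archive(*build_sample_archive()))
```

The message check deliberately treats a shortener on its own as normal traffic: the signal in this campaign was the combination of a shortened link with either the recipient's own username in the query string or one of the lure phrases. The archive check reads the first two bytes rather than trusting the extension, so a renamed PE is still caught.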

Rik Ferguson, director of security research and communication at Trend Micro, in a blog post explained:

 “The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. They can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a Proxy server and download and install further malware at the botmaster’s initiation. “

The malware is complete: it has a large number of features that make the malicious code very versatile. It is able to spy on victims and to turn their machines into offensive agents for use in DDoS attacks. The agent appears really dangerous: it infects victims, turns them into bots, and can also install a ransomware component that locks the user out and demands $200 within 48 hours to avoid the destruction of their files.

The malware opens a backdoor that gives the attacker remote control, communicating with a remote server via HTTP. According to a Sophos post, on execution the malware copies itself to

%PROFILE%\Application Data\Jqfsfb.exe

and sets the autostart entry as below:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Jqfsfb"
description    = "Skype "
publisher      = "Skype Technologies S.A."
image          = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string  = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"
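What makes this Run-key entry stand out is not the key itself (Skype legitimately registers there) but the combination of Skype branding, an image under the user's Application Data directory rather than Program Files, and a generated-looking file name. The following added Python example, not code from the article or from Sophos, parses records in the listing format shown above and applies those three checks. The first record repeats the Sophos data; the Skype-under-Program-Files and ctfmon records, and their paths, are constructed benign controls for the example.

```python
"""Triage of Run-key autostart entries in the listing format shown above.

The first record repeats the Sophos data for the Dorkbot sample; the Skype and
ctfmon records, and their paths, are constructed benign controls for the example.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LISTING = r'''
entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Jqfsfb"
description    = "Skype "
publisher      = "Skype Technologies S.A."
image          = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string  = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Skype"
description    = "Skype"
publisher      = "Skype Technologies S.A."
image          = "c:\program files\skype\phone\skype.exe"
launch_string  = "C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized"

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "ctfmon.exe"
description    = "CTF Loader"
publisher      = "Microsoft Corporation"
image          = "c:\windows\system32\ctfmon.exe"
launch_string  = "C:\WINDOWS\system32\ctfmon.exe"
'''

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')

# Directories an unprivileged user can write to; a persistent 'Skype' living
# here instead of under Program Files is the first thing to question.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\",
                 "\\temp\\", "\\users\\public\\")
VENDOR_DIRS = ("\\program files\\", "\\program files (x86)\\")


def parse_autostart_listing(text: str) -> list:
    """Turn key = "value" lines into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def triage_entry(rec: dict) -> list:
    """Return the reasons an entry deserves a second look (empty list = nothing found)."""
    reasons = []
    image = rec.get("image", "").lower()
    if any(d in image for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    branding = (rec.get("description", "") + " " + rec.get("publisher", "")).lower()
    if "skype" in branding and not any(v in image for v in VENDOR_DIRS):
        reasons.append("claims Skype branding but image is not under Program Files")
    stem = PureWindowsPath(image).stem
    if stem and not any(c in "aeiouy" for c in stem):
        # Weak signal on its own: generated names like 'jqfsfb' rarely contain vowels.
        reasons.append(f"file name '{PureWindowsPath(image).name}' has no vowels")
    return reasons


def triage_listing(text: str) -> dict:
    """Map each entry name to its list of reasons."""
    return {rec["entry"]: triage_entry(rec) for rec in parse_autostart_listing(text)}


if __name__ == "__main__":
    for entry, reasons in triage_listing(SAMPLE_LISTING).items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{entry:12} {status}")
        for r in reasons:
            print(f"    - {r}")
```

On a live Windows host the same fields come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or from Sysinternals Autoruns; the point of the heuristics is that each one alone produces false positives (several legitimate updaters run from Application Data), while all three together on an entry that calls itself "Skype" is what a responder should escalate.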

Dorkbot malware is not new; last year several variants were detected spreading via common social network platforms such as Facebook, via USB sticks and via various instant messaging protocols.

Skype is an excellent vector for spreading malware because of its wide diffusion, especially in workplaces; machines in such environments are privileged targets because they can be used for cyber espionage and recruited into botnets outside working hours.

Has Skype been informed?

Yes, the company released an official communication to the Sophos Naked Security website, asking it to publish the following statement:

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.”

 

Many colleagues have asked me for an opinion on the malware, and some have speculated about a possible state-sponsored origin. What we are dealing with appears to be a clear example of malware used by cyber criminals to carry out fraud. Analyzing the functionality of the malware, I think it may be a product obtained through successive developments of the original Dorkbot. It is not uncommon to read news of on-demand development in a model defined as "malware-as-a-service", including, for example, improvements to infection capabilities, as happened with the Zeus malware.

The malware has, for example, a ransomware feature, but why ask the victim for $200 if I can steal his banking credentials or recruit his machine into a botnet? In my opinion the malware looks like a general-purpose product sold to cybercrime groups to implement different fraud schemes.

How can we protect ourselves?

Awareness first of all: users must be careful every time they accept a contact request on Skype and, in general, on every social network platform. We are submerged daily by messages, friend requests, videos and images ... we must be aware that a cyber threat could be hidden behind any of them. Do not click on links out of curiosity, avoid opening attachments from unknown senders, and every time you notice strange communications coming from your trusted contacts, inform them immediately: they may have been infected. ... And of course keep your defense systems updated!

Pierluigi Paganini

