What is the Dorkbot worm that is attacking Skype’s users?

Pierluigi Paganini October 11, 2012

What could happen if malware compromises a communication system used daily by 663 million users (figure dated September 2011)? Security experts have issued an alert to Skype users about an ongoing attack that tries to induce them to click a link that spreads malware.

The famous voice-over-IP application has changed completely from the original version created in 2003 by Niklas Zennström and Janus Friis. For years it was considered a “tap-proof” channel; easy to use and efficient, it has become an indispensable tool, for work and not only, for millions of users all over the world. It has been owned by Microsoft since 2011, and many experts believe the original architecture is a distant memory: today the application is a commercial communication platform managed by an enterprise too close to the interests of some governments ... but that is another story. It is clear that such a widespread tool is of interest to many groups of hackers, cyber criminals and state-sponsored specialists who would exploit the application to compromise the security of a wide community.

Security firm Trend Micro was the first to alert the Skype community to an attack in which infected users spam their contact lists with messages in both English and German, such as:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username” (roughly: “hi, hard to believe what beautiful photos of you are on your profile”)

The URL in the message redirects the user to hotfile.com to download an archive named “Skype_todaysdate.zip” containing an executable of the same name.
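The delivery chain above (a goo.gl short link, a redirect to hotfile.com, a download of Skype_<date>.zip) is easy to spot in web proxy logs after the fact. The following is an added example, not code from the article or from Trend Micro: it scans constructed proxy log lines and reports each client that fetched a URL-shortener link and, within a short window, downloaded a Skype_<date>.zip from a file-hosting site. The log format, the one-minute window, the short codes, the extra shortener hosts and the digit count in the date are all assumptions; the article only says "Skype_todaysdate.zip".

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): epoch time, client IP, method, URL, status.
# Short codes and file IDs are made up; they are not the ones from the campaign.
SAMPLE_LOG = """\
1349950000 10.0.0.5 GET http://goo.gl/abc12?img=alice 302
1349950001 10.0.0.5 GET http://hotfile.com/dl/123456/Skype_11102012.zip 200
1349950300 10.0.0.7 GET http://goo.gl/zz9yy 302
1349950301 10.0.0.7 GET http://example.org/index.html 200
1349950500 10.0.0.9 GET http://hotfile.com/dl/987654/Skype_11102012.zip 200
"""

# goo.gl and hotfile.com come from the article; the other hosts are assumptions.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com"}
FILE_HOSTS = {"hotfile.com"}
# The article says "Skype_todaysdate.zip" without giving the date format,
# so a 6-8 digit date is an assumption.
LURE_ARCHIVE = re.compile(r"/Skype_\d{6,8}\.zip$", re.IGNORECASE)
WINDOW_SECONDS = 60

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(url):
    """Lower-cased host part of a URL, or '' if it does not parse."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse(log_text):
    """Turn log lines into (timestamp, client, url, status) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        events.append((int(ts), client, url, int(status)))
    return events


def find_lure_chains(log_text, window=WINDOW_SECONDS):
    """Return (client, shortener_url, archive_url) for every Skype_<date>.zip
    download from a file host. shortener_url is the goo.gl-style link the same
    client hit within `window` seconds before, or None if there was none, so a
    download whose redirect happened outside the window is still reported."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)

    hits = []
    for client, events in by_client.items():
        events.sort()  # chronological per client
        last_short = None  # (timestamp, url) of the most recent shortener hit
        for ts, _, url, _status in events:
            host = host_of(url)
            if host in SHORTENER_HOSTS:
                last_short = (ts, url)
            elif host in FILE_HOSTS and LURE_ARCHIVE.search(url.split("?")[0]):
                ref = last_short[1] if last_short and ts - last_short[0] <= window else None
                hits.append((client, ref, url))
    return hits


if __name__ == "__main__":
    for client, short, archive in find_lure_chains(SAMPLE_LOG):
        print(f"{client}: {short or '<no shortener seen>'} -> {archive}")
```

In the constructed sample, 10.0.0.5 shows the full chain, 10.0.0.7 only followed a shortener to a harmless page and is not reported, and 10.0.0.9 downloaded the archive with no shortener hit in the window and is reported with the shortener field empty.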

Rik Ferguson, director of security research and communication at Trend Micro, explained in a blog post:

“The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. They can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a Proxy server and download and install further malware at the botmaster’s initiation.”

The malware is complete: it has a large number of features that make the malicious code very versatile. It is able to spy on victims and to turn their machines into offensive agents for use in DDoS attacks. The agent appears really dangerous; it infects victims, turning them into bots, and it can also install a ransomware component that locks the user out and demands $200 within 48 hours to avoid the destruction of their files.

The malware opens a backdoor that gives the attacker remote control, communicating with a remote server via HTTP. According to the Sophos post, on execution the malware copies itself to

%PROFILE%\Application Data\Jqfsfb.exe

and sets the autostart entry as below:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Jqfsfb"
description    = "Skype "
publisher      = "Skype Technologies S.A."
image          = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string  = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"
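The persistence entry Sophos lists has several tells a practitioner would check for in any Run-key value: the image sits in a user-writable profile directory rather than under Program Files, the executable name is a meaningless string, and the display metadata borrows Skype's branding (with a stray trailing space in the description). The following is an added example, not code from the article or from Sophos: it triages autorun entries given as plain dictionaries, so it runs anywhere; on a live Windows host you would feed it the values read from the Run key. The first sample entry mirrors the one above; the second is a benign-looking entry constructed for contrast, and the "random name" vowel heuristic is an assumption of this example.

```python
import re

# Constructed autorun entries in the shape Sophos reported. The first mirrors the
# Dorkbot entry from the article; the second is a made-up benign entry for contrast.
SAMPLE_ENTRIES = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Jqfsfb", "description": "Skype ", "publisher": "Skype Technologies S.A.",
     "image": r"C:\Documents and Settings\support\Application Data\Jqfsfb.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Skype", "description": "Skype", "publisher": "Skype Technologies S.A.",
     "image": r"C:\Program Files\Skype\Phone\Skype.exe"},
]

# Profile locations any user can write to; the list is an assumption, extend as needed.
USER_WRITABLE = re.compile(r"\\(Application Data|AppData|Local Settings\\Temp|Temp)\\",
                           re.IGNORECASE)
PROGRAM_DIRS = re.compile(r"^[a-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
VOWELS = set("aeiouy")


def _stem(filename):
    return re.sub(r"\.exe$", "", filename, flags=re.IGNORECASE)


def looks_random(filename):
    """Crude heuristic (an assumption of this example): a stem of four or more
    letters with fewer than 20% vowels, like 'Jqfsfb', looks machine-generated."""
    letters = [c for c in _stem(filename).lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage_run_entry(entry):
    """Return a list of human-readable findings for one autorun entry.
    An empty list means nothing in the entry tripped a check."""
    findings = []
    image = entry["image"]
    basename = image.rsplit("\\", 1)[-1]

    if USER_WRITABLE.search(image):
        findings.append("image lives in a user-writable profile directory")
    if looks_random(basename):
        findings.append("executable name looks machine-generated")

    branding = (entry.get("publisher", "") + " " + entry.get("description", "")).lower()
    if "skype" in branding and not PROGRAM_DIRS.match(image):
        findings.append("claims Skype branding but is not installed under Program Files")

    desc = entry.get("description", "")
    if desc != desc.strip():
        findings.append("description has leading/trailing whitespace (copied metadata)")
    return findings


def triage_all(entries):
    """Map each entry's Run value name to its findings."""
    return {e["name"]: triage_run_entry(e) for e in entries}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_ENTRIES).items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

None of these checks is proof on its own (plenty of legitimate updaters run from AppData), but an entry that trips all four, as the Dorkbot one does, deserves a look at the file's signature and its network connections.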

Dorkbot malware is not new: last year several variants were detected spreading via common social network platforms such as Facebook, via USB sticks and via various instant messaging protocols.

Skype is an excellent vector for spreading malware because of its wide diffusion, especially in workplaces; machines in this kind of environment are privileged targets because they can be used for cyber espionage and, outside working hours, as members of a botnet.

Has Skype been informed?

Yes, the company released an official communication to the Sophos Naked Security website, asking it to publish the following statement:

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.”


Many colleagues have asked me for an opinion on the malware, and some have even speculated about a possible state-sponsored origin. We are dealing with a clear example of malware used by cyber criminals to implement fraud, so it appears. Analyzing the functionality of the malware, I think it might be a product obtained through subsequent developments of the original Dorkbot. It is not uncommon to read news of on-demand developments in a model defined as “malware-as-a-service”, including, for example, the possibility of improving infection capabilities, as happened with the Zeus malware.

The malware has, for example, a ransomware feature, but why ask the victim for $200 if I can steal his banking account or recruit him into a botnet? In my opinion the malware appears to be a general-purpose product sold to cybercrime to implement different fraud schemes.

How to protect ourselves?

Awareness first of all: the user has to be careful every time he accepts a connection on Skype and, in general, on every social network platform. We are daily submerged by messages, friend requests, videos and images ... we must be conscious that behind each of them a cyber threat could be hidden. Do not click on links just out of curiosity, avoid opening attachments from unknown senders, and every time you notice a strange communication coming from a trusted source, inform them immediately: they may have been infected. ... And of course keep your defense systems updated!

Pierluigi Paganini
