::Trend Micro Threat Resource Center::

17 October 2012

Malware targeting Skype missed a trick

Last week reports came out stating that the Dorkbot worm is now targeting Skype users. The worm fools users into downloading the malware, whose payload locks down machines. Once infected, users' contact lists are pinged with the message "LOL is this your new profile pic?" and a .zip file.

When the .zip file is opened, it opens a backdoor and installs the worm. The machine is then enlisted into a botnet and users are asked to make a $200 payment within 24 to 48 hours in order to receive their files back.

This ransomware aspect of the worm is a new element compared to the previous strains that affected Facebook and Twitter.

Dominique Karg, Chief Hacking Officer at AlienVault, comments on why he thinks Dorkbot will not be as effective as it could have been:

“There are three things about this worm that surprise me:

Firstly, the phrase "LOL is this your new profile pic?" makes it look like this is targeted at a younger segment of the population, therefore really narrowing down the victims.

If the target is the younger generation then $200 seems like a lot of money for that "target" audience. Why not make it $50? I think a lot more people who have contacts who would send them a .zip file with a "LOL is this your new profile pic?" message would pay $50 or $100 rather than $200. And I'm thinking about the US here. $200 in some other countries is a small fortune...

Why the 24/48 hour timeframe? Are the authors trying to urge people into paying before the malware gets deleted? The harm is done anyway at this point, deleting the malware won't get the files back, as far as I know, so why the urge?

This malware doesn't exploit any system vulnerability; it exploits trust, so with the right message they could have got a lot more people to be fooled into executing the program (worm). We always warn people to disregard attachments from unknown people. However, in this case this file is being sent from your trusted ‘buddies’.

It surprises me that the people who have written this malware have not made the message change depending on the target. If the target's name is 2 words, then they could have put something more serious, like "please don't share this but I wanted you to have it", while to a 1 word destination (much more likely to be a nickname or a "buddy") they could have sent the above message.

Finally, in Skype you can also see the local time for your contacts, which should give you a rough idea of where they are located, "wealth"-wise, therefore enabling them to adjust the ransom accordingly. The writers of this malware are definitely missing a trick.”

10 October 2012

New TDL4 rootkit successfully hiding from AV

A new variant of TDL4 has been identified, and it is now ranked as the second most prevalent malware strain within two months of detection.

The characteristics are similar to those of the TDL4 rootkit iteration that Damballa detected a month ago. Damballa picked it up through its network behavioural analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication.

Since Damballa could only determine the existence of the new malware by looking for domain fluxing, it was concluded that no binary samples of the new malware had been identified and categorised by commercial antivirus products operating at the host or network levels.

HitmanPro, however, has detected Sst.c (also known as Maxss), a modification of the TDL4 strain, and it is spreading fast.

This new variant is capable of infecting the Volume Boot Record (VBR, also known as the Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware.
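The network-side detection described above (spotting algorithmically generated command-and-control names rather than a binary sample) can be illustrated with a small heuristic run over DNS query logs. The following is an added example, not Damballa's product logic or anything from the original article: it scores each second-level label by character entropy and vowel ratio, and flags a client only when several such names appear. The log lines, thresholds (`min_len`, `min_entropy`, `max_vowel_ratio`, `threshold`) and the log format are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real TDL4 traffic): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2012-10-10T09:01:02 10.0.0.12 www.example.com
2012-10-10T09:01:05 10.0.0.12 cdn.example.net
2012-10-10T09:01:06 10.0.0.12 static.longbenignhostname.com
2012-10-10T09:01:09 10.0.0.12 x7qkz3p9vd2hwm.com
2012-10-10T09:01:10 10.0.0.12 q2n8rlt5kbw4jx.net
2012-10-10T09:01:11 10.0.0.12 mz9w3hkpxl7qvb.com
2012-10-10T09:01:12 10.0.0.12 kd4vn1zx8hq2pw.org
2012-10-10T09:01:15 10.0.0.12 mail.example.org
2012-10-10T09:02:00 10.0.0.33 www.example.com
2012-10-10T09:02:01 10.0.0.33 b7tq2lzv9xk4mn.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """'x7qkz3p9vd2hwm.com' -> 'x7qkz3p9vd2hwm'; the registrable label is what a DGA randomises."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels are typical of generated names.
    Thresholds are assumptions chosen for this example, not tuned production values."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text):
    """Yield (timestamp, client, name) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flag_domain_flux(text, threshold=3):
    """Return {client: [suspicious names]} for clients that queried at least
    `threshold` generated-looking names. A single odd name is not enough: domain
    fluxing shows up as a burst of them from one host."""
    suspicious = {}
    for _ts, client, name in parse_log(text):
        if looks_generated(second_level_label(name)):
            suspicious.setdefault(client, []).append(name)
    return {c: names for c, names in suspicious.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in flag_domain_flux(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} generated-looking queries, e.g. {names[0]}")
```

In the sample, host 10.0.0.12 issues four generated-looking queries and is flagged; 10.0.0.33 issues one and is not. The benign long name `longbenignhostname` is excluded by its vowel ratio, which is why entropy alone is not used: real brand and dictionary names can be long, but they are rarely vowel-poor.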

Joseph Souren, Vice President and GM, Wave Systems EMEA, has provided the following commentary:

“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.

Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc, damaging the network. It also reduces the window of detection for the enterprise to contain the threat.

The best defence is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of critical start-up components of the machine, and the ones that are most important are used early in the boot process before the antivirus initiates.

By utilising TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible for traditional malware scanning software. The IT manager is alerted when unwanted changes are detected.

It’s undoubtedly not the last we will hear of these types of Advanced Persistent Threats (APT), and activating and managing embedded hardware security is the only way to detect these attacks early enough to prevent damage to the network.”
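The commentary above describes the TPM holding measurements of the early boot components so that a change to something like the Volume Boot Record is visible before the operating system and its antivirus are running. The following added example (not Wave Systems code and not part of the original article) simulates that mechanism: each boot component is hashed in order and extended into one PCR using the TPM 1.2 rule `new = SHA-1(old || measurement)`, an event log records per-component digests, and a verifier compares the reported PCR and log against an enrolled baseline. The component names and contents are constructed; a real platform measures firmware, boot sectors and loaders into several PCRs and reports them via a signed quote, which this simplified model omits.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized


def extend(pcr, measurement):
    """TPM 1.2 style PCR extend: new = SHA-1(old || measurement). Order-dependent and one-way."""
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(components):
    """Simulate a measured boot over [(name, bytes), ...]: hash each component in order,
    extend it into a single PCR, and keep an event log of (name, digest) so a verifier
    can attribute a mismatch to a specific component."""
    pcr = b"\x00" * PCR_SIZE
    event_log = []
    for name, data in components:
        digest = hashlib.sha1(data).digest()
        event_log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, event_log


def replay(event_log):
    """Recompute the PCR value that a given event log would produce."""
    pcr = b"\x00" * PCR_SIZE
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def check_boot(baseline_pcr, baseline_log, observed_pcr, observed_log):
    """Return a list of findings; an empty list means the boot matches the enrolled baseline.
    The log is only trusted if it reproduces the PCR the hardware reports, because the log
    itself lives in software and could be edited, while the PCR cannot be rewound."""
    findings = []
    if replay(observed_log) != observed_pcr:
        findings.append("event log does not reproduce reported PCR (log tampered or truncated)")
    if observed_pcr == baseline_pcr:
        return findings
    baseline = dict(baseline_log)
    observed = dict(observed_log)
    for name, digest in observed_log:
        if baseline.get(name) != digest:
            findings.append(f"{name} measurement changed")
    for name in baseline:
        if name not in observed:
            findings.append(f"{name} missing from boot sequence")
    return findings


# Constructed boot chain for the example; the bytes stand in for real images.
GOLDEN_BOOT = [
    ("firmware", b"constructed firmware image v1"),
    ("mbr", b"constructed master boot record"),
    ("vbr", b"constructed volume boot record"),
    ("bootloader", b"constructed OS loader"),
]
# Same chain with only the VBR altered, modelling a boot-sector infection.
INFECTED_BOOT = [
    (name, data + b" + injected stub" if name == "vbr" else data) for name, data in GOLDEN_BOOT
]


if __name__ == "__main__":
    base_pcr, base_log = measure_boot(GOLDEN_BOOT)
    inf_pcr, inf_log = measure_boot(INFECTED_BOOT)
    print("clean boot:", check_boot(base_pcr, base_log, base_pcr, base_log))
    print("infected boot:", check_boot(base_pcr, base_log, inf_pcr, inf_log))
    print("infected PCR, clean log:", check_boot(base_pcr, base_log, inf_pcr, base_log))
```

Two properties carry the point of the commentary: a change to any measured component, however small, produces a different PCR, and because extend is one-way and order-dependent, code running after the boot cannot restore the clean value. Attributing the change to the VBR needs the event log, and the replay check is what stops a tampered log from being accepted alongside a PCR it does not explain.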