VoIPowering Your Office: Skype Worm�Trouble in VoIPland

This malware invades Windows PCs on the back of Skype IMs, turning them into witless, bot-like accomplices.

By Carla Schroder | Posted Sep 17, 2007
Page of   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Well, here we go again—yet another worm infestation hits Windows PCs via Skype Instant Messenger. And as usual, Windows rolls out the welcome mat, welcoming and spreading it with happy abandon. Information about this new worm is still coming in, but it appears that the Skype network is the carrier, that the worm uses the Skype API (application programming interface), and that, as usual, the core problem is that Microsoft Windows is far too accepting of foreign malicious code. It is infected with trivial ease, and doesn't even have the ability to determine the true filetype of files. Which in this here 21st century is rather backward.

The various security vendors give this worm different names. Symantec calls it W32.Pykspa.D; FSecure and Trend Micro give it the jaunty, cowboy-esque title of WORM_SKIPI.A, and MacAfee says it's W32/Pykse.worm.b. Interestingly, Symantec rates it "low risk". This is an incorrect assessment, as we'll see in a moment.

What does this worm do? Nothing destructive, which is typical of modern malware. They don't want to destroy systems, but conscript them into botnets and use them to spew forth spam, phishes, and other malware. Sort of like a gang of hoodlums taking over your house as their headquarters.


Prod interface
Figure 1.

SKIPI.A distributes itself via Skype Instant Messenger and removable drives, like USB pen drives, and Compact Flash and SD cards. It starts out by hijacking your Skype contacts, and then sends them a (reportedly) convincingly-written chat message that sets your friends up to download the file. The message includes a URL to one of several infected Web sites. Naturally I couldn't resist taking a look, so I fired up the Konqueror Web browser on my Debian Linux PC and visited a couple of infected links. When you click the link, you are asked if you want to download the file. Figure 1 shows what this looks like.

Savvy computer users see instantly that something is wrong. It's not an image file, but a BIN, or binary file. The true filename is revealed, and it's one that should send up red flags. .scr files are supposed to be Windows screensavers, but unfortunately it's a popular executable format for viruses and other malware.

As soon as the file is downloaded it gets busily to work installing multiple copies of itself under different names, modifying the Windows Registry, looking for removable media to hitch a ride on, hijacking Skype contacts and sending those "clever" chat messages to them, and disabling your security software. Some reports indicate that it sets the infected user's Skype status to Do Not Disturb or Invisible. I'm not sure how this benefits the worm—maybe it likes peace and quiet.

I wonder what world the people who call this a "convincingly written chat message" live in—here is an excerpt:

# look what crazy photo Tiffany sent to me,looks cool
# matai :D
# now u populr
# oh sry not for u
# oops sorry please don't look there :S
# pala biski
# patinka?
# really funny
# this (happy) sexy one
# u happy ?
# what ur friend name wich is in photo ?
# where I put ur photo :D

Now, really. Clever?

The good folks at Skype got right on this issue and have been hard at work getting the word out, trying to get the infected sites shut down, and telling customers how to repair their systems since early yesterday (September 10th) but as of this writing, (September 11th), several of the infected sites are still up.

Genuine Security
Few people have a clear view of what good computer security is, and a lot of the tech media don't help clear the fog very well. They're afraid of clever, evil, Hollywood-style computer crackers breaking into their systems remotely. But the real danger is bad software that is simply not secure-able. As long as you have any Windows systems exposed to untrusted networks you will have problems. The best firewalls in the world are ineffective against malware that rides in via email, infected Web sites, and instant messaging. Anti-malware software is reactive—it cannot protect you from future threats, as this Skype worm demonstrates. It is unrealistic to expect your users to be security experts (though for gosh sakes, they could wise up a little bit); the better course of action is to give them secure computers.

In VoIPowering Your Office: Encrypting VoIP Calls and VoIPowering Your Office: Encrypting VoIP Calls (Part 2) we learned how easy it is to eavesdrop on VoIP traffic, and what the future holds for secure encryption of VoIP traffic. Which is all well and good, but the best encryption protocols in the world are helpless against an infected PC. They don't foil keystroke loggers, and they don't stop the busy little worms that roam unimpeded through the guts of an operating system, doing whatever they want.

If you really, really want to use secure computer systems, use Mac OS X, Linux, PC-BSD, or FreeBSD. These are far more secure, and more secure-able. Rather than following the Windows model of trying to sail a sieve, these are stout, reliable operating systems that do not roll out the red carpet to malware. Of course they're not perfect- but the difference is like night and day. I rather suspect that most of us would like our VoIP networks to be more than just shiny new malware highways.

Resources
On the worm that affects Skype for Windows users
dsc027.scr virus explained -- including removal instructions, I was infected too (sigh), so I took a few hours to research the virus
W32.Pykspa.D
Secure Malware Information Pages: IM-Worm:W32/Skipi.A
WORM_SKIPI.A

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter