Well, here we go again—yet another worm infestation hits Windows PCs
via Skype Instant Messenger. And as usual, Windows rolls out the welcome mat,
welcoming and spreading it with happy abandon. Information about this new worm
is still coming in, but it appears that the Skype network is the carrier, that
the worm uses the Skype API (application programming interface), and that, as
usual, the core problem is that Microsoft Windows is far too accepting of foreign
malicious code. It is infected with trivial ease, and it cannot even determine the
true type of a file from its contents rather than its name. Which, in this here
21st century, is rather backward.
The various security vendors give this worm different names. Symantec calls
it W32.Pykspa.D; F-Secure and Trend Micro give it the jaunty, cowboy-esque title
of WORM_SKIPI.A, and McAfee says it’s W32/Pykse.worm.b. Interestingly, Symantec
rates it “low risk”. This is an incorrect assessment, as we’ll see in a moment.
What does this worm do? Nothing destructive, which is typical of modern malware. Its authors don’t want to destroy systems, but to conscript them into botnets and use them to spew forth spam, phishes, and other malware. Sort of like a gang of hoodlums taking over your house as their headquarters.
SKIPI.A distributes itself via Skype Instant Messenger and removable drives,
like USB pen drives, and Compact Flash and SD cards. It starts out by hijacking
your Skype contacts, and then sends them a (reportedly) convincingly-written
chat message that sets your friends up to download the file. The message includes
a URL to one of several infected Web sites. Naturally I couldn’t resist taking
a look, so I fired up the Konqueror Web browser on my Debian Linux PC and visited
a couple of infected links. When you click the link, you are asked if you want
to download the file. Figure 1 shows what this looks like.
Savvy computer users see instantly that something is wrong. It’s not an image file, but a BIN, or binary file. The true filename is revealed, and it’s one that should send up red flags: .scr files are supposed to be Windows screensavers, but they are ordinary Windows executables under a different extension, which makes .scr a popular disguise for viruses and other malware.
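To make that point concrete, here is a small added example of my own (not code from the article, from Skype, or from any of the vendors named) that does what the author says Windows fails to do: judge a download by its content instead of its name. It sniffs the leading bytes for a Windows executable (the MZ header whose e_lfanew field points at the "PE\0\0" signature) or a known image header, compares that with the extension Windows would actually act on, and flags double-extension names such as photo.jpg.scr. The sample files are constructed byte strings built inline, not real worm files; the name dsc027.scr is the one mentioned in the links at the end of the article.

```python
import os
import struct

# Well-known leading bytes of common image formats.
IMAGE_SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that Windows treats as runnable programs when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def sniff_type(data: bytes) -> str:
    """Identify the content type from the bytes alone, ignoring the filename."""
    if data.startswith(b"MZ"):
        # A Windows PE file starts with a DOS header; the 4-byte field at
        # offset 0x3c (e_lfanew) gives the offset of the "PE\0\0" signature.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe-executable"
        return "mz-executable"  # MZ header without a verifiable PE signature
    for magic, kind in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_extensions(filename: str) -> list:
    """Every extension in the name, in order: 'photo.jpg.scr' -> ['.jpg', '.scr']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_download(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say; block on any conflict."""
    exts = claimed_extensions(filename)
    final_ext = exts[-1] if exts else ""
    sniffed = sniff_type(data)
    reasons = []
    # Rule 1: what Windows would do with the file, based on the final extension.
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"'{final_ext}' files run as programs on Windows")
        if any(e in IMAGE_EXTENSIONS for e in exts[:-1]):
            reasons.append("double extension dresses an executable up as an image")
    # Rule 2: what the bytes say, regardless of the name.
    if sniffed in ("pe-executable", "mz-executable"):
        if final_ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(
                f"content is an executable but the name claims '{final_ext or 'no extension'}'"
            )
    elif final_ext in IMAGE_EXTENSIONS and sniffed == "unknown":
        reasons.append("name claims an image but the content has no known image header")
    return {
        "name": filename,
        "claimed": final_ext,
        "sniffed": sniffed,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: just the MZ header, e_lfanew and
    the PE signature, padded with zeros. It is not runnable and not malware."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed samples: names and contents invented for this illustration.
SAMPLES = [
    ("dsc027.scr", fake_pe()),                          # plain .scr executable
    ("photo.jpg.scr", fake_pe()),                       # double extension
    ("holiday.jpg", fake_pe()),                         # executable hiding under .jpg
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16),    # genuine JPEG header
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        result = assess_download(name, content)
        print(f"{result['verdict']:5}  {name:15}  sniffed={result['sniffed']}")
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

Run as a script it prints one verdict per sample; the two checks deliberately overlap so that a file is blocked whether the deception is in the name (an image extension in front of .scr) or in the content (executable bytes under an innocent-looking name). In a real download filter you would hand the bytes to a proper format identifier rather than this short signature table, but the principle is the one the article is making: the name is a claim, the bytes are the evidence.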
As soon as the file is downloaded it gets busily to work installing multiple
copies of itself under different names, modifying the Windows Registry, looking
for removable media to hitch a ride on, hijacking Skype contacts and sending
those “clever” chat messages to them, and disabling your security software.
Some reports indicate that it sets the infected user’s Skype status to Do Not
Disturb or Invisible. I’m not sure how this benefits the worm—maybe it likes
peace and quiet.
I wonder what world the people who call this a “convincingly
written chat message” live in—here is an excerpt:
# look what crazy photo Tiffany sent to me,looks cool
# matai 😀
# now u populr
# oh sry not for u
# oops sorry please don’t look there :S
# pala biski
# really funny
# this (happy) sexy one
# u happy ?
# what ur friend name wich is in photo ?
# where I put ur photo 😀
Now, really. Clever?
The good folks at Skype got right on this issue and have been hard at work
since early yesterday (September 10th) getting the word out, trying to get the
infected sites shut down, and telling customers how to repair their systems,
but as of this writing (September 11th), several of the infected sites are
Few people have a clear view of what good computer security is, and a lot of
the tech media don’t help clear the fog very well. They’re afraid of clever,
evil, Hollywood-style computer crackers breaking into their systems remotely.
But the real danger is bad software that is simply not secure-able. As long
as you have any Windows systems exposed to untrusted networks you will have
problems. The best firewalls in the world are ineffective against malware that
rides in via email, infected Web sites, and instant messaging. Anti-malware
software is reactive—it cannot protect you from future threats, as this Skype
worm demonstrates. It is unrealistic to expect your users to be security experts
(though for gosh sakes, they could wise up a little bit); the better course
of action is to give them secure computers.
In VoIPowering Your Office: Encrypting VoIP Calls and VoIPowering Your Office: Encrypting VoIP Calls (Part 2) we learned how easy it is to eavesdrop on VoIP traffic, and what the future holds for secure encryption of VoIP traffic. Which is all well and good, but the best encryption protocols in the world are helpless against an infected PC. They don’t foil keystroke loggers, and they don’t stop the busy little worms that roam unimpeded through the guts of an operating system, doing whatever they want.
If you really, really want to use secure computer systems, use Mac OS X, Linux,
PC-BSD, or FreeBSD. These are far more secure, and more secure-able. Rather
than following the Windows model of trying to sail a sieve, these are stout,
reliable operating systems that do not roll out the red carpet to malware. Of
course they’re not perfect, but the difference is like night and day. I rather
suspect that most of us would like our VoIP networks to be more than just shiny
new malware highways.
On the worm that affects Skype for Windows users
dsc027.scr virus explained — including removal instructions, I was infected too (sigh), so I took a few hours to research the virus
Secure Malware Information Pages: IM-Worm:W32/Skipi.A