Showing posts with label Skype. Show all posts

Thursday, 9 July 2015

Scams spreading through Skype



I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look http://www.ebay.com/new/$username





Another example is:






However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be google.dj







Turns out the actual link behind the eBay one is pointing to:





What follows is for tracking and to suppress the "Redirect notice" page Google would otherwise show. For those who are curious, google.dj is a legitimate Google website for the African country Djibouti.

What seems to be a string of random numbers is actually just hex for:





When you click the link, Google simply performs a search for that webpage and sends you on to it. This does not mean google.dj is compromised in any way: the same link works just as well with google.com in place of google.dj.
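To show how such a link can be checked before anyone clicks it, here is a small triage helper (an added example, not code from the original post). It assumes only what the post states: the target is hidden as a run of hex digits inside a Google search link. The sample link, the query parameter name and the landing page name (an RFC 2606 .example host) are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Eight or more hex byte pairs in a row; shorter runs are too often ordinary ids.
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")


def decode_hex_candidates(text):
    """Return every long hex run in `text` that decodes to printable ASCII
    containing a dot, i.e. something that looks like a hostname or URL."""
    found = []
    for match in HEX_RUN.finditer(text):
        try:
            decoded = bytes.fromhex(match.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable() and "." in decoded and " " not in decoded:
            found.append(decoded)
    return found


def hidden_targets(url):
    """Map each query parameter of `url` (and its path, under the key '<path>')
    to the hostnames/URLs hidden inside it as hex."""
    parts = urlsplit(url)
    findings = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for decoded in decode_hex_candidates(value):
            findings.setdefault(key, []).append(decoded)
    for decoded in decode_hex_candidates(unquote(parts.path)):
        findings.setdefault("<path>", []).append(decoded)
    return findings


# Constructed sample: a google.dj search link whose q= parameter is the hex
# encoding of a placeholder landing page (.example is reserved, not a real site).
LANDING_PAGE = "scam-landing-page.example"
SAMPLE_LINK = "http://www.google.dj/search?q=" + LANDING_PAGE.encode().hex() + "&t=abc123"

if __name__ == "__main__":
    for param, targets in hidden_targets(SAMPLE_LINK).items():
        print(f"{param}: {targets}")
```

Run on the sample link it reports the decoded landing page under the `q` parameter; a clean search URL yields nothing, and runs of hex that do not decode to readable text are ignored.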

On the lengthy site mentioned above, you'll get a piece of JavaScript, which you can view on this Pastebin link.
(In short, it calls Math.random() to serve you a slightly different website each time.)



Fiddler capture






Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website









Trying to leave the website










Long story short.....


Prevention

Install the WOT extension in your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, since other users can warn you about a site's reputation.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to hover over the link to reveal the actual website behind it.



Disinfection

Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify them and have them follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


Conclusion

In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.

Friday, 1 November 2013

Malware spreading via Skype


Malware spreads via Skype. It simply sends the file to all your contacts, nothing more, nothing less. (No message inviting you to check out "photos", no call, ...)


### Analysis ###

Known MD5s:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295


Callback to IPs:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes


Type of malware: Caphaw - Banking malware
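The indicators above (the two MD5s, the callback IP and the `%random%.aingo.cc` pattern) are easy to turn into a log matcher. What follows is an added example, not part of the original post: it runs the indicators over a few constructed log lines in a made-up `key=value` format and groups hits per host. The double-extension check (`.pdf.exe`, as in the sample's filename) is an extra heuristic I added; it is not taken from the analysis.

```python
import re

# Indicators taken from the analysis above.
KNOWN_MD5 = {
    "293cc1f379c4fc81a7584c40f7c82410",
    "66def80d6f87f6f79156557172f9f295",
}
CALLBACK_IPS = {"88.150.177.162"}
# %random%.aingo.cc: any single label in front of the fixed parent domain.
DGA_DOMAIN = re.compile(r"\b[a-z0-9-]+\.aingo\.cc\b", re.IGNORECASE)

# Fields of the constructed log format used below.
DNS_QUERY = re.compile(r"\bquery=(\S+)")
CONN_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
FILE_HASH = re.compile(r"\bhash=([0-9a-fA-F]{32})")
FILE_PATH = re.compile(r"\bpath=(\S+)")
HOST = re.compile(r"\bhost=(\S+)")
# Added heuristic (not from the write-up): a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|png)\.(exe|scr|com|pif)_?$", re.IGNORECASE)


def match_line(line):
    """Return the list of reasons this log line matches a Caphaw indicator (empty if none)."""
    reasons = []
    m = DNS_QUERY.search(line)
    if m and DGA_DOMAIN.fullmatch(m.group(1)):
        reasons.append("dga-domain:" + m.group(1))
    m = CONN_DST.search(line)
    if m and m.group(1) in CALLBACK_IPS:
        reasons.append("callback-ip:" + m.group(1))
    m = FILE_HASH.search(line)
    if m and m.group(1).lower() in KNOWN_MD5:
        reasons.append("known-md5:" + m.group(1).lower())
    m = FILE_PATH.search(line)
    if m and DOUBLE_EXT.search(m.group(1)):
        reasons.append("double-extension:" + m.group(1).rsplit("\\", 1)[-1])
    return reasons


def scan(lines):
    """Return {host: [reasons...]} for every host with at least one matching line."""
    hits = {}
    for line in lines:
        reasons = match_line(line)
        if reasons:
            m = HOST.search(line)
            host = m.group(1) if m else "<unknown>"
            hits.setdefault(host, []).extend(reasons)
    return hits


# Constructed sample log (hostnames, timestamps and the benign hash are made up).
SAMPLE_LOG = [
    "2013-11-01T11:30:02Z host=WS-017 dns query=q7f3k2.aingo.cc",
    "2013-11-01T11:30:03Z host=WS-017 conn dst=88.150.177.162 dport=80",
    "2013-11-01T11:31:10Z host=WS-021 dns query=www.microsoft.com",
    "2013-11-01T11:31:15Z host=WS-021 file hash=293CC1F379C4FC81A7584C40F7C82410 "
    "path=C:\\Users\\bob\\AppData\\Roaming\\invoice_171658.pdf.exe",
    "2013-11-01T11:32:00Z host=WS-030 file hash=d41d8cd98f00b204e9800998ecf8427e "
    "path=C:\\Users\\amy\\report.pdf",
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

Hashes are compared case-insensitively and the DGA match requires the whole queried name to fit the pattern, so `aingo.cc` appearing inside some other domain does not trigger it.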


Technical details ~~

Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov  1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_CURSOR          0x532b0  0x134    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x536c0  0x1eec   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x555b0  0x4e8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x55a98  0x128    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x55bc0  0xea8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x56a68  0x568    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x56fd0  0x10a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x58078  0x468    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR    0x533e8  0x14     LANG_RUSSIAN SUBLANG_RUSSIAN          Lotus 1-2-3
RT_GROUP_ICON      0x584e0  0x4c     LANG_RUSSIAN SUBLANG_RUSSIAN          MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION         0x53400  0x2c0    LANG_RUSSIAN SUBLANG_RUSSIAN          data

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy    
--------------------------------------------------------------------------------
.text      0x1000       0xee6        0x1000       5.764246   
.rdata     0x2000       0x49ce2      0x4a000      5.440947   
.data      0x4c000      0x619c       0x6000       0.012147    [SUSPICIOUS]
.rsrc      0x53000      0x5530       0x6000       3.693765   

Version info
================================================================================
LegalCopyright: gex Copright   ls soft
InternalName:  jex  MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName:  jox  Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0

~~


### Prevention ###

* Check your Skype settings. Only allow people on your contact list to send you messages and files or to contact you
* Don't download and run unknown files, especially PE(2) files


### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Reset your proxy settings to the original ones(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction

* When in doubt, seek advice on a professional malware removal forum(4)




### Conclusion ###

* Follow above prevention tips
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal for example





# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs

Thursday, 23 May 2013

Another Skype worm


Remember this post from not too long ago?
Worm spreading through Skype and Messenger

Well, seems this tactic is getting more popular...

A new Skype worm shows you the following message:

this is a very nice photo of you http://bit.ly/10UCanc?fotos=%username% :$
this is a very nice photo of you http://bit.ly/10UCanc?id=%username% :P
Other languages are possible as well, for example Russian:
это очень хорошая фотография вы http://bit.ly/10UCanc?fotos=%username%


When you click the link, you are redirected to a file-sharing site, which downloads the following file:
facebook_profile.zip

Inside is an EXE file called:
profile-facebook_23052013_img.exe
MD5: 669441b1f5532bdc1a5371112dabc4c8
VirusTotal Result (15/46)
Anubis Result
Malwr Result

When executing the file, you start spreading this message as well to all your Skype friends. There is no icon for the EXE file, which should ring some bells... Actually, the "pictures" being a single EXE file should ring bells so hard the whole neighbourhood wakes up.


Filesharing sites used to spread the malware:
4shared.com
hotfile.com


These file-sharing sites have already removed all the malicious files, so they cannot be downloaded anymore.
Malware files already removed, awesome!





Some interesting stats for the bit.ly link:

Current amount of clicks








Geographic distribution of clicks.





As you can see, there have been over 120,000 clicks today, which is quite a lot! Also interesting to note is that most clicks are in Belarus, which may indicate where the malware's origin lies (or at least where the infection started).

As far as I could see, the malware creates a file with a random name in the C:\Programdata or %appdata% folder, injects into explorer.exe and is thus able to 'protect' itself: when you delete the malware file, it is immediately re-created.

The malware also tries to phone home to (currently offline):
hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php


The above links are related to the Alureon malware, which can download other malware as well as steal your credentials and other personal information. Microsoft describes it as follows:
Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer. Source.


There are also some peculiar strings in the malware:
lTaj13zzz5632jetsusjabs 
Regrey8hiaid958562ids  
Culmbusy4teg217jo548 
Sel35scagalawn9ser84996  
Hinog968begs6421879  
Cyme28ilkax65274sunn35  
Toph8toil2528248030  
Pent8cute812  
hoorney milk  
DESTRUCT COMMON 

Not sure what those strings are supposed to mean, if there's any meaning to it at all.
To view all strings pulled from the malware image, check Pastebin:
http://pastebin.com/Svb40p9Q



Disinfection


  • Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this worm.
  • Change your Skype password.
  • Notify your friends that you had sent them a malware link.



Conclusion

This conclusion is pretty much the same as in my previous post about a Skype worm:


Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
"Do I really have (embarassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like bit.ly is used. (Others are for example t.co, goo.gl, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.

Even if you clicked the link without suspecting anything, you should become suspicious when no pictures are shown and instead just an EXE file is downloaded.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/


Monday, 8 October 2012

Worm spreading through Skype and Messenger


Since Saturday, there's a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who's infected with this worm will send you the following message:

Message in German asking to check your cool pictures



The link refers to goo.gl and is actually Google's URL Shortener service. You'll land on Hotfile.com, which is a legitimate file sharing website. (it's not the first time Hotfile has been used to spread malware, read more here. The file has already been removed by Hotfile.)

The link refers to Hotfile and will immediately download a ZIP file.




 
The positive thing is that it is a ZIP file and not an EXE. This means the user still has to manually unpack and run the malware. Inside our ZIP file we find the following file, which is disguised as a Skype setup file:

Looks like the real deal. But it's not.








When executing this file, another file (a random 4 character EXE) will be dropped to the %appdata% folder of the currently logged on user:

The icon suggests it's uTorrent. But it's not.




This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:

74.208.112.178 - IPVoid Result
87.106.98.157 - IPVoid Result
199.15.234.7 - IPVoid Result
213.165.71.142 - IPVoid Result
213.165.71.153 - IPVoid Result
217.160.108.147 - IPVoid Result

Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive - skype_05102012_image.exe looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe


It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c'est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?



It then appends the link and adds your username after the equals sign '=':
http://goo.gl/QYV5H?img=
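The spreading logic above (a lure sentence picked by language, a shortened link, the victim's username appended as a query parameter) is the same in this worm and in the bit.ly one from the post of 23 May 2013, which is what makes it detectable without caring about the language. The following is an added example, not part of either post: a classifier for exported chat messages that combines the shortener hosts named in these posts, the parameter names used (`img`, `fotos`, `id`) and a few word stems from the quoted lure texts. The sample messages and link codes are constructed.

```python
import re

# Shorteners named in the write-ups; any subdomain of them counts as well.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Parameter names the worms use to tag the link with the victim's username.
USERNAME_PARAMS = {"img", "fotos", "id"}
# Word stems shared by the lure texts quoted above (several languages).
LURE_STEMS = ("profil", "foto", "photo", "pic", "bild", "slika", "фото")

URL_RE = re.compile(r"https?://([\w.-]+)(?:/[^\s]*)?", re.IGNORECASE)
PARAM_RE = re.compile(r"[?&]([A-Za-z_]+)=")


def classify_message(text):
    """Return the list of lure indicators found in one chat message, each
    as 'kind:detail'. Kinds: shortener, username-param, lure-word."""
    indicators = []
    lowered = text.lower()
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS):
            indicators.append("shortener:" + host)
        for param in PARAM_RE.findall(m.group(0)):
            if param.lower() in USERNAME_PARAMS:
                indicators.append("username-param:" + param.lower())
    for stem in LURE_STEMS:
        if stem in lowered:
            indicators.append("lure-word:" + stem)
            break
    return indicators


def is_lure(text):
    """Two or more distinct indicator kinds are treated as a worm lure; a single
    lure word (someone really sharing holiday pictures) is not enough on its own."""
    kinds = {indicator.split(":", 1)[0] for indicator in classify_message(text)}
    return len(kinds) >= 2


# Constructed sample messages; the short-link codes and usernames are placeholders.
SAMPLE_MESSAGES = [
    "lol is this your new profile pic? http://goo.gl/EXAMPLE?img=bob",
    "this is a very nice photo of you http://bit.ly/EXAMPLE?fotos=alice :$",
    "это очень хорошая фотография вы http://bit.ly/EXAMPLE?fotos=alice",
    "hey, are we still on for 3pm? https://calendar.example/meeting",
    "my holiday pics: https://photos.example/album/42",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print("LURE  " if is_lure(message) else "clean ", classify_message(message), message)
```

The first three messages are flagged (shortener plus username parameter plus a lure word), the last two are not: one has no indicator at all, the other only a lure word.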


Let's take a closer look at the files:

skype_05102012_image.exe
Result: 23/44
MD5: 98f74b530d4ebf6850c4bc193c558a98
Anubis Report
Malwr Report
ThreatExpert Report


36A9.exe
Result: 16/44
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Anubis Report
Malwr Report
ThreatExpert Report


The malware is commonly identified as Worm.Dorkbot and Worm.Agent or Generic Trojan.

Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

On my test machines no additional malware was downloaded, even after replicating a few times. Other malware could however be downloaded at any time, whether ransomware, rogueware, ...



Conclusion

Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype is nothing new. Still, it appears to be very successful as human curiosity wins in cases of doubt:
"Do I really have (embarassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like goo.gl is used. (Others are for example t.co, bit.ly, tinyurl, etc.)
Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.

Even if you clicked the link without suspecting anything, you should become suspicious when no pictures are shown and instead just an EXE file is downloaded.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/
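Besides the web services listed above (here and in the post of 23 May 2013), you can look behind a short URL yourself by issuing HEAD requests and refusing to follow redirects, so each hop is recorded without ever loading the final page. The script below is an added example and not part of the original posts; its live `head_location` fetcher uses only the standard library, while the canned chain (shortener, file-sharing host, ZIP) and its hostnames are constructed so the demonstration runs offline.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
# Final targets that deliver a file rather than a page deserve a second look.
DOWNLOAD_EXTS = (".zip", ".exe", ".scr", ".rar", ".7z")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so that each hop is observed individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=10):
    """One HEAD request; returns (status, Location header or None) without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, response.headers.get("Location")
    except HTTPError as err:  # unfollowed 3xx and real 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=head_location, max_hops=MAX_HOPS):
    """Walk the redirect chain hop by hop and return every URL visited.
    `fetch(url)` must return (status, location); the default does a real request,
    the canned fetcher below does not. If the chain never settles within
    `max_hops`, the last element is the marker '<max hops exceeded>'."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    chain.append("<max hops exceeded>")
    return chain


def looks_like_download(url):
    """True when the URL path ends in an archive or executable extension."""
    return urlsplit(url).path.lower().endswith(DOWNLOAD_EXTS)


# Constructed redirect chain (no network): shortener -> file-sharing host -> ZIP file.
CANNED_HOPS = {
    "http://bit.ly/EXAMPLE?fotos=alice": (301, "http://filehost.example/dl/123"),
    "http://filehost.example/dl/123": (302, "/files/facebook_profile.zip"),
    "http://filehost.example/files/facebook_profile.zip": (200, None),
}


def canned_fetch(url):
    return CANNED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for hop in expand_short_url("http://bit.ly/EXAMPLE?fotos=alice", fetch=canned_fetch):
        print(hop + ("  <-- file download" if looks_like_download(hop) else ""))
```

Pass `fetch=head_location` (the default) to resolve a real link; the hop limit protects against redirect loops, and a final hop ending in `.zip` or `.exe` is exactly the case the posts above warn about.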


Wednesday, 23 May 2012

Skype




Skype is proprietary VoIP software, initially created by Niklas Zennström and Janus Friis in 2003 and owned by Microsoft since 2011. Skype is an application used for talking to other people on their PC or mobile phone; with it you can call all over the world free of charge. Skype is a popular and dependable VoIP (voice over internet protocol) application. It allows you to call and talk to other Skype users over the internet, including by video call. With Skype you can organise your various contacts in an easy and flashy way. In addition, it makes it possible to add pictures of the people on your contact list and to display their details and other information. This application is similar to ooVoo, Nimbuzz, Google Talk and Facebook Messenger.

In addition, it doesn't just work on Windows; Skype is also available for Mac OS X and Linux, with a native look and feel on every platform. You can also hold video conference calls, send text messages, use emoticons, take video snapshots and send money via PayPal. Skype has a friendly interface that makes it easy to call one another. Additionally, it has call forwarding, a quick installer, a list of recently used items and regular callback. Above all, Skype is the best software to communicate with your friends and family by video, free of charge.


