Skype Users Are Targeted by Malware (Again)

Another difficult time for Skype users. Recently, a piece of malware was found targeting Skype users. This malware, known as T9000, captures screenshots and the victim's whole conversation. But there is one unique thing about this malware. Instead of targeting all Skype users, its targets are specific. The automotive industry, human rights activists, and governments are the only known targets. Moreover, all targets share one thing in common: they are all in the Asia Pacific region. This is when we call it 'weird.'

The malware was first spotted by Palo Alto Networks security researchers. The attackers hide the malware inside an RTF attachment. Even if a security product recognizes the email as malicious, it will be classified as a common phishing attempt. The real threat is still hidden deep down there. It waits for the right time to get into the system. Once in, all Skype users will be

Compared to its predecessor, T9000 has a much more complex structure. It is built to avoid detection. Before installing itself, it scans your system for security software. It can recognize the following security products:

  • Sophos
  • Baidu
  • Gdata
  • INCAInternet
  • Comodo
  • DoctorWeb
  • AVG
  • TrustPortAntivirus
  • VirusChaser
  • BitDefender
  • Panda
  • Trend Micro
  • McAfee
  • Norton
  • Kingsoft
  • Filseclab
  • Micropoint
  • JiangMin
  • AhnLab
  • Avira
  • Tencent
  • Rising
  • Kaspersky
  • Qihoo 360
  • Any malware analysis tool
(do you realize that VPN is not affected?)

How T9000 Attacks Skype Users

The scanning process makes sure your system is 'clean.' Then the internal verification proceeds. This step prepares everything for the installation process. Once the malware has entered your system, it collects your information. All information is sent to a C&C server. At this point, using a server is important. The attacker uses it not only to store Skype users' data, but also to distinguish every victim. Without it, it would be difficult to choose the target. Next, the attacker chooses the victims. It can be anyone. Once he has settled on a name, the server sends instructions based on the victim's personal information.

To attack Skype users, T9000 uses three main modules.

  1. tyeu.dat
  2. vnkd.dat
  3. qhnj.dat

The first module spies on Skype users' conversations. Once the attacker executes the module, the following message will appear in the victim's Skype:

If you get this message, be careful. The T9000 backdoor has successfully tapped into your Skype API. As your last line of defense, please don't allow the access. If you do, the attacker will get full access to your system. He can spy on you whenever he wants. The end. You will lose your information. The attacker will get all your video, text, and audio chats. The attacker can even take screenshots of your conversation. So, before that happens, make sure you don't click that button.

I want you to remember one thing. The attacker won't stop once he attacks Skype users. Getting your conversation and screenshots is not the end. If the attacker can enter your system, all your information is at stake. The second module allows the attacker to steal your files. The attacker can open any folder and take any file. This is why the attack on Skype users is very dangerous. Not even your removable storage devices are safe.

The third module is the beast. It allows the C&C server to take control over your system. It can tell the malware to delete, create, and move files as well as directories. It can also encrypt data and copy the victim's clipboard. Basically, it is our worst nightmare. It owns your system without ever touching it.

A Strategic Malware Attack

Look at the patterns. Look at how the attacker chooses the victims. This is no ordinary malware attack. Whoever is behind this attack on Skype users must be a professional. The attacker has gone to great lengths to do so much damage without being detected. Also, the target is specific. It looks like this malware is specially crafted for a specific purpose. The targets are not just random people. The attacker is targeting organizations. Do you know how much personal information they keep in their offices? Now, imagine someone got that information. It would be pretty bad, huh?

Luckily, T9000 is still traceable. Windows Defender is the best tool for this. It can identify and quarantine the malware, protecting Skype users from the attack.

In an email sent to Fossbytes, Microsoft said:
“To further protect our customers, we’ve added detection for the malicious software known as ‘T9000’ to Windows Defender. Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and use the latest version of Skype.”

Here is a nice conclusion I learned. The traditional way always works. If you want to avoid something, just remember to update your apps. That's how it works.
