For the past week, we've received a lot of reports of a worm that propagates through Skype known as Dorkbot. This is probably nothing new for most of you -but still it pays to be aware. Anyway, I got hold of a sample and took a closer look. The worm usually arrives as a link from a friend's Skype instant message telling you how funny your profile pics are.
Clicking the link, prompts the user to download a file hosted at Sendspace.com:
For the sake of science, we extracted the zip file and run it in our test environment, and of course, as we suspected this was the Skype worm itself. During testing we left Skype with fake user ID running in the background.
When run, the malware first obtained our infected host's IP address and location by cleverly querying it from a free GeoIP web service, Wipmania.com. It then sends this data back to one of the following control servers on port 1863:
- 217.160.108.147
- 176.9.192.131
- 87.255.51.229 <- now sinkholed by abuse.ch
It then downloads additional malware hosted at Hotfile.com. I have also seen reports of ransomware downloaded and installed on the infected system:
A
Not long after it downloaded the additional malware, it started spamming our Skype contacts with the same message that we got.
There are also other serious payloads for this malware: it also steals user credentials from various websites (as you can see in the screenshot below, those are the strings that the malware monitors). The malware is also capable of propagating through MSN and USB flash drives.
As always, be wary of whatever link has been sent to you and avoid clicking it if you are not sure of what it is. Trustwave SWG customers are protected against this threat.
