The security industry was recently abuzz with the discovery of a worm supposedly targeting users of the popular VoIP telephone application Skype.
According to Websense’s Threat Blog, this worm uses Skype’s Chat feature to download and execute a file named sp.exe. That file, in turn, appears to drop a password-stealing Trojan. The entry further notes that this possible worm is packed using NTKrnl Secure Suite, a relatively rare (if not unknown) compression, and that infection reports originated in the APAC region, specifically Korea.
Two things come to mind in light of this event. One is that despite the fact that this worm’s propagation technique is still… well, common, VoIP as a new malware vector is obviously becoming a good prospect for malicious authors to sink their teeth into. Two, well… again it’s obvious: password-stealing routine, polymorphic compression to avoid easy detection, and a specific country of origin? Sounds like a localized/targeted attack geared, once again, for profit, doesn’t it?
The (sort of) good news is that no widespread outbreak has been reported yet. That doesn’t mean that Skype users should just go ahead and click the links they receive while chatting, though.
Trend Micro currently detects the malware’s password-stealing component as TSPY_SKPE.A. Stay posted for updates.