Skype 'Worm' Overrated, Says Websense

Websense has reclassified the threat as a Trojan horse and says its impact is declining.

Gregg Keizer, Contributor

December 19, 2006

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Malware spreading on the Skype VoIP network raised alarms Tuesday, with some reports claiming that a worm was on the loose. The threat, however, is actually low, a security analyst says.

Warnings late Monday and very early Tuesday claimed that a worm was propagating across Skype -- one of the most popular voice-over-IP applications -- and infecting systems with a password-stealing Trojan horse. Tuesday, for example, Symantec issued an alert to customers of its DeepSight threat management service that a worm it dubbed "Chatosky" was spreading in the Asia Pacific region, including South Korea.

"The code isn't a worm," says Dan Hubbard, VP of research at security vendor Websense. "It relies on the end user to acknowledge a binary through the API, which is normal behavior in Skype." In addition, the threat does not make copies of itself.

"It's not exploiting a vulnerability," adds Hubbard.

Websense was among the first to post an alert about a possible Skype worm. However, after talking with the Skype security team, which is based in Estonia, Hubbard says he had reclassified the threat as a Trojan horse. "A user with Skype will get a message to download a program from a URL included in a chat message," says Hubbard. "If they click on that, a program runs in the background, then injects itself into the Explorer process. It looks like the Trojan is designed to grab forms and passwords from the browser."

Another file -- the Skype binary that the user is prompted to accept -- accesses the VoIP application, then harvests any online Skype contacts and transmits those names to a remote server.

Although Skype is best known as a telephone-style service, it uses an instant messaging-like contact list for easier calling, and includes a chat function for text messaging. The Trojan, in fact, is applying the same attack techniques commonly used in instant messaging attacks.

The servers the attacker used to download malicious code to infected computers are now down, Hubbard confirms.

"The one thing that's unusual here is its use of a public API," says Hubbard. The two-part API allows Skype to connect to USB devices, such as VoIP phones, and lets third-party applications access some of Skype's functions, such as making a call.

"This is either spreading very slowly, and only regionally, or it's dead by now," Hubbard says.

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights