Because of their popularity and large adoption by users worldwide, applications such as Skype and Facebook are targeted by malware authors quite often. This article is dedicated to Skype malware, often referred to as simply “Skype virus”. Keep in mind that Skype virus is a generic name for all types of Skype-related malware.
|Short Description||Skype Virus is a generic name for various malware threats that are delivered over Skype.|
|Symptoms||The user may be affected by a malicious ad served over Skype, his account may be hijacked, etc.|
|Distribution Method||Malicious links and ads sent via Skype, pages hosting malware|
|Detection Tool|| See If Your System Has Been Affected by Skype Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Skype Virus.|
Depending on the purpose of attackers, some Skype viruses are targeting user accounts and hijacking them, and others are using the application to infiltrate the operating system. Continue reading to learn more about the various types of Skype viruses and how to remove them, or better – evade infection.
Goo.gl Skype Virus: Technical Overview
One of the most common Skype viruses is the so-called Goo.gl Skype virus. It is also one of the oldest pieces of such malware. As it turns out, the malicious campaigns that deliver goo(.)gl spamming URLs in Skype are still active.
Users on various forums report to receive strange messages from their Skype friends. The messages usually contain pictures and shortened goo(.)gl links. When clicked, these spamming URLs land on suspicious web pages that offer a download of a malicious file. Once such data is saved on the system, it may cause severe malware infections or serve as a gateway for further threats. Users are highly advised not to interact with these links.
In case you have clicked on such a compromised link, it is a good idea to run a scan with an advanced anti-malware tool as the malware may have sneaked into the system.
Goo.gl Skype Virus: Distribution Methods
This Skype virus relies on some clever distribution techniques. Initially, the malware was distributed via a web link using goo(.)gl services, such as the following one, along with a luring message:
[skype.user]: haha you wouldn’t believe it http://goo(.)gl/lLGdM?foto=user
The web link then redirects to a 4shared, hotfile or other file-sharing services:
Then, the link may download a .Zip or another type of file containing the same malware. Symantec researchers have reported two main malware pieces associated with this Skype virus:
After one of the above malicious bots has been downloaded and activated on the compromised computer, it would immediately connect to a C&C (Command and Control) server. After connecting to the server, the malware may download other malware types such as:
- Spam Bots;
- Botnet kits.
It should also be noted that attacks of this character use obfuscators so that the malware remains undetected for longer times on infected computers. Attackers are typically using reputable services to spread malicious files and using affected users to spread spam messages to people in their contact list on Skype.
Skype.exe Virus: Technical Overview
Malware is known to use legitimate files that belong to legitimate programs. Such is the case with the Skype.exe virus. According to Hybrid Analysis, the malicious file is able to read terminal service related keys that may be RDP related. It also acts as spyware, being able to access sensitive information from local browsers, open the clipboard and retrieve keyboard strokes.
Here is a resume of its malicious capabilities:
- Modifying auto-execute functionality by setting/creating a value in the registry;
- Reading the active computer name;
- Reading the cryptographic machine GUID;
- Possibly capable of evading analysis by sleeping many times;
- Opening the MountPointManager (often used to detect additional infection locations);
- Contacting 2 domains and 2 hosts;
- Modifying of Proxy settings.
It should be noted that the Skype.exe file actually belongs to Microsoft. However, the file which was uploaded to Hybrid Analysis appears to have been modified by an unpaid evaluation copy of Resource Tuner 2. It is a tool for disassembling .exe and .dll files.
Malicious Ads Served Over Skype
Skype has been abused to serve malicious ads not once or twice. Last year, users reported that ads served through the application were serving malicious downloads that were leading to a ransomware infection. The ads triggered a download of an HTML application which was designed to look like a legitimate app. Upon opening the ad would download a malicious payload, a piece of ransomware, which would then encrypt the user’s files.
Severe Security Flaws in Skype
There have been a number of serious security vulnerabilities in Skype which increase the vulnerability of the operating system and may lead to malware and spyware infections. Such a severe security flaw was discovered in February 2018. The severe could could allow attackers to obtain full access to the compromised host. This would happen through gaining system-level privileges to a local user with no privileges. The flaw was discovered by security researcher Stefan Kanthak who reported it to Microsoft. The flaw resides in Skype’s update installer found to be vulnerable to DLL hijacking.
The severity of the DLL hijacking vulnerability, however, is not the only issue here. Apparently, Microsoft, the owner of Skype, isn’t planning on fixing the flaw any time soon. The reason is not because the flaw can’t be patched. It’s because patching it would require the software to be entirely re-written. What does this mean? Instead of simply releasing a patch, Microsoft would have to release a brand new version of the messenger.
The attack leveraging the Skype DLL hijacking flaw can happen using a range of DLL files with various loading processes. The worst part is that no trails are left in both the registry and file system indicating that an incorrect DLL had been previously loaded.
In case of a successful hijacking of the update process, the attacker would download and place the maliciously crafted DLL into a temporary folder. When Skype’s update installer attempts to locate the relevant DLL, it will locate the malicious one instead, and will install the maliciously crafted code.
Even though Kanthak, the researcher who reported the flaw, tested the attack on the Windows desktop version of Skype, he believes that the same DLL hijacking technique could be used against other operating systems like Linux and macOS. It should be noted that the exploit of the flaw works on the desktop version of Skype.
Skype Virus: How to Remove It from the System
If you believe that your system was affected by a Skype virus, you can refer to the instructions provided below.
In case of the Goo.gl Skype virus, you should consider disconnecting your computer from the internet while scanning, since this will break any active connection with attackers’ C&C servers.
Note! Your computer system may be affected by Skype Virus and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Skype Virus.