Earlier this month, users had started facing problems with ransomware on Skype through a seemingly harmless looking message: "lol is this your new profile pic?" The message was followed by a link that downloads malware into user's computers. According to Trend Micro, these reports have not stopped and are now spreading fast.
The link, which includes the user name of the recipient, goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the Dorkbot malware family, which is detected as WORM_DORKBOT.DN. This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft form various websites, including pornographic sites, social media, file lockers, and financial services; and launching distributed denial-of-service (DDOS) attacks. The behaviour that a user may see can vary significantly. It also has the capability to download other malware depending on the link provided by the C and C servers, including ransomware and click fraud malware.
Skype users are facing message spam containing malware
To spread via Skype, it downloads a separate component detected as WORM_DORKBOT.IF. This component sends the same message to people in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message "lol is this your new profile pic?" in a language that depends on the user’s geolocation.
As Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.
The security company is currently monitoring this threat, and will update its blog with more details as they become available. The number of blocked and detected files associated with this attack has increased. From 2,800 files recorded on October 9, the total number of blocked and detected files is now at 6,800. Trend Micro product users are actively protected from Dorkbot malware used in these attacks.
The earlier report highlights that the link been changed on a number of occasions, and the text has also been altered. Although the malware-laden message is currently spreading in English and German, it can be translated into several other languages.
The Next Web adds that although GFI first highlighted the issue on Friday, it has only been confirmed now that users are indeed being targeted using click fraud and ransomware.
In addition to ransomware, the message has been found to indulge click fraud. Giving an insight into this, the report adds that in the span of 10 minutes, GFI recorded 2,259 transmissions.
In his statement to The Next Web, a Skype spokesperson shared, “Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable”.