Followup and analysis on the Skype Work reported on 9 October

Back on 9 October, I reported on a worm that was spreading (primarily) via Skype.  Today, I found a good write-up on the worm, how it spread and a very important component to it’s success (user action required).  The story is available here and was carried by Packet Storm Security (lends a lot of credibility).  I’ll spare you all of the details (available in the article) but some important things to take from it are:

  • It was spreading via Skype initially but later was found to also be using the Instant Messenger networks.  Skype quickly acknowledged the problem and released a statement on their website.
  • It was spreading via a link, requiring that users click on the link.  Even though the link a) was to a valid URL shortening service (Google) and was a link to a legitimate file sharing service (hotfile.com), a user who verified that the reported sender actually sent the message would have been alerted to the potential problem and able to avoid it.  
  • The malware was being hosted by a legitimate file sharing site (hotfile.com) and the link was to a legitimate URL shortner (goo.gl).  I touched on this above but it’s worth noting again.  The old ways of ‘just blacklist / block known bad places’ is no longer a sure fire tool.  These are legitimate services being abused for other-than-legitimate uses.  At the end of the day here, an educated [computer / network] user is the last and best line of defense.
  • Once the user downloaded the .zip file, they had to unzip it in order for it to ‘do’ anything (e.g., infect them).  A couple of things to note here.  First, if you’ve got gateway security deployed that’s doing deep-packet-inspection, this *may* have saved you.  The fact that this was a .zip file and not a .exe file gives it a better shot at making it past gateway security and antivirus (by the time that you get it, hopefully your antivirus has been updated to catch it).  Second, this again falls to that last (and best or worst) line of defense, the user.  If you get a file from someone that you weren’t expecting, *confirm it*.  If they didn’t send it, you don’t need / want to open it.
  • The malware attempted to connect to a single URL (api.wipmania.com) for further instruction.  This would be an after-the-fact opportunity but adding the URL (and the IP’s that it’s resolving to) after-the fact would save you from reinfection.  Again, after the fact, but worth noting.  Dropping the reputation of these IP addresses and domains in your IDS would also be a good move, at least short to mid-term.

There’s a lot of info here but, if you’re responsible for managing a network (or even your home computer), hopefully some of the information above will help you keep things safe.