
SANS ISC: Interesting SKYPE SPIM. - SANS Internet Storm Center SANS ISC InfoSec Forums


Interesting SKYPE SPIM.

Earlier this week Jared sent us an interesting SKYPE spim. I suspect this was sent using the Skype IMbot discussed in the previous diary.
This one was a social engineering attempt to get the recipient to load scareware, or fake AV. Like most of these sites, it had some java that is intended to simulate an antivirus scan. The scan is free, of course. Everyone who gets "scanned" by this junk is infected. Getting cleaned of your viruses costs, since you have to buy the commercial version to "clean" your infection. They have nice little functions like "hideActiveXDialog" and "doUpdatePercents", the latter of which simply counts off ticks to make it appear they are scanning the system. Then they throw up a banner2.jpg, which is a warning that you have a bunch of scary viruses, including "System Soap Pro", "AntiLamer Light", "MC 30 day", "SoftEther", "I-Worm.NetSky.q", "I-Worm.Bagle.n", "Tofger-A", "Zinx-A", "B-S Spy 1.90" and "KrAIMer 1.1".

Some of those names are known malware; others appear to have been made up to insult anyone who gets this message. Who came up with System Soap, AntiLamer, SoftEther or BS spy? Here is the text that was sent out to entice victims to pay for this LAME fake AV:

WINDOWS REQUIRES IMMEDIATE ATTENTION
URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

hxxp://www.onlineck.org

For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW
****************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns
 
Recommendation: Users running vulnerable version should
install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

hxxp://www.onlineck.org/
 
For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser!
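
The lure quoted above has a few traits that are easy to match in IM or chat logs. The sketch below is an added example, not part of the original diary: the trait names, the `triage_im` function and the threshold of three are assumptions, and the benign message is constructed for contrast.

```python
import re

# Traits taken from the lure text quoted in the diary; the trait names and
# the threshold of three are assumptions made for this example.
TRAITS = {
    "urgent_scan_banner": re.compile(
        r"REQUIRES IMMEDIATE ATTENTION|URGENT SYSTEM SCAN", re.I),
    "add_contact_to_activate_link": re.compile(
        r"for the link to become active.{0,40}add to\s+contacts", re.I | re.S),
    "fake_advisory_layout": re.compile(
        r"Affected Software:.*Impact of Vulnerability:.*Recommendation:", re.I | re.S),
    "threat_of_malfunction": re.compile(
        r"failure to do so may result in", re.I),
}
# Matches live and defanged (hxxp) links so analyst notes can be scanned too.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://([A-Za-z0-9.-]+)", re.I)


def triage_im(text: str, threshold: int = 3) -> dict:
    """Return matched traits, linked hosts, and a verdict for one IM body."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(text))
    hosts = sorted({h.lower().rstrip(".") for h in URL_RE.findall(text)})
    # A lure needs somewhere to send the victim, so require at least one link.
    suspicious = bool(hosts) and len(hits) >= threshold
    return {"traits": hits, "hosts": hosts, "suspicious": suspicious}


# Excerpt of the message quoted in the diary (link kept defanged).
SPIM = """WINDOWS REQUIRES IMMEDIATE ATTENTION
URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

hxxp://www.onlineck.org

For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser !

Affected Software:
Microsoft Windows XP
Impact of Vulnerability: Remote Code Execution / Virus Infection
Recommendation: Users running vulnerable version should
install a repair utility immediately
Failure to do so may result in severe computer malfunction.
"""
# Constructed benign message for contrast.
BENIGN = "Patch notes for Tuesday are at https://intranet.example/notes, no rush."

if __name__ == "__main__":
    for label, body in (("spim", SPIM), ("benign", BENIGN)):
        print(label, triage_im(body))
```

The "add to contacts so the link becomes active" instruction is the most distinctive trait here, since accepting the contact request is what lets the sender keep messaging the recipient.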


 

donald

ISC Handler
