
WSLabs, Malicious Code: Business Skype Phishing Malware

Posted on 29 October 2007
Websense Security Lab

Websense® Security Labs(TM) has discovered a new Trojan Horse / DNS redirector being distributed via email with URL lures. The email message is written in Spanish and presented in HTML. It attempts to lure users into clicking a link in order to download the business version of Skype.

If users click on the URL, they are directed to a site hosted on the Spanish version of Lycos. The site was up at the time of the alert. The site contains no exploit code, but has a Trojan Horse with the filename "skype.exe" with an MD5 of <80c954716eb2525b634a515ec785f03b>.

When the file runs, it modifies the Windows hosts file and opens Internet Explorer to the Spanish version of the Skype Business Version download page. The modification the malware makes to the hosts file redirects visitors from www.banamex.com to a phishing website. At the time of testing, the file was not detected by anti-virus software.
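A defender-side check for the hosts-file redirection described above, as an added example that is not part of the original alert: it parses hosts-file text and reports any entry that overrides DNS for a watched domain. The watchlist, the sample file and its 203.0.113.10 address are constructed for illustration; only www.banamex.com comes from the alert.

```python
import ipaddress

# Assumption: domains the organisation wants to protect from local overrides.
# Only www.banamex.com is named in the alert.
WATCHED = {"banamex.com"}

# Constructed sample; 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    WWW.Banamex.com   banamex.com  # constructed entry
0.0.0.0         ads.example.net
not-an-ip       www.banamex.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every usable mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop full-line and inline comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # no valid address, so not a mapping
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True for a watched domain or any of its subdomains (not look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def find_redirects(text, watched=WATCHED):
    """Return (line_no, ip, hostname) for entries overriding DNS for watched names."""
    return [(n, str(ip), host) for n, ip, host in parse_hosts(text)
            if is_watched(host, watched)]

if __name__ == "__main__":
    import sys
    # Pass a hosts file path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for n, ip, host in find_redirects(text):
        print(f"line {n}: {host} -> {ip} (hosts override of watched domain)")
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`.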

Email roughly translates to:
===================================
Skype for Windows: Business Version (with MSI)
This is a new version of Skype for business. It has the same features as the standard version, but also includes Windows Installer (commonly known as MSI).
Use Skype Pro to transfer calls to Skype contacts, mobile phones, or ordinary phones, free of charge.
Business-friendly features:
* Includes Windows Installer (commonly known as MSI).
* Increased security for business users.
* Easy deployment to multiple machines in your company.
* More control for IT administrators.
===================================

For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=811

 
