
An avalanche in Skype

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted April 04, 14:40  GMT
Tags: Botnets, Social Engineering, Skype
 

There is a new malicious campaign running on Skype, and it's still active.

The infection vector is social engineering: an infected Skype account sends messages in bulk to all of its contacts, like these:

i don't think i will ever sleep again after seeing this photo http://www.goo.gl/XXXXX?image=IMG0540250-JPG
tell me what you think of this picture i edited http://www.goo.gl/XXXXX?image=IMG0540250-JPG

The goo.gl short URL service shows that at the moment there are more than 170k clicks on the malicious URL; only one hour ago there were around 160k. That means the campaign is quite active, at around 10k clicks per hour, or 2.7 clicks per second!

Most of the victims are in Russia and Ukraine:

Other countries with a probably large number of infections are China, Italy, Bulgaria and Taiwan.
The campaign seems to have been active since March 1 (at least, that is the day the Google short URL was created), but it gained strength in the last few hours. This graph shows the number of clicks in the last 2 hours:

So far VirusTotal shows a detection rate of 12 out of 46 AV engines. Kaspersky Anti-Virus detects the malicious sample through its cloud technology with the verdict UDS:DangerousObject.Multi.Generic.

Now a few words about the malware itself. It's written in Visual Basic. Its subroutines are given human names such as Lenka, Pier, Christiane, Ryann, etc. The following phrases are used as part of the social engineering in Skype:

hahaha
Is this you?
Picture of you?
Tell me what you think of this picture
This is the funniest picture ever!
I cant believe I still have this picture
Someone showed me your picture
Your photo isn't really that great
I love your picture!
What do you think of my new hair?
You look so beautiful on this picture
You should take a look at this picture
Take a look at my new picture please
What you think of this picture?
Should I upload this picture on facebook?
Someone told me it's your picture

The malware can also spread via USB. Once a machine is infected it joins the botnet and uses the IRC protocol to communicate with the C&C. The sample contains a string pointing to the original VB project file: C:\Users\s\Desktop\Must Use Different Name\HqwKH\avivah.vbp
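The lure phrases, the goo.gl link shape and the project path above are enough to write a simple detector. The script below is an added example, not Kaspersky's code: it flags Skype messages that carry both a known phrase and the "?image=IMG...-JPG" short link, and scans a file's bytes for the quoted .vbp path. The IRC verbs it looks for (NICK, JOIN, PRIVMSG) are generic protocol commands assumed for an IRC bot, not strings confirmed in this sample, and the sample messages and sample binary are constructed inline for the run.

```python
import re

# Lure phrases quoted in the post: the strings the sample uses to get contacts to click.
LURE_PHRASES = [
    "hahaha",
    "Is this you?",
    "Picture of you?",
    "Tell me what you think of this picture",
    "This is the funniest picture ever!",
    "I cant believe I still have this picture",
    "Someone showed me your picture",
    "Your photo isn't really that great",
    "I love your picture!",
    "What do you think of my new hair?",
    "You look so beautiful on this picture",
    "You should take a look at this picture",
    "Take a look at my new picture please",
    "What you think of this picture?",
    "Should I upload this picture on facebook?",
    "Someone told me it's your picture",
    "i don't think i will ever sleep again after seeing this photo",
    "tell me what you think of this picture i edited",
]

# Link shape seen in the spam: a goo.gl short link carrying a fake image name.
# The real short-link id is redacted in the post, so any alphanumeric id is accepted.
LINK_RE = re.compile(r"https?://(?:www\.)?goo\.gl/\w+\?image=IMG\d+-JPG", re.IGNORECASE)

# Static strings worth looking for in a suspect binary. The project path is quoted in the post;
# the IRC verbs are an assumption: generic commands any IRC-based bot sends to register and chat.
BINARY_IOCS = {
    "vbp_project_path": rb"C:\Users\s\Desktop\Must Use Different Name\HqwKH\avivah.vbp",
    "irc_nick": rb"NICK ",
    "irc_join": rb"JOIN ",
    "irc_privmsg": rb"PRIVMSG ",
}


def classify_message(text):
    """Return which campaign markers a Skype message carries.

    A message is flagged as a lure only when it has both the goo.gl "?image=IMG...-JPG"
    link and one of the known phrases. Either marker alone is reported but not flagged,
    which keeps ordinary goo.gl links and ordinary "is this you" chatter out of the alert.
    """
    lowered = text.lower()
    phrases = [p for p in LURE_PHRASES if p.lower() in lowered]
    link = LINK_RE.search(text)
    return {
        "is_lure": bool(phrases) and link is not None,
        "phrases": phrases,
        "link": link.group(0) if link else None,
    }


def scan_binary(data):
    """Return the names of BINARY_IOCS found in a file's bytes, in dictionary order."""
    return [name for name, needle in BINARY_IOCS.items() if needle in data]


# Constructed sample input (not captured traffic): two lures from the post and two benign lines.
SAMPLE_MESSAGES = [
    "i don't think i will ever sleep again after seeing this photo http://www.goo.gl/XXXXX?image=IMG0540250-JPG",
    "tell me what you think of this picture i edited http://www.goo.gl/XXXXX?image=IMG0540250-JPG",
    "is this you in the team photo from friday?",
    "meeting notes: http://www.goo.gl/abc123",
]

# Constructed stand-in for a dropped executable: padding around the quoted project path and an IRC login.
SAMPLE_BINARY = (
    b"\x00" * 16
    + b"C:\\Users\\s\\Desktop\\Must Use Different Name\\HqwKH\\avivah.vbp\x00"
    + b"NICK bot\r\nJOIN #chan\r\n"
)

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = classify_message(msg)
        print("LURE " if r["is_lure"] else "clean", msg[:60])
    print("binary hits:", scan_binary(SAMPLE_BINARY))
```

Requiring both the phrase and the link keeps the false-positive rate low on a chat channel, where "is this you?" is normal traffic; the binary scan is only a string match, so a repacked build that drops the .vbp path will need the behavioural indicators (IRC traffic from skype.exe's child process, USB autorun drops) instead.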
Finally, something interesting is this:


Follow me on twitter @dimitribest

2 comments


mark117

2013 Apr 04, 19:50
 

avalanche in Skype

Hi Dmitry Bestuzhev

Very Very Interesting Article,

I was just recently reading a couple of the articles here and on the threatpost website,
link below,
http://threatpost.com/en_us/blogs/ddos-attack-database-breach-take-down-two-bitcoin-services-040413

I also noticed that you say that the people who are behind this have used real names in the subroutines that they coded in "VB" Visual Basic,
Do you think that this could be a clue as to who is behind this,
Or
Do you think that the people who have created this virus are relatively new to, say, programming in VB and that is why they could be using real names for now until they learn of better ways and or ideas as to hide/encrypt their subroutines/modules, or could the names be a link as to who coded what part of the subroutines within the program.

Could this possibly be part of something bigger that's to come from the people who have created this.

And finally I have to agree that the image at the bottom is quite interesting in the fact that they seem to be going after the BitCoin wallets,
I am going to be totally honest,
I don't really know that much about BitCoin and their wallets and how they work,
But judging by the entries in the last image, it could be really worrying for people to read about this who have a BitCoin wallet on their DeskTop or Mobile Phone...

Again Thank You for great article
mark117

P.S.
"VT" Virus Total link below,
The detections are gradually going up as more and more AV vendors add the signatures to their databases
14 as of now 16:44 04-04-2013
https://www.virustotal.com/en/file/33c2bbb2d46f7aeb3752fccaf7a418174c11530cf052f94c27e45a0cfa906e96/analysis/

P.P.S.

Look forward to any follow up code and or images to do with this subject...
peace and respect
mark117


AntivirusK

2013 Jun 10, 12:50
 

Free Antivirus

Run free antivirus from http://www.ultymatum.uv.ro
