Skype IM Falls Victim to Trojan Attack

WebSense on Monday identified a Trojan horse that targets Skype IM users in what marks the latest in a series of instant messaging attacks this year.

The security researcher first reported the attack as a self-propagating worm called "sp.exe." After a full day of investigation in cooperation with Skype and its parent company eBay (Nasdaq: EBAY), WebSense issued an update saying it was a Trojan horse.

Trojan horses are programs that appear harmless, or even helpful, but harbor malicious code used to collect or destroy data.

"What's unique about this Trojan horse is that it uses Skype as its vehicle for propagation," Dan Hubbard, vice president of security research at WebSense, told TechNewsWorld. "But this is not dissimilar to Trojans that have attacked other messaging platforms in the past, like ICQ and Microsoft (Nasdaq: MSFT) Messenger."

Social Engineering 101

The Trojan horse uses the Skype application programming interface (API) to do its dirty work. The end-user who is running Skype receives a message suggesting a file download. Clicking on the link initiates download of the Trojan horse.

Security researchers describe the tactic as social engineering, because it demands interaction from the end-user to spread itself. Social engineering scams typically involve clever schemes that convince users to participate, offering free information or breaking news.

Instant messaging is an attractive platform for malicious users because it works. This time last year, cyber attackers enjoyed success with a holiday-themed worm attack that delivered its malicious payload to IM users of AOL, MSN, Windows Messenger, ICQ and Yahoo.

"We don't believe this new Trojan is very widespread, but this attack can cause damage," Hubbard warned. "The Trojan includes some processes that allow attackers to inject into the explorer process, which usually is used for things like password stealing within forms at eBay and PayPal and other types of sites."

Money Motives

Like a growing number of Internet attacks today, security experts say social engineering-based attacks have one motive: money. Since security technologies are blocking out e-mail borne worms and viruses, attackers are turning to browsers and IM platforms to deliver their nasty payloads.

IM presents a unique opportunity for hackers just based on its sheer growth. Enterprise IM will grow from 40 million users today to more than 140 million by 2009, IDC estimates, which makes IM the fastest-growing communications medium of all time.

Because IM operates in real time, attacks that leverage social networking to spread can be highly destructive and costly to a corporate infrastructure.

Worms were the preferred type of malicious code on all three large IM networks in the second half of 2005, representing 91 percent of IM-related malicious code during that period, according to the most recent Symantec (Nasdaq: SYMC) Internet Security Threat Report.

Highly Targeted Attacks

More than 2,400 unique IM and peer-to-peer (P2P) threats were identified in 2005, other research indicates. That amounts to a staggering 1,700 percent increase from the previous year.

The vast majority of those threats were URL-based worms. However, the rise of IM-based phishing attacks, as well as the emergence of other sophisticated malware, complicates IM's risk profile.

"Increasingly, threats are converging across e-mail, Web and IM," Mark Sunner, chief security analyst for MessageLabs, told TechNewsWorld. "Highly targeted Trojan attacks, specifically designed to steal intellectual property from businesses and organizations, increased from one a week to one a day this year."