Rootkit-based Skype worm opens backdoors

While both Yahoo! Messenger and MSN Messenger have been massively exploited by IM worms, Skype users have been less exposed to this type of e-threat. It’s true that hyperlink-sending worms are hardly news in the current malware landscape, and multiple variants affecting various IM services are in the wild, but most of them are extremely easy to remove and don’t come with an additional method of protection. Unlike average IM worms, Backdoor.Tofsee features an extensive set of tricks to deter detection and removal, as well as a wide assortment of ways to harm both the user and their computer.

The worm relies on social engineering to lure the user into downloading and executing a copy of itself on the local machine. It looks for the system locale settings (country, language and currency) in order to determine which language to send its messages in. It can use English, Spanish, Italian, Dutch, German, and French to send itself to either Skype or Yahoo! Messenger contacts. The alleged conversations will always be different from the previous messages and will be constantly updated from a remote location.

Plus, in order to avoid suspicion, the worm will only send the message during an on-going conversation, rather than randomly starting one-link monologues. When the unwary user clicks on the infected link, they will be redirected to a spoofed page impersonating Rapidshare. If the user continues the download process by clicking the alleged Rapidshare download link, they get a zipped archive called NewPhoto024.JPG.zip. Upon extraction, the archive reveals an executable file with a deceptive name: NewPhoto024.JPG_www.tinyfilehost.com. The file looks like a JPG, followed by a URL.

However, the trailing .com is actually the file extension, which marks the file as an MS-DOS executable. Once executed, the infected binary queries the Windows Registry to see if either Skype or Yahoo Messenger is installed. If neither application is to be found on the computer, the worm will exit without infecting the system. If they are, the worm ensures that it is not being analyzed in a virtual machine by checking the Performance Counter.
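The lure works because Windows decides what a file is by its last extension, while the eye stops at the first one. The following checker, an added example written for this article rather than code from the author or from BitDefender, flags names in which a decoy document or image extension appears before a final executable extension. The extension lists are assumptions for the example; the article itself only mentions .com and .JPG.

```python
import re

# Extensions Windows runs directly (constructed list for this example; the article
# only mentions .com, which is the MS-DOS executable format).
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure typically imitates (constructed list; the article shows .JPG).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def basename(name: str) -> str:
    """Strip any Windows or POSIX directory prefix."""
    return name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def true_extension(name: str) -> str:
    """The extension Windows actually uses: the text after the last dot, lowercased."""
    base = basename(name)
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def embedded_decoys(name: str) -> list:
    """Decoy extensions buried earlier in the name, e.g. 'JPG' in 'x.JPG_www.host.com'.

    Each piece between the first and last dot is reduced to its leading alphanumeric
    token, so 'JPG_www' is recognised as '.jpg'.
    """
    pieces = basename(name).split(".")[1:-1]
    decoys = []
    for piece in pieces:
        token = re.match(r"[A-Za-z0-9]+", piece)
        if not token:
            continue
        candidate = "." + token.group(0).lower()
        if candidate in DECOY_EXTENSIONS and candidate not in decoys:
            decoys.append(candidate)
    return decoys


def classify(name: str) -> dict:
    """Describe a filename; 'suspicious' means an executable wearing a decoy extension."""
    ext = true_extension(name)
    decoys = embedded_decoys(name)
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "true_extension": ext,
        "decoy_extensions": decoys,
        "executable": executable,
        "suspicious": executable and bool(decoys),
    }


def suspicious_names(names) -> list:
    """Return only the names that classify() marks as suspicious."""
    return [n for n in names if classify(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample: the article's lure name plus a few harmless and lookalike names.
    sample = [
        "NewPhoto024.JPG_www.tinyfilehost.com",
        "holiday.jpg",
        "report.pdf.exe",
        "setup.exe",
        "notes.txt",
    ]
    for n in sample:
        print(classify(n))
    print("flagged:", suspicious_names(sample))
```

The check is deliberately conservative: a plain `setup.exe` is executable but carries no decoy, so it is not flagged, which keeps the rule usable as a mail or download gateway filter without blocking ordinary installers.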

Should the worm detect that it is running in a virtual machine or inside a debugger, it automatically terminates itself; otherwise it creates a suspended child process and injects the worm’s decrypted overlay into it. After the successful injection, the child process is resumed and the parent process kills itself.

In order to hide itself from the operating system, the worm deploys its last line of defense: a rootkit driver that conceals files, monitors the global Internet activity originating from the infected machine and prevents access to the URLs associated with antivirus vendors, online scanners, tech support forums and, of course, Windows Update. As a novelty, the worm also denies access to a certain number of high-profile download portals that might host removal tools or antivirus utilities.

After having successfully compromised the system, the worm adds itself to the Startup key in the Windows Registry; it also deactivates the Windows Firewall, breaching local security so that a remote attacker can connect to the worm’s backdoor component. To make things worse, the rootkit component also prevents the installation of any file known to be an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue.

The worm’s spreading mechanism isn’t limited to spamming itself via Skype and YIM; it also copies itself onto any attached USB storage device it finds by replicating its binary in a newly-created folder called ~secure and creating an autorun.inf file that points to it. A secondary folder, called Temp002, is also generated and a binary file infected with Trojan.Vaklik.AY is planted inside it. All the created files have the archive, hidden and system attributes set to 1 in order to conceal them from the Windows Explorer shell.
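A removable drive infected this way leaves a recognisable footprint: an autorun.inf whose launch entries point into a folder with the hidden and system attributes set. The script below, an added example that is not code from the article's author or from BitDefender, parses the [autorun] section of such a file, resolves every entry that would run a program, and reports whether the target exists, whether it lives in one of the folder names the article mentions (~secure, Temp002), and, on Windows, whether it carries hidden or system attributes. The sample autorun.inf content and the file name photo.exe are constructed for the example; the article does not reproduce the real file.

```python
import os
import tempfile

# Folder names the article attributes to the worm's USB payload.
KNOWN_FOLDERS = {"~secure", "temp002"}
# Windows file attribute bits; st_file_attributes is only populated on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed autorun.inf modelled on the behaviour described (launch entries pointing
# into the ~secure folder); the real file's content is not given in the article.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=~secure\\photo.exe\r\n"
    "shellexecute=~secure\\photo.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def parse_autorun(text: str) -> dict:
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """(key, value) pairs for entries that cause a program to run."""
    return [
        (k, v) for k, v in entries.items()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


def hidden_or_system(path: str) -> bool:
    """True when the file carries the hidden or system attribute (Windows only)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def assess_removable_root(root: str) -> list:
    """Inspect the root of a (mounted) removable drive and describe each launch target."""
    text = None
    for entry in os.listdir(root):
        if entry.lower() == "autorun.inf":
            with open(os.path.join(root, entry), encoding="latin-1") as fh:
                text = fh.read()
            break
    if text is None:
        return []
    findings = []
    for key, value in launch_targets(parse_autorun(text)):
        rel = value.strip('"').replace("\\", os.sep)
        resolved = os.path.normpath(os.path.join(root, rel))
        exists = os.path.isfile(resolved)
        parent = os.path.basename(os.path.dirname(resolved)).lower()
        findings.append({
            "key": key,
            "target": value,
            "exists": exists,
            "known_folder": parent in KNOWN_FOLDERS,
            "hidden_attrs": exists and hidden_or_system(resolved),
        })
    return findings


def build_sample_drive() -> str:
    """Create a temporary directory laid out like the infected drive described above."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "~secure"))
    os.mkdir(os.path.join(root, "Temp002"))
    open(os.path.join(root, "~secure", "photo.exe"), "wb").close()
    open(os.path.join(root, "Temp002", "update.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
        fh.write(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for finding in assess_removable_root(drive):
        print(finding)
```

Any launch entry whose target exists inside a folder named ~secure or Temp002 is worth quarantining before the drive is opened in Explorer; on a non-Windows analysis host the attribute check simply reports False, so the folder-name match is the portable signal.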

Backdoor.Tofsee is a high-risk piece of malware that allows a remote attacker to take complete control over the infected machine and use it for various illegal purposes. In order to stay safe, you are advised to install and regularly update a complete antimalware solution with antispam, antiphishing, antivirus and firewall modules.

Author: Bogdan Botezatu, BitDefender.
