Avast Virus Lab analysis of Dorkbot with Skype hijacker

Deborah Salmi 11 Oct 2012


Earlier this week, a new variant of the Dorkbot/Ruskill malware attacked users of the Skype video calling service. This malware can affect a huge number of sites and online services and can attack almost all known web browsers, such as Internet Explorer, Firefox, Chrome, Opera and Flock, as well as other programs such as MSN, wlcomm.exe etc.

The avast! Virus Lab analyzed this malware. You can read about it in articles published on the web, but none of them analyzed the new module that can hijack Skype messenger, which is now the bigger threat to users. In packed form this module is around 70KB. After removal of the custom packer/loader, the pure size is 16 384b. The module is very small but includes 31 known language versions of the phishing messages that appear in the Skype messenger window. The localization is based on the OS language, obtained via the GetLocaleInfo API. By overriding the return value, you can see the different language versions.

Phishing messages in various languages

Sample of phishing messages in various languages:

  • lol is this your new profile pic?
  • hey é essa sua foto de perfil? rsrsrsrsrsrsrs
  • hej je to vasa nova slika profila?
  • hey c'est votre nouvelle photo de profil?
  • ?hey esta es tu nueva foto de perfil?
  • hey ini foto profil?
  • hei er dette din nye profil bilde?
  • hej to jest twój nowy obraz profil?
  • hey ito sa iyong larawan sa profile?
  • ?aquesta és la teva nova foto de perfil?
  • hej detta är din nya profilbild?
  • hej jeli ovo vasa nova profil skila?
  • hey la anh tieucua ban?
  • sa k’vo profili lusankary
  • hey e la tua immagine del profilo nuovo?
  • tas ir jusu jauna profila bildes?
  • moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
  • hei zhe shi ni de gerén ziliao zhaopian ma?
  • hey bu yeni profil pic?
  • ni phaph porfil khxng khun?
  • hej er det din nye profil billede?
  • hoi schöni fotis hesch du uf dim profil öppe nöd?
  • hé ez az új profil kép?
  • on tämä uusi profiilikuva?
  • eínai aftí i néa fotografía profíl sas?
  • hej je to tvuj nový obrázek profilu?
  • hey is dit je nieuwe profielfoto?
  • tung, cka paske lyp ti nket fotografi?

Arabic (html/js form):

سؤالٴيصورڢك؟

\u0633\u0624\u0627\u0644\u0674\u064A\u0635\u0648\u0631\u06A2\u0643\u061F

Russian (html/js form):

это новый аватар вашего профего ))

\u044D\u0442\u043E \u043D\u043E\u0432\u044B\u0439 \u0430\u0432\u0430\u0442\u0430\u0440 \u0432\u0430\u0448\u0435\u0433\u043E \u043F\u0440\u043E\u0444\u0435\u0433\u043E ))

Japanese (html/js form):

ちょっとこれはあなたの新しいプロフィールの写真ですか?

\u3061\u3087\u3063\u3068\u3053\u308C\u306F\u3042\u306A\u305F\u306E\u65B0\u3057\u3044\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u306E\u5199\u771F\u3067\u3059\u304B\uFF1F

In addition, we found these encrypted strings:

  • {D8E33D0B-0106-46E7-AD6D-215A1797C7CE}: creates a distinctive mutex
  • skype.exe, msnmsgr.exe, msmsgs.exe: used to find the process
  • TcomunicatorForm, tSkMainForm.UnicodeClass, TZapCommunicator: used to access Skype via the SendInput API
  • http://goo.gl/f8p21?profile=echo123: infected hardcoded URL appended to the fake message

Communication with the C&C server uses the following protocols: TCP, IRC, MSNMS and X-MMS-IM. Information about the geolocation of the infected computer is obtained via api.wipmania.com.

How Dorkbot malware hijacks Skype messenger

If you click on the link, your infected computer becomes part of a botnet, or a network of computers controlled by hackers to execute DDoS (distributed denial of service) attacks. A DDoS attack causes the site or service to be temporarily unavailable by flooding the targeted website with traffic until the site’s servers are overloaded.

The Dorkbot malware spreads itself by contacting your Skype contacts with the same "new profile pic" message. The variants can also distribute other types of malware, such as Ransomware/LockScreen, and steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, GoDaddy, PayPal, NetFlix and others. In a deeper analysis, the avast! Virus Lab found a funny anti-debug trick using User32.BlockInput(BlockIt=TRUE), which disables mouse and keyboard input during debugging. Other features of this malware are keyloggers, FTP/HTTP/POP3 hijack/logger, SlowLoris and UDP flooding, HTML/iframe injector, DNS changer, SOCKS proxy, USB infection, FTP infection, lsass.exe/explorer.exe/winlogon.exe injector, remote access and execution, etc.

Phase 1 - Find skype process

kernel32.CreateToolhelp32Snapshot -> kernel32.Process32FirstW -> MSVCRT._wcsicmp -> kernel32.Process32NextW

Phase 2 - Set application access via Skype API

Phase 3 - bypass "Allow access" button (AutoIt style):

User32.FindWindow(TCommunicatorForm) -> User32.FindWindow(tSkMainForm.UnicodeClass) -> User32.FindWindow(TZapCommunicator) -> User32.ShowWindow(SW_NORMAL) -> User32.SetFocus -> User32.PostMessageW -> User32.SendInput(VK_TAB > WM_KEYDOWN > VK_TAB > WM_KEYDOWN > VK_RETURN > WM_KEYDOWN)

Phase 4 - send fake message with infected URL to messenger via Skype API
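
A defender-side check for the Phase 4 lure, added here as an example (it is not code from the Avast analysis or from the malware): it scores an incoming chat message on three traits this page reports, a known lure phrase, a shortener host, and a `profile` query parameter, after decoding the escaped html/js form. The `SHORTENERS` set, the threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A few lure phrases quoted on this page, lower-cased for matching.
LURES = (
    "is this your new profile pic",
    "c'est votre nouvelle photo de profil",
    "esta es tu nueva foto de perfil",
    "is dit je nieuwe profielfoto",
    "это новый аватар",
)
# Assumption: shortener hosts treated as suspicious; only goo.gl is on the page.
SHORTENERS = {"goo.gl"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ESC_RE = re.compile(r"\\u([0-9a-fA-F]{4})")

def unescape_js(text):
    # Decode backslash-u escapes so the escaped and plain forms compare equal.
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)

def score_message(text):
    # Return (score, reasons); one point per distinct trait found.
    text = unescape_js(text)
    low = text.casefold()
    reasons = set()
    if any(lure in low for lure in LURES):
        reasons.add("lure-phrase")
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() in SHORTENERS:
            reasons.add("shortener")
        if "profile" in parse_qs(parts.query):
            reasons.add("profile-param")
    return len(reasons), sorted(reasons)

def flag(messages, threshold=2):
    # Indexes of messages that reach the threshold (assumed default: 2 traits).
    return [i for i, m in enumerate(messages) if score_message(m)[0] >= threshold]

# Constructed sample messages; the short-link path is a placeholder.
SAMPLES = [
    "lol is this your new profile pic? http://goo.gl/XXXXX?profile=alice",
    r"\u044D\u0442\u043E \u043D\u043E\u0432\u044B\u0439 \u0430\u0432\u0430\u0442\u0430\u0440 http://goo.gl/XXXXX?profile=bob",
    "slides are here: http://goo.gl/XXXXX",
    "here is the doc https://example.com/report?id=7",
]

if __name__ == "__main__":
    for i in flag(SAMPLES):
        print(i, score_message(SAMPLES[i]))
```

A single trait, such as a bare short link, stays below the threshold, so ordinary link sharing is not flagged.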

Decrypted Dorkbot malware

Here is a list from decrypted Dorkbot malware


Skype recommends upgrading to the latest version and applying updated security features on your computer. Additionally, following links - even when from your contacts - that look strange or are unexpected is not advisable.

 
