State University of Information and Communication Technologies
Address:
03110, Ukraine
Kyiv, 7 Solomyanska Street
Backdoor for Skype steals data

11:32, 22-02-2016

Researchers at Palo Alto Networks have found a backdoor that can steal video, audio, messages and screenshots from Skype.

According to the experts, the malware, called T9000, goes to great lengths to remain undetected. It belongs to the Plat1 family and has been used in phishing attacks against a number of US organizations.

To start the T9000 installation process, the user needs to open a malicious .rtf file received in a phishing message. The multi-stage installation process lets the malware avoid detection.

First, T9000 carefully checks whether one of 24 security products is installed on the system (Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising and 360), and then adapts its installation process to bypass the protection it finds.

In the second stage a malicious DLL library is loaded, and the backdoor again checks which of the antivirus products could be a threat to it. Depending on the result of this check, the malware uses one of three possible scenarios to start the third stage. The malicious component itself is not loaded until the fourth stage, and even then T9000 can quietly remove itself without a trace if it finds antivirus processes running on the system. If the installation succeeds, the user name and OS version are sent to a remote server, which in turn delivers the modules that let the attackers steal data.

The first module takes screenshots every 20 seconds and gathers information from Skype. If Skype is running, the attacker tricks the victim into granting the explorer.exe executable permission to access Skype; without this the attack does not work. If successful, the attacker can record audio and video calls and collect text messages.
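A screenshot module that fires on a fixed 20-second cadence leaves a regular rhythm in endpoint telemetry that legitimate screen-capture tools rarely produce. The following Python script is an added example of that detection idea and is not part of the original article or of Palo Alto's published indicators: it parses constructed process-activity log lines (the timestamps, PIDs, image names and the "ScreenCapture" event label are all assumptions made up for this example) and flags any process whose capture events arrive at an almost constant interval.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry for this example (not real T9000 data).
# Format: <ISO timestamp> <pid> <image> <event>
SAMPLE_LOG = """\
2016-02-22T11:00:00 4120 unknown_update.exe ScreenCapture
2016-02-22T11:00:20 4120 unknown_update.exe ScreenCapture
2016-02-22T11:00:40 4120 unknown_update.exe ScreenCapture
2016-02-22T11:01:00 4120 unknown_update.exe ScreenCapture
2016-02-22T11:01:20 4120 unknown_update.exe ScreenCapture
2016-02-22T11:00:05 2210 snippingtool.exe ScreenCapture
2016-02-22T11:03:41 2210 snippingtool.exe ScreenCapture
2016-02-22T11:00:10 1880 skype.exe ProcessStart
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, pid, image, event) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pid, image, event = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), int(pid), image, event))
    return records


def find_periodic_capture(records, min_samples=4, tolerance=0.1):
    """Flag processes whose ScreenCapture events arrive at a near-constant interval.

    A process is reported when it has at least `min_samples` capture events and the
    relative spread of the gaps between them (stddev / mean) is within `tolerance`.
    Returns a list of findings sorted by pid.
    """
    captures = defaultdict(list)
    for ts, pid, image, event in records:
        if event == "ScreenCapture":
            captures[(pid, image)].append(ts)

    findings = []
    for (pid, image), stamps in captures.items():
        if len(stamps) < min_samples:
            continue  # too few events to judge the cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= tolerance:
            findings.append({
                "pid": pid,
                "image": image,
                "count": len(stamps),
                "period_s": round(avg, 1),
            })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in find_periodic_capture(parse_log(SAMPLE_LOG)):
        print(f"periodic screen capture: pid={finding['pid']} image={finding['image']} "
              f"every {finding['period_s']}s ({finding['count']} events)")
```

The heuristic deliberately needs several samples before it speaks up, so an analyst taking two screenshots by hand (the snippingtool.exe lines) is not reported, while the constructed unknown_update.exe process with its strict 20-second rhythm is. In a real deployment the interval and tolerance would be tuned against the organisation's own telemetry, and a hit would be a lead for investigation rather than proof of infection.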

But T9000 is not limited to this: it also steals documents in .doc, .ppt, .xls, .docx, .pptx and .xlsx format, including from removable disks. A separate plugin, FlaskDiskThief, is responsible for this.

The third plugin is used for logging file changes: the malicious component tracks when a file is created, copied, moved or deleted.

According to the researchers, the attackers need this data to study the victim's behaviour, which may ultimately give them useful information for "deepening" the attack. Palo Alto has published a list of indicators of the attack and hopes that a way to counter the malware will be available in the near future; until then, users are advised to be particularly careful, since a key element of the attack is the user's consent to the malicious application's permission request.

© When using materials from the DUIKT website in full or in part, a hyperlink to https://duikt.edu.ua/ is mandatory!