Malware targeting Skype missed a trick

Last week reports came out stating that the Dorkbot worm is now targeting Skype users. The worm fools users into downloading the malware, whose payload locks down machines. Once infected, users’ contact lists are pinged with the message “LOL is this your new profile pic?” and a .zip file.

When the .zip file is clicked it opens a backdoor and installs the worm. The machine is then enlisted into a botnet and users are asked to make a $200 payment within 24 to 48 hours in order to receive their files back.

This ransomware aspect of the worm is a new element compared to the previous strains that affected Facebook and Twitter.

Dominique Karg, Chief Hacking officer from AlienVault, comments on why he thinks the Dorkbot will not be as effective as it could have been:

“There are three things about this worm that surprises me:

Firstly, the phrase “LOL is this your new profile pic?” makes it look like this is targeted at a younger segment of the population. Therefore really narrowing down on the victims.

If the target is the younger generation then $200 seems like a lot of money for that “target” audience. Why not make it $50? I think a lot more people who have contacts who would send them a .zip file with a “LOL is this your new profile pic?” message would pay $50 or $100 rather than $200. And I’m thinking about the US here. $200 in some other countries is a small fortune…

Why the 24/48 hour timeframe? Are the authors trying to urge people into paying before the malware gets deleted? The harm is done anyway at this point, deleting the malware won’t get the files back, as far as I know, so why the urge?

This malware doesn’t exploit any system vulnerability; it exploits trust so with the right message they could have got a lot more people to be fooled into executing the program (worm). We always warn people to disregard attachments from unknown people. However, in this case this file is being sent from your trusted “buddies’.

It surprises me that the people who have written this malware have not made the message change depending on the target. If the target’s name is 2 words, then they could have put something more serious, like “please don’t share this but I wanted you to have it”, while to a 1 word destination (much more likely to be a nickname or a “buddy”) they could have sent the above message.

Finally, in Skype you can also see the local time for your contacts, which should give you a rough idea of where they are located at “wealth” wise, therefore enabling them to adjust the ransom accordingly. The writers of this malware are definitely missing a trick.”

Don't miss