Ransomware Found Lurking in Skype Ads

Ransomware, ,
18
Jul 2017

skype-crossed-640x360Skype is a great tool for businesses to communicate with customers and partners, but now it appears that it’s being used as a delivery route for ransomware.

PC users who are using the Microsoft Skype App have reported that fake adverts have been appearing which contain a malicious payload in the form of ransomware. As per usual, this strain of ransomware locks the user’s computer, encrypts files and demands a ransom for unlocking the PC.

Ransomware is becoming increasingly more common and, as Skype is such an important communication tool, there’s a good chance that your business could find itself confronted with it. Therefore, I’m going to delve a little deeper into what’s behind this latest attack.

Skype Ransomware

ransomware-illustrationThe malicious adverts that have been appearing claim that a critical Flash update is required and offers a link to this ‘critical’ update. However, this advert – which appears on the Skype home screen – is actually a link to a HTML application that, although looking genuine, downloads a nasty dose of ransomware to your PC.

And it’s a particularly sneaky piece of ransomware as this malicious payload also runs a piece of code which deletes the downloaded application and then downloads a piece of JavaScript from a website which no longer exists. The domains being used are setup and then shut down almost instantly to prevent any form of registration fee being taken. It’s these seemingly odd processes which help to disguise the hacker’s activities and protect them from being detected by standard antivirus operations.

It’s believed that this new piece of ransomware is related to the Locky ransomware attack – which caused so much trouble in 2016 – as it shares a number of similarities such as utilizing JavaScript to shutdown computers and encrypt files without an additional app being used to execute this.

How to Tackle the Skype Ransomware

At present there is no solution to the Skype ransomware attack and Microsoft have only been able to offer the advice that users should refrain from clicking on unsolicited links. And, unfortunately, due to ransomware being so difficult to treat, prevention tends to be the best cure for ransomware.

There are, however, a few steps you can take to minimize the damage:

  • Ensure that your staff is educated to recognize what constitutes a piece of ransomware. This knowledge, though, can quickly expire if your staff isn’t regularly exposed to such attacks, so refresher courses are recommended to keep this knowledge fresh and provide updates on any changes in ransomware techniques.
  • If you fall victim to a ransomware attack then the first step you should take is to shut your network down as soon as possible. Going offline is the only way you can prevent the hacker from burrowing deep into your system and encrypting files.
  • Always back up your files so that, in the case of encryption, you still have access to your files and do not need to pay a ransom fee or invest valuable man power into tackling the attack. It’s recommended that these are backed up to physical media which has no connection to the internet.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

T9000 Trojan Can Compromise Skype and PC Security

Security, ,
15
Mar 2016

skype-lockAside from when video connections drop out, is a useful piece of software for businesses. However, the T9000 trojan is compromising Skype’s security.

Skype is an amazingly innovative app which has helped make the world that little bit smaller and cost effective. The days of having to pay extortionate rates to call people on the other side of the globe are over. And you can even throw in video conferencing as an added bonus!

Unfortunately, hackers are also innovative and if they discover there’s even a minuscule opportunity to breach a piece of software they’ll pounce upon it. Researchers at Palo Alto Networks have discovered that this is exactly what is happening with Skype and the T9000 trojan.

As Skype is an essential business tool, it was crucial to look through what the T9000 is capable of and how to protect yourself.

The Hard Facts about the T9000

Virus Detected

The T9000 trojan is actually an upgrade of the T5000 trojan which was first spotted in 2013/14. The delivery route of the T9000 trojan appears to be through spear phishing emails in the form of infected Rich Text Format (RTF) files which contain exploits for Microsoft Office controls.

Once the malware contained within these RTF files is activated, the following processes take place:

  • The first step the malware takes is to check for the presence of the 24 most common security products e.g. Kaspersky, AVG and McAfee
  • The malware is then installed onto the system’s hard drive and performs a number of checks which allow the T9000 trojan to relay information about the user’s system to the control and command centre supporting the attack
  • Three plugins (tyeu.dat, vnkd.dat and qhnj.dat) are then decompressed and executed on the infected system
  • The tyeu.dat plugin is the one which will hijack Skype through a user prompt next time Skype is started

If this user prompt is authorized then the T9000 can begin spying on the user’s Skype sessions.  This allows the T9000 the perfect opportunity to steal screenshots, audio and video data from the infected system.

The vnkd.dat plugin also works away in the background with its main intent being to steal files from the hard drive or any removable devices. Finally, the qhnj.dat plugin gives the control and command center the opportunity to send commands to the infected computers and spy on any user activity.

Protecting yourself from the T9000

virus_protection

The T9000 trojan is a very sophisticated piece of malware which threatens the security of your system on a number of different levels. The key to avoiding infection, as ever, is to practice good security methods.

Training staff on the dangers of unknown and unusual attachments is paramount, but your staff are only human and mistakes will no doubt be made. The T9000, however, is not infallible, so if your business has professional network security in place the threat will be limited or stopped in its tracks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More