Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.
The Skype-looking specimen first seemed to simply be supporting Skype communications traffic, but it was installed in an unusual directory location and configured to operate as a standalone VoIP application. One of the tip-offs that it was malware was the strange network traffic spike occurring during off-peak hours and difficulties that systems administrators had getting to the domain controller. A close look at the Skype specimen in the executables removed from the domain controller showed a creative attacker had used a modified version of the old Skype software development kit (SDK) and turned it into a remote-access Trojan to steal corporate data.
This malicious software had accomplished what some had predicted about eight years ago could be done to exploit Skype when "researchers discovered the ability to use Skype as a remote-control procedure," says Butterworth, executive director of commercial services at ManTech.
The malware had been designed using a modified version of the old "SkypeKit" SDK which existed before Microsoft acquired Skype, and it appeared to include a backdoor functionality.
The malware was a one-time instance that wasn't found elsewhere in the victim's network, but in this case it was being used to steal corporate data by connecting to a Skype-looking account outside the network to various locations around the world.
In the report it has published about all this, HBGary pointed out, "Normally a SkypeKit client would require a certificate to initiate a session with Skype servers. The backdoor contains such a certificate and it is passed to Skype API calls, but this is only for compatibility with the SkypeKit runtime; the modified version of the runtime does not use it for authentication (as verified during analysis by subverting this step). Once authenticated, it waits for incoming message events and treats them as commands.
"If Skype is normally used on the compromised system, network traffic will show nothing unusual."
Butterworth says all this has been the most "peculiar" malware specimen he's seen so far, and it's a warning of how a publicly-available SDK can be used to create malware that hides in plain sight.
"This attack was not advanced in its development, nor did it contain substantial covert aspects to it," the HBGary report concludes. "The attacker knows, when hiding in plain sight and somehow relating to a commonly recognizable program, they are likely able to remain under the radar. This would still be the case for this incident, had it not been for the out-of-band network activity and the criticality of the machine this was present on."
Sign up for MIS Asia eNewsletters.