{"id":6944,"date":"2012-05-15T14:46:22","date_gmt":"2012-05-15T21:46:22","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=6944"},"modified":"2018-10-05T10:59:49","modified_gmt":"2018-10-05T16:59:49","slug":"poison-ivy-trojan-spreading-across-skype","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/05\/15\/poison-ivy-trojan-spreading-across-skype\/","title":{"rendered":"Poison Ivy trojan spreading across Skype"},"content":{"rendered":"<p>Last night, a friend of mine surprisingly messaged me at 6:33 AM on Skype, with a message pointing to what appeared to be a photo site with the message &#8220;<em>hahahahaha foto<\/em>&#8221; and a link to <em><strong>hxxp:\/\/random_subdomain.photalbum.org<\/strong><\/em><\/p>\n<p>What was particularly interesting is that he created a group, and was basically sending the same message to all of his contacts. Needless to say, the time has come for me to take a deeper look, and analyze what appeared to be a newly launched malware campaign using Skype as a propagation vector.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-6953\" title=\"Skype_malware_campaign_PhotoAlbum\" src=\"http:\/\/webrootblog.files.wordpress.com\/2012\/05\/skype_malware_campaign_photoalbum.png\" alt=\"\" width=\"596\" height=\"401\" \/><\/p>\n<p>Once the socially engineered user clicks the link, a download window automatically prompts them to download the following file &#8211;\u00a0<em><strong>Photo9321092109313.JPG_www.facebook-com.exe<\/strong><\/em>. Notice how the cybercriminals behind the campaign try to trick end users into thinking that they&#8217;re about to open\u00a0an image file, potentially coming from Facebook. 
In reality, though, it&#8217;s an executable.<\/p>\n<ul>\n<li><strong>Security tip:<\/strong>\u00a0Windows users can see how to display full file extensions <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows-vista\/show-or-hide-file-name-extensions#bodyContentPane\"><strong>here<\/strong><\/a>, and Mac OS X users can see how to display full file extensions <a href=\"http:\/\/www.ehow.com\/how_4518148_items-mac-os-x-finder.html\"><strong>here<\/strong><\/a>.<\/li>\n<\/ul>\n<p><strong>Malicious subdomains spamvertised over Skype messages:<\/strong><\/p>\n<ul>\n<li>hxxp:\/\/new07.photalbum.org<\/li>\n<li>hxxp:\/\/new39.photalbum.org<\/li>\n<li>hxxp:\/\/new67.photalbum.org<\/li>\n<li>hxxp:\/\/new43.photalbum.org<\/li>\n<li>hxxp:\/\/new32.photalbum.org<\/li>\n<li>hxxp:\/\/new56.photalbum.org<\/li>\n<\/ul>\n<p><strong>photalbum.org<\/strong> &#8211; 98.124.198.1 (AS21740, DemandMedia) &#8211; Email: cuti@ilirida.net<\/p>\n<p><strong>The following domains were also registered using the same email address:<\/strong><\/p>\n<ul>\n<li>photo-facebook.info<\/li>\n<li>Msn-gallery.net<\/li>\n<li>Ebunet.org<\/li>\n<li>Mut-article.net<\/li>\n<li>Megaarticles.biz<\/li>\n<li>Megaarticles.org<\/li>\n<\/ul>\n<p>The <em><strong>Photo9321092109313.JPG_www.facebook-com.exe<\/strong><\/em> sample has the following MD5, <a href=\"https:\/\/www.virustotal.com\/file\/96260b914a968484763331fa6cd6c67034f9a6d1fedc541b2bf1946c549ec6c5\/analysis\/1337000201\/\"><strong>MD5: bc3214da5aac705c58a2173c652e031e<\/strong><\/a>, and is currently detected (e.g. as Trojan.Win32.Jorik.PoisonIvy.yy or Trojan.Win32.Diple!IK) by 16 out of 42 antivirus engines.<\/p>\n<p>Upon execution, the binary creates a batch script, installs a program to run automatically at logon, and creates a thread in a remote process.<\/p>\n<p><strong>It then phones back to the following 
domains\/IPs:<\/strong><\/p>\n<ul>\n<li>hd.hidbiz.ru<\/li>\n<li>4.45.182.239:1986<\/li>\n<\/ul>\n<p>Another sample, <a href=\"http:\/\/www.sophos.com\/de-de\/threat-center\/threat-analyses\/viruses-and-spyware\/Mal~EncPk-AEI\/detailed-analysis.aspx\"><strong>MD5: fe18d433eb8933fa289b5d9a00e2f5c7<\/strong><\/a>, is known to have used these C&amp;C domains\/URLs before. It also modifies the browser&#8217;s start page: <em>Start Page = &#8220;hxxp:\/\/enaricles.com&#8221;<\/em>.<\/p>\n<p><strong>More malware MD5s that modify the browser&#8217;s start page to hxxp:\/\/enaricles.com:<\/strong><br \/>\nMD5: 5de919fad7969043a3ebeff2e103b996<br \/>\nMD5: 23db2396cccc6f70f37153419ba14d6b<br \/>\nMD5: 45958771468f1ad3200e60c89126b285<br \/>\nMD5: 435a9835464ccff075339d7021508609<br \/>\nMD5: ec06e9ee54f8534beb35f45f03ac0cbc<\/p>\n<p>Hijacked, legitimate Skype accounts are invaluable from a social engineering perspective: trust is vital, and even novice end users know it. If the cybercriminals were to automatically register thousands of bogus accounts, they could only reach users who allow messages from people who are NOT on their contact list. Although millions of Skype users continue to receive such messages, the majority of successful malware campaigns using Skype as a propagation vector tend to involve trusted, compromised Skype accounts, in an attempt to increase the probability of a successful infection.<\/p>\n<ul>\n<li><strong>Security tip: <\/strong>To stop receiving messages from people not on your contact list, <a href=\"http:\/\/community.skype.com\/t5\/Security-Privacy-Trust-and\/How-to-Handle-Suspicious-Calls-Messages-and-Contact-Requests\/m-p\/77688#M441\"><strong>follow the instructions offered here<\/strong><\/a>.<\/li>\n<\/ul>\n<p>What&#8217;s so special about the payload anyway? 
The payload is a copy of the infamous Poison Ivy DIY RAT (Remote Access Tool), the kind of malware also referred to as a trojan horse or backdoor. The attackers chose this easy-to-obtain, off-the-shelf RAT for serving malicious code rather than coding a backdoor from scratch.<\/p>\n<p><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\"><strong>Webroot SecureAnywhere<\/strong><\/a> proactively protects against this threat.<\/p>\n<p><em>You can find more about Dancho Danchev at his\u00a0<strong><a href=\"http:\/\/nl.linkedin.com\/in\/danchodanchev\">LinkedIn Profile<\/a><\/strong>. You can also\u00a0<strong><a href=\"http:\/\/www.twitter.com\/danchodanchev\">follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last night, a friend of mine surprisingly messaged me at 6:33 AM on Skype, with a message pointing to what appeared to be a photo site with the message &#8220;hahahahaha foto&#8221; and a link to hxxp:\/\/random_subdomain.photalbum.org What was particularly interesting is that he created a group, and was basically sending the same message to all 
[&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[10729,10719,3619,10723,5717,10717,10725,10709,10721,10731,10727,10715,10707,10735,10713,3529,10733,10711,10705,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6944"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=6944"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6944\/revisions"}],"predecessor-version":[{"id":25333,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6944\/revisions\/25333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=6944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=6944"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=6944"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=6944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
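The indicators in the post (the rotating newNN.photalbum.org subdomains, the hd.hidbiz.ru and 4.45.182.239:1986 C&C endpoints, the sample MD5s) and the JPG_...exe file-name trick lend themselves to a small triage script. The following is an added example, not code from the Webroot post or from Webroot: it runs over a few constructed log lines (the log format is an assumption, not Skype's real log format), matches hosts against the post's domains including any subdomain, matches the C&C socket and MD5s, and flags the extension disguise more generally than the single .JPG_ case the post shows (for instance invoice.pdf.scr).

```python
"""Indicator triage for the Skype "foto" campaign described above.

Added example, not code from the Webroot post. The indicator values are the
ones listed in the post; the log lines below are constructed for the demo and
the log format is an assumption, not Skype's real log format.
"""
import re

# Indicators from the post. Domain matches cover subdomains, because the
# campaign rotated newNN.photalbum.org hosts (new07, new39, new67, ...).
IOC_DOMAINS = {"photalbum.org", "hd.hidbiz.ru", "enaricles.com"}
IOC_SOCKETS = {("4.45.182.239", 1986)}
IOC_MD5S = {
    "bc3214da5aac705c58a2173c652e031e",  # Photo9321092109313.JPG_www.facebook-com.exe
    "fe18d433eb8933fa289b5d9a00e2f5c7",
    "5de919fad7969043a3ebeff2e103b996",
    "23db2396cccc6f70f37153419ba14d6b",
    "45958771468f1ad3200e60c89126b285",
    "435a9835464ccff075339d7021508609",
    "ec06e9ee54f8534beb35f45f03ac0cbc",
}

# Extension-disguise check: a decoy "extension" inside the name and a real
# executable extension at the end. Generalises the post's .JPG_ case.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "txt"}
EXEC_EXTS = {"exe", "scr", "pif", "bat", "cmd", "com"}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
FILE_RE = re.compile(r"[\w.\-]+\.(?:exe|scr|pif|bat|cmd)\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def is_disguised_executable(filename: str) -> bool:
    """True for names like Photo....JPG_www.facebook-com.exe or invoice.pdf.scr."""
    parts = filename.lower().split(".")
    if len(parts) < 3 or parts[-1] not in EXEC_EXTS:
        return False
    # "JPG_www" -> "jpg": the decoy extension may be glued to filler with "_"
    return any(tok.split("_")[0] in DECOY_EXTS for tok in parts[1:-1])


def matches_ioc_host(host: str) -> bool:
    """Exact match or subdomain of a listed domain (notphotalbum.org does not match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage_line(line: str) -> dict:
    """Return every indicator type that fires on one log line."""
    hosts = {h.lower() for h in HOST_RE.findall(line) if matches_ioc_host(h)}
    sockets = {(ip, int(port)) for ip, port in SOCKET_RE.findall(line)
               if (ip, int(port)) in IOC_SOCKETS}
    files = {f for f in FILE_RE.findall(line) if is_disguised_executable(f)}
    md5s = {h.lower() for h in MD5_RE.findall(line) if h.lower() in IOC_MD5S}
    return {"hosts": sorted(hosts), "sockets": sorted(sockets),
            "files": sorted(files), "md5s": sorted(md5s)}


def triage(lines):
    """Return (line_number, hits) for each line where at least one indicator fires."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = triage_line(line)
        if any(hits.values()):
            out.append((n, hits))
    return out


# Constructed sample, mirroring the infection chain in the post (assumed format).
SAMPLE_LOG = [
    '2012-05-15 06:33:12 MSG from=friend01 "hahahahaha foto hxxp://new07.photalbum.org"',
    '2012-05-15 06:33:40 DOWNLOAD Photo9321092109313.JPG_www.facebook-com.exe md5=bc3214da5aac705c58a2173c652e031e',
    '2012-05-15 06:34:02 CONNECT 4.45.182.239:1986',
    '2012-05-15 06:34:05 DNS hd.hidbiz.ru',
    '2012-05-15 07:10:00 MSG from=alice "lunch pics http://photos.example.net/holiday.jpg"',
]

if __name__ == "__main__":
    for n, hits in triage(SAMPLE_LOG):
        print(n, {k: v for k, v in hits.items() if v})
```

Only the first four sample lines produce hits; the benign holiday.jpg message is left alone. The host check deliberately requires a dot before the listed domain so that look-alike names such as notphotalbum.org do not fire, and the defanged hxxp:// scheme in the Skype message needs no special handling because hosts are matched on their own, not as parsed URLs.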