Trojan Horse Dupes Skype Users, Steals Personal Info

Skype Ltd. again warned users of its software that malicious code targeting the voice-over-IP (VoIP) and instant messaging service was on the prowl, the second such alert in the past five weeks.

A Trojan horse posing as a Skype add-on is stealing log-on credentials, the company's online spokesman, Villu Arak, said yesterday in a blog posting. Calling itself Skype Defender, the malware installs if users download and run the executable SkypeDefenderSetup.exe, then launches to display a mock Skype interface complete with username and password fields. Entering valid information, however, only results in the bogus application claiming, "Your Skype name and password were not recognized. Please check and try again."

By that time, the log-on information, usernames and passwords remembered by Internet Explorer have been snatched and sent to the attacker.

The alert came five weeks after Skype acknowledged that the Ramex.a worm was hijacking computers running the VoIP software.

Most security vendors had updated their detection signatures by Wednesday morning to account for the new threat. "The PWS-Pykse Trojan does not spread by itself," said Pradeep Govindaraju, a McAfee Inc. researcher, on the company's security blog today. "It relies on social engineering techniques to trick the victim into executing it and is usually posted onto dodgy sites or forums."

Links to sites hosting the Trojan horse have been passed to some Skype users via instant messaging, other security researchers reported.

"An alert Skype user would notice that it looks very different from the normal log-in window," added Govindaraju, "especially since none of the hyperlinks or options displayed are functional."

In other security news involving Skype, Websense Inc. warned of a scam that arrives as a spammed instant message and claims that the recipient's PC is infected with multiple pieces of malware. Coming from a user dubbed "Scan Alert," the message prompts the user to click on a link to download a patch; naturally, the "patch" is no such thing.

Instead, the Web site displays a dialog asserting that the PC is infected and offers to remove the malicious code if the user pays $19.95 for something called "Windows Software Patch -- Scan & Repair."

The scam is a triple threat, said Websense in a warning posted to its Web site. "This serves as [an] example of spam propagating on Skype, with malware authors utilizing social engineering to pass their malware off as legitimate software and attempting to collect money directly at the same time."