Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cert write up on Skype IMBot Logic and Functionality.

Published: 2010-03-11
Last Updated: 2010-03-11 18:28:34 UTC
by donald smith (Version: 1)
0 comment(s)

CERT.at has provided a good technical analysis of a Skype IMBot.
The authors, Christian Wojner, L. Aaron Kaplan, did a good job of analysis of this IMBot.
They also "swapped notes" with Aaron Hackworth of secureworks.com. Such public/private collaboration I find to be very encouraging.

This is a fairly new vector. I have seen other IM based malware using skype IM so it’s not brand new but not too common yet either. The malware detects many Reverse Engineering applications and attempts to make the system unbootable if any type of RE is detected. It uses a new (novel) method to hide its processes/files. It scans local networks for 445 probably to exploit one of the many Microsoft vulnerabilities that can be exploited via that service. It uses "conficker like" encryption. It had logic to "infect" usb drives.

I really enjoyed this analysis as it included some interesting approaches and pointed to functionality that appeared to be in the bot but they were unable to trigger within their RE environment.
http://cert.at/static/downloads/papers/cert.at-an_analysis_of_the_skype_imbot_logic_and_functionality_1.2.pdf
 

Keywords: skype im bot
0 comment(s)
Diary Archives