Early this evening, Symantec issued an advisory that they have discovered the availability of source code for a Trojan that targets Skype users. The Trojan, once installed on a system, has the ability to record conversations in progress, and transmit the recording to a third party.
The Trojan is being called Trojan.Peskyspy, and can be delivered in any number of ways, including email links and social engineering attacks, where a user is tricked into downloading and installing an application.
The Trojan is targeting Windows API hooks, a technique used to alter the planned behavior of an application, which Microsoft has intended to be used by audio applications. The Trojan compromises the machine and then through the hooking technique is able to eavesdrop on a conversation before it even reaches Skype, or any other audio application.
Once a machine has been compromised, the Skype Trojan can use an application that handles audio processing within a computer and save the call data as an MP3 file. This MP3 is then sent over the Internet to a predefined server where the attacker can then listen to the recorded conversations. The MP3 is stored locally and encrypted before it is sent off.
“Recording the call as an MP3 keeps the size of the audio files low and means there is less data to be transferred over the network, helping to speed up the transfer and avoid detection,” Symantec said in their alert.
Presently, Symantec is calling the risk posed by this threat quite low, as they have not seen any evidence of compiled versions of the Trojan moving around online.
However, because the source code is publicly available, Malware authors can incorporate this type of functionality into their own malicious code. As a precaution, since there is no hard mitigation for the Trojan’s abilities aside from uninstalling Skype, Symantec says users should follow security best practices, install and keep up-to-date security software, and not click on links in suspicious e-mails.
In a semi-related story, since the Skype Trojan could be linked to Phishing scams, this alert comes in the same week that Symantec declared the start of Phishing Season.
With summer ending, Symantec said that they expect to see an increase in overall Phishing activity over the coming months.
“The number of Phishing attacks we observe tends to follow a natural pattern of high and low points, with the high points often occurring in the latter half of the year,” a company spokesperson said.
As more information on the Skype Trojan emerges, we will update this article.