Double Skype attack confuses security firms

Two different pieces of malware were set loose on Skype users this week and although neither seems to be causing serious problems, security firms are confused.Just 24 hours after warning that there may be a worm exploiting the popular Skype Internet telephony service, Websense reclassified the pest as a Trojan horse.

Two different pieces of malware were set loose on Skype users this week and although neither seems to be causing serious problems, security firms are confused.

Just 24 hours after warning that there may be a worm exploiting the popular Skype Internet telephony service, Websense reclassified the pest as a Trojan horse. Symantec has published an advisory about a similar piece of malware attacking the same program but it is calling the malware a worm. Finnish antivirus firm F-Secure admitted the double attack has confused security firms.

The confusion seems to have arisen because security firms have different variants of the malware, said F-Secure.

"We've received some queries about a possible Skype worm going around. The situation is a bit confusing right now," wrote Mikko Hyppönen, chief research officer, in the F-Secure blog.

Hyppönen explains that there are only a limited number of infected systems.

"There is something spreading on Skype, but only in limited numbers ... It is not exploiting a vulnerability in Skype but simply sending chat messages asking you to download and run the infected executable.

"There seems to be two different and separate malware samples being talked about relating to this case, confusing things further," he wrote.

Both malware samples seem to behave in a similar fashion -- the Skype users receive an instant message (IM) asking them to download and run a file. Once that file is executed, it installs spyware that can steal passwords and other personal information. The spyware then connects to a remote server and is able to download additional code.

Symantec is sticking by its classification. A spokesperson from Symantec Security Response told ZDNet Australia: "We consider this as a worm. Just because the user has to allow it to run, doesn't stop it being a worm. It still has the ability to propagate itself".

According to a report published by Symantec earlier this week, IM is a prime target because it is still relatively unprotected and unmonitored. The company expects an increase in IM-related threats during 2007.

"Instant messaging continues to be the fastest growing communications medium, with an estimated 484 million enterprise and consumer users by the end of 2007. Global services such as AOL Instant Messenger, MSN Messenger, and Yahoo Messenger report a total of more than 15 billion messages sent per day.

"Though widely adopted, IM is generally unprotected and unmonitored, leaving it vulnerable to attacks and exploits. These attacks have grown exponentially over the past three years," the report said.