“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool”
Researchers at Palo Alto Networks commenting on the T9000 malware that affects Skype users
Skype users, there is a T9000 Terminator on the loose that's stealing your data.
Researchers at Palo Alto Networks have discovered malware that can screenshot and record victims’ Skype calls, video and text chats, as reported in the article “New Skype Malware Records Users’ Audio, Video, Text Conversations While Evading Detection By Leading Security Tools”, published Monday February 8th 2016 by Cammy Harbison, iDigitaltimes.
The malware, dubbed T9000, is basically a Trojan horse upgrade to the T5000 malware that targeted Microsoft Windows machines back in 2014. Also called Plat1 or Grand Theft Auto Panda, T5000 was also famous for spying on Skype calls, as explained in “Skype users targeted by info-stealing malware”, published Feb 8 2016 by Juha Saarinen, ITNews.
So how is this version of the Grand Theft Auto Panda malware more dangerous?
Palo Alto Networks finds T9000 Trojan malware that spies on Skype calls - Stealth mode detects antivirus and evades them
This time around, the T9000 has a new trick up its sleeve: it can detect other antivirus programs running on the computer it infects, as noted in the article “T9000 malware records Skype calls, screenshots, and text messages to steal data”, published February 8, 2016 by Danny Palmer, ZDNet.
It can detect some twenty four (24) different antivirus programs and actually change how it installs itself to avoid detection, as pointed out in “Skype users warned of T9000 malware threat that records video and text chats”, published 09 Feb 2016 by Chris Merriman, V3.
The programs that it can avoid include:
1. AhnLab
2. AVG
3. Avira
4. Baidu
5. BitDefender
6. Comodo
7. DoctorWeb
8. Filseclab
9. GData
10. INCAInternet
11. JiangMin
12. Kaspersky
13. Kingsoft
14. McAfee
15. Micropoint
16. Norton
17. Panda
18. Rising
19. Qihoo 360
20. Sophos
21. Tencent
22. Trend Micro
23. TrustPort
24. VirusChaser
Because of this new ability, researchers at Palo Alto Networks have christened it an active “backdoor” to Skype. The researchers at Palo Alto Networks are not saying who made it, but if it’s an upgrade to the T5000 malware from 2014, it might be the work of a cyber-espionage group suspected of having Chinese Government backing.
So how does this malware get to infect your computer in the first place?
T9000 Trojan malware phishing trip - avoid explorer.exe requests and upgrade Windows Defender
It starts off real simple, in the form of a phishing trip!
It'll infect your system via a suspicious email carrying an innocuous-looking RTF (Rich Text Format) file that you'll probably not think twice about clicking on. After all, it’s just a document file, you think, right?
But once you open the file, it gets to work, rolling out two (2) powerful exploits. First it scans the entire computer to detect what types of antivirus programs are running on it. Once it knows the system's defences, it alters the way it installs itself onto the computer in order to evade detection.
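As an added example (not code from the original post, nor from Palo Alto Networks or Microsoft), here is a small Python triage script that a mail gateway or an analyst could run over incoming attachments before anyone opens them. It checks the two things the RTF lure described above relies on: whether the bytes are really an RTF document whatever extension the file carries (Word renders RTF content even when the file is named .doc), and whether the document embeds OLE objects, the standard RTF feature that document exploits of this kind carry their payload in. The file names and RTF contents below are constructed for the demonstration; the only facts the script depends on are the RTF header and the standard `\object`, `\objdata` and `\objclass` control words from the RTF specification.

```python
"""Triage inbound RTF attachments for embedded OLE objects.

Added example, not code from the original post or from Palo Alto Networks.
Flags (a) RTF content hiding behind a non-.rtf name and (b) embedded OLE
objects, so such files can be held for review instead of opened.
"""
import re
from pathlib import Path

# Constructed sample attachments (hypothetical names and content, not real
# T9000 samples).
SAMPLES = {
    # Named .doc but actually RTF; plain text only.
    "quarterly_report.doc": (
        b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}"
        b"\\f0\\fs24 Plain text only.\\par}"
    ),
    # Properly named RTF carrying one embedded OLE object.
    "invoice.rtf": (
        b"{\\rtf1\\ansi{\\object\\objemb\\objw100\\objh100"
        b"{\\*\\objclass Word.Document.8}"
        b"{\\*\\objdata 01050000020000000b000000}}\\par}"
    ),
    # Not RTF at all.
    "notes.txt": b"just a text file",
}

# Matches the "{\*\objclass <ProgID>}" group that names an embedded object's class.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass ([^}]+)")


def is_rtf(data: bytes) -> bool:
    """Every RTF document starts with the '{\\rtf' group (usually '{\\rtf1')."""
    return data.lstrip()[:5].lower() == b"{\\rtf"


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a verdict record for one attachment.

    Verdicts:
      not-rtf             bytes are not an RTF document
      embedded-objects    RTF with one or more OLE objects: hold for review
      extension-mismatch  RTF content under a non-.rtf name, no objects
      plain-rtf           RTF with no embedded objects
    """
    ext = Path(name).suffix.lower()
    if not is_rtf(data):
        return {"name": name, "rtf": False, "objects": 0, "classes": [],
                "ext_mismatch": False, "verdict": "not-rtf"}
    # Each embedded object carries exactly one \objdata destination.
    objects = data.count(b"\\objdata")
    classes = [m.decode("ascii", "replace").strip()
               for m in OBJCLASS_RE.findall(data)]
    ext_mismatch = ext != ".rtf"
    if objects:
        verdict = "embedded-objects"
    elif ext_mismatch:
        verdict = "extension-mismatch"
    else:
        verdict = "plain-rtf"
    return {"name": name, "rtf": True, "objects": objects, "classes": classes,
            "ext_mismatch": ext_mismatch, "verdict": verdict}


def triage_all(samples: dict) -> list:
    """Triage every (name, bytes) pair and return the verdict records in order."""
    return [triage_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for rec in triage_all(SAMPLES):
        print(f"{rec['name']:22} {rec['verdict']:19} "
              f"objects={rec['objects']} classes={rec['classes']}")
```

The script deliberately does not try to decide whether an object is malicious; embedded objects are common in legitimate documents, so the useful output for a defender is the list of files that deserve a closer look (or a sandbox detonation) and the object class each one carries, rather than a block/allow decision.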
The researchers at Palo Alto Networks ask that Skype users not give permission for 'explorer.exe' to use Skype, as this is how the T9000 malware gains access to Skype in order to record victims’ Skype calls, video and text chats.
Interestingly, Microsoft is already on the case!
They’ve already released an update for Windows Defender to deal with the T9000 Trojan, as reported in the article “Microsoft plays John Connor to destroy the T9000 Skype Terminator”, published Monday February 08 2016 by Chris Merriman, The Inquirer.
According to Microsoft, they've got it under control, as relief is only an automatic update away, quote: “To further protect our customers, we’ve added detection for the malicious software known as T9000 to Windows Defender. Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and to use the latest version of Skype”.
Fellow Skype users, stay safe and avoid being caught by the T9000 ..... as he'll be back, Terminator style!