How T9000 Trojan malware discovered by the Palo Alto Networks spies on Skype calls

“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool”

Researchers at Palo Alto Networks commenting on the T9000 malware that affects Skype users

Skype users, there is a T9000 Terminator on the loose that's stealing your data.

Researchers at Palo Alto Networks have discovered a malware that can screenshot and record victims’ Skype calls, video and text chats as reported in the article “New Skype Malware Records Users’ Audio, Video, Text Conversations While Evading Detection By Leading Security Tools”, published  Monday February 8th 2016 by Cammy Harbison, iDigitaltimes. 

The malware, dubbed T9000, is basically a Trojan horse upgrade to the T5000 malware that targets Microsoft windows machines back in 2014. Also called Plat1 or Grand Theft Auto Panda, it was also famous for spying on skype calls as explained in “Skype users targeted by info-stealing malware” , published Feb 8 2016 By Juha Saarinen, ITNews. 

So how is this version of Grand Theft Auto Panda malware more dangerous?

Palo Alto Networks finds T9000 Trojan malware that spies on Skype calls - Stealth mode detects antivirus and evades them

This time around, the T9000 has a new trick up its sleeve; it can detect other antivirus programs running on the computer it infects as noted in the article “T9000 malware records Skype calls, screenshots, and text messages to steal data”, published February 8, 2016 By Danny Palmer, ZDNet.

It can detect some twenty four (24) different antivirus programs and actually change how it installs itself to avoid detection as pointed out in “Skype users warned of T9000 malware threat that records video and text chats”, published 09 Feb 2016 by Chris Merriman, V3.

The programs that it can avoid include:

1.      AhnLab

2.      AVG

3.      Avira

4.      Baidu

5.      BitDefender

6.      Comodo

7.      DoctorWeb

8.      Filseclab

9.      GData

10.  INCAInternet

11.  JiangMin

12.  Kaspersky

13.  Kingsoft

14.  McAfee

15.  Micropoint

16.  Norton

17.  Panda

18.  Rising and Qihoo 360

19.  Sophos

20.  Tencent

21.  Trend Micro

22.  TrustPort

23.  VirusChaser

Because of this new ability, researchers at Palo Alto Networks have christened it an active “backdoor” to Skype. The Researchers at Palo Alto Networks are saying who made it, but if it’s an upgrade to the T5000 malware from 2014, it might be the work of a cyber-espionage group suspected to have Chinese Government.

So how does this malware get to infect your computer in the first place?

T9000 Trojan malware phishing trip - avoid explorer.exe requests and upgrade Windows Defender

It starts of real simple in the form of a phishing trip!

It'll infect your system via a suspicious email with an innocuous RTF (Rich Text format) file that you'll probably not think twice about clicking on. After all, it’s just a document file you think, right?

But once you open the file, it gets to work, rolling out two (2) powerful exploits. First it scans the entire computer to detect what types of antivirus programs are running on the computer. Once it detects the system's defences, it then alters the way it installs itself onto the computer in order to evade detection.

The Researchers at Palo Alto Networks ask that users of skype should not give permission for 'explorer.exe' to use Skype, as this is how the T9000 malware gains access to skype in order to record victims’ Skype calls, video and text chats.  

Interestingly, Microsoft is already on the case!

They’re already released an update for Windows Defender to deal with the T9000 Trojan as reported in the article “Microsoft plays John Connor to destroy the T9000 Skype Terminator”, published Monday February 08 2016, By Chris Merriman, The Inquirer.

According to Microsoft, they've got it under control, as relief is only an automatic update away, quote: “To further protect our customers, we’ve added detection for the malicious software known as T9000 to Windows Defender. Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and to use the latest version of Skype”.

Fellow Skype users, stay safe and avoid being caught by the T9000 .....as he'll be back, Terminator Style!