Skype isn’t exactly immune to malware and spam, but criminals are hoping that its users are perhaps less vigilant about clicking through on random links sent to their accounts. According to multiple reports from security firms, as well as from a community forum thread on Skype.com, the popular communications service is the latest target of a malicious online worm. The worm, identified as “Dorkbot,” has previously infected both Twitter and Facebook, and is known to send out messages that use social engineering tactics to trick users into clicking on links.
For example, if anyone has ever tweeted or messaged you with some variation on “lol is this your new profile pic?” followed by a link, that could have been the Dorkbot worm in action. In security firm Trend Micro’s blog post today, researcher Rik Ferguson refers to the Skype worm as “spreading fast.” He says users have seen messages in both English and German, and that the links point to a download on Hotfile.com labeled as “Skype_todaysupdate.zip,” containing the payload.
While the emergence of the worm is now leading to several media reports – yes, such as this one – the good news, at least according to competing firm Sophos, is that the worm is not all that widespread on Skype just yet. Sophos tells us that their investigation into the scale of the attack is still underway (as is Trend Micro’s), but so far, they’ve only seen a small number of reports. Still, the firm hedges that they may not have the full picture, since their software is for home users, not for businesses. Historically, however, there have been many variants of the Dorkbot attack on other social networks, and it can also spread on USB sticks and via IM.
The worm’s payload is rather vicious – after compromising the affected machine, it joins the machine to a botnet and locks users out of their computer. While in the past, Dorkbot went after user credentials, this new attack uses what’s known as “ransomware.” Users are informed that their files have been encrypted, and are warned they’ll be deleted if they don’t pay $200 within 24 hours. Sophos’ Graham Cluley describes this as being like “kidnappers shooting hostages one by one, if their demands aren’t met…it’s really creepy, unpleasant behavior – and sadly becoming more common,” he says.
As always, both firms remind users (for like the millionth time) not to click on unexpected links. Unfortunately, those who need to hear that message aren’t generally reading tech blogs. They’re reading Yahoo Answers…sigh.
We reached out to Skype for additional information on the worm’s status first thing this morning, but have yet to hear back. Likely, the response, when and if received, will be something along the lines of the worm not being widespread, or affecting a small number of users, as is usually the case with official statements.
Update, 2 PM ET: Skype has responded with the following statement:
Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.
Update, 3:30 PM ET: Some more exact figures: Trend Micro is now seeing upwards of 400 detections in less than 12 hours, across every continent with a relatively even spread. This figure is from detections among those using its products.
Image credit: Sophos
