SophosLabs has identified a mutated Koobface worm that is apparently capable of hacking into Skype accounts. According to researcher Numaan Huq, the new Koobface variant executes various API commands to harvest personal data from Skype users.
“W32/Koobfa-O collects information about the user such as HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME, PSTN_BALANCE etc. The collected information is dumped into a file which is packed as a RAR archive and either emailed or uploaded to a remote server,” Huq wrote in an official blog post.
“The worm then logs on to Skype chat as the user and starts a conversation with friends online. In the body of the worm there are snippets of conversation in 18 different languages including some Asian languages.”
Huq explained that the worm’s “lexical” abilities were limited to spewing arbitrary “conversation pieces” into chat windows.
“This will be because the worm supports conversation in 18 languages, and it is too complicated to do a lexical analysis for the different languages. It is easier to just randomly chat,” said Huq. “The worm will also paste a link to a compromised domain in the chat conversation, visiting which will download W32/Koobfa-O.”
Koobface – which began its nefarious career compromising Twitter accounts – currently targets a number of social networking sites, including Facebook, MySpace, Bebo, hi5, GeoCities and Friendster.
However, the W32/Koobfa-O variant has also set its sights on Blogger, Wikipedia, YouTube, Yahoo and Google.
“The worm doesn’t do much except look to see if some information (possibly credentials) exists for these domains. But is this a promise for the future? Clearly as social networking and collaborative sites/tools multiply in number and become bigger, more malware will attempt to take advantage of them,” added Huq.