Victims become entangled in a network of compromised machines

Oct 5, 2012 11:29 GMT

GFI Labs experts have noticed a malicious campaign that spams unsuspecting Skype users and relies on a nasty piece of malware to pull their machines into a network of compromised computers.

It all starts with a simple message that reads something like this: “lol is this your Skype profile pic? Goo.gl/[URL parameter]”.

Although the initial download links have been taken down and the first shortened URL has been disabled, the cybercriminals who run this operation don’t seem to be willing to give up just yet.

They’re abusing Google’s URL shortening service in an effort to keep the campaign running.

When users click on one of these links, they’re served a file called “skype_02102012_image.exe,” which hides a piece of malware identified by GFI solutions as Trojan.Win32.Generic!BT. Once it’s executed, the malicious element starts making DNS requests to various .com, .pl and .kz domains, but not before the executable file deletes itself. At this point, the victims’ accounts start spamming their contacts with the “lol” message.

The researchers continue to investigate this threat, but the network traffic contains references to some IRC channel names that might be somehow connected to it.
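An added detection example, not from GFI Labs or the original article: it scans web-proxy logs for downloads named like the file above and links each one to a preceding goo.gl request from the same client. The log format, hosts, addresses and the generalised “skype_<8 digits>_image.exe” pattern are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, client, URL); not real traffic.
SAMPLE_LOG = """\
2012-10-05T09:14:02 10.0.0.21 http://goo.gl/EXAMPLE1
2012-10-05T09:14:05 10.0.0.21 http://files.example.net/dl/skype_02102012_image.exe
2012-10-05T09:20:11 10.0.0.34 http://goo.gl/EXAMPLE2
2012-10-05T09:20:15 10.0.0.34 http://news.example.org/index.html
2012-10-05T11:02:40 10.0.0.21 http://cdn.example.com/skype_setup.exe
2012-10-05T11:30:00 10.0.0.50 http://files.example.net/dl/SKYPE_05102012_IMAGE.EXE
"""

# Assumption: later waves keep the skype_<8 digits>_image.exe naming scheme.
LURE_FILE = re.compile(r"(?:^|/)skype_\d{8}_image\.exe$", re.IGNORECASE)
SHORTENER_HOSTS = {"goo.gl"}

def find_lure_downloads(log_text, window=timedelta(minutes=5)):
    """Return (client, file_url, short_url_or_None) for each lure-named download.

    short_url is set when the same client requested a shortener URL within
    `window` before the download, matching the click-then-download chain.
    """
    last_short = {}  # client -> (time, short URL) of the latest shortener hit
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, client, url = parts
        when = datetime.fromisoformat(stamp)
        target = urlsplit(url)
        if (target.hostname or "").lower() in SHORTENER_HOSTS:
            last_short[client] = (when, url)
        elif LURE_FILE.search(target.path):
            seen = last_short.get(client)
            linked = seen[1] if seen and when - seen[0] <= window else None
            hits.append((client, url, linked))
    return hits

if __name__ == "__main__":
    for client, url, short in find_lure_downloads(SAMPLE_LOG):
        print(client, url, "via", short or "no recent shortener request")
```

A hit with no linked short URL still deserves triage, since the link may have been opened outside the proxy's view.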