In Web Threat Spotlight Issue 64 TrendLabs looks at a recent Skype spam campaign where messages included a URL (masked by a shortened URL) which lead to a new IM worm.

1. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 64
MAY 24, 2010
Skype: A New Avenue of Old Tricks
URL shorteners are just one of the many technologies born in the Web 2.0 era. The kind of service they provide, that is, shortening URLs to a
more compact and understandable form, have no doubt made information sharing a breeze for any Internet user. A Wikipedia entry cited a
number of reasons why anyone should use this service, most of which are good. URL shortening was, after all, not designed to trick users into
falling for malicious schemes but cybercriminals still managed to turn them into tools of their trade.
The Threat Defined
Shortened URLs in Skype Point to New Worm
TrendLabsSM engineers recently got wind of a new Skype spam
campaign. The spammed message was reported to have come
from the Skype users’ contacts. Each message sported the format
“fotooo ha :P {random URL}.” In a spam sample TrendLabs
engineers analyzed, one of the random URLs appeared as a
TinyURL link from which a worm binary named slika.exe aka
WORM_PALEVO.AZA could be downloaded.
WORM_PALEVO.AZA is an instant-messaging (IM) worm capable
of connecting to remote servers in an attempt to contact its creator
in order to receive commands. It can also download other possibly
malicious files and terminate the Windows update service,
wuauserv.
Apart from affecting Skype users, the attack was also found to be
capable of affecting Yahoo! Messenger users. Figure 1. Sample Skype spam
Recycled Resource
Cybercriminals seem to be using Skype as their weapon of choice in order to distribute malware, as prior to this
particular attack, the IM-and-VoIP-application-in-one was also used in another pump-and-dump attack just this
February, following a list of older Skype-related attacks, including the following:
 “New KOOBFACE Variant” Targets Skype
 Trojan Targets Skype Users
 Voice-Over-Net-AGE Phished!
Using URL-shortening services is no longer new, as this April, TrendLabs also recovered binary samples taken from
links in messages sent via Yahoo! Messenger and MSN that led to the download of WORM_BUZUS.AG and
WORM_KOOBFACE.ZD.
User Risks and Exposure
An independent monitoring group recently hailed Skype as the most popular IM client compared with Tencent QQ,
Windows Live Messenger, and Yahoo! Messenger. With 560 million registered users worldwide, it is thus not
surprising that cybercriminals continue to leverage Skype to spread malicious files, not discounting the fact that the
number of IM users is expected to steadily increase by 2 million each year from 2010 to 2013.
1 of 2 – WEB THREAT SPOTLIGHT

2. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
There is no doubt that instant messengers have become part of every Internet user’s life as a means to interact with
people all over the world. In fact, Skype and similar applications are no longer limited to personal use. They have
transcended to become business tools, too.
Figure 2. WORM_PALEVO.AZA infection diagram
Just because the instant messages one receives come from people in his/her contact list does not mean he/she
should let his/her guard down. Recipients of suspicious instant messages should still refrain from clicking links in
messages—regardless of platform (e.g., email, instant message) or source (i.e., known or unknown)—as doing so
could lead to system infection.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this attack, Smart Protection Network protects Trend Micro product users by preventing access to malicious sites
whose links appear in spammed instant messages via the email reputation service. File reputation service, on the
other hand, detects and prevents the execution of the malicious files—WORM_PALEVO.AZA, WORM_BUZUS.AG,
and WORM_KOOBFACE.ZD—on user systems.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/spam-sends-malicious-links-to-skype-users/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALEVO.AZA
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUZUS.AG
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KOOBFACE.ZD
Other related posts are found here:
http://en.wikipedia.org/wiki/URL_shortening
http://en.wikipedia.org/wiki/TinyURL
http://www.answers.com/topic/pump-and-dump
http://blog.trendmicro.com/pump-and-dump-spam-makes-a-comeback-on-skype/
http://blog.trendmicro.com/new-koobface-variant-targets-skype/
http://blog.trendmicro.com/trojan-targets-skype-users/
http://blog.trendmicro.com/voice-over-net-age-phished/
http://royal.pingdom.com/2010/04/23/amazing-facts-and-figures-about-instant-messaging-infographic/
2 of 2 – WEB THREAT SPOTLIGHT