Skype users, beware of new T9000 trojan

10 Feb 2016

Skype users are at risk of being infected with a new trojan dubbed T9000 that can record video calls, audio calls and chat messages.

Researchers at Palo Alto Networks discovered the new type of backdoor malware and explained that once installed it can evade detection by many popular antivirus systems, including some big names such as Kaspersky and Panda.

The full list from Palo Alto of security firms whose software it can dodge is: Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPort, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising and Qihoo 360.

T9000 is a new variant of T5000, first spotted in 2013. The payload is hidden inside spearfishing emails with an infected .rtf document, but is sophisticated enough to get in through other means when its controllers have the will.

Once installed the software can record Skype calls and upload them along with text chats to a server. It can also take regular screenshots. The only saving grace is that a user has to give it permission, albeit unknowingly.

An API request asking for permission for explorer.exe to access Skype appears. In reality this should never be needed so it should be quite clear it's dodgy.

The researchers explained, "The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may allow this access without realising what is actually happening. Once enabled, the malware will record video calls, audio calls and chat messages."

A computer with granted permissions could also have documents stolen, even on removable drives.

Skype is used more and more by businesses as part of the Office suite, so there is the potential for hackers to uncover potentially lucrative information.

Palo Alto has published a list of indicators that your machine is infected as the sheer complexity and audacity of T9000 means that prevention is more or less the only form of protection at the moment.

Meanwhile, Microsoft has said that it protects users from the malware with security updates. ''To further protect our customers, we've added detection for the malicious software known as T9000 to Windows Defender," the firm said.

"Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and to use the latest version of Skype."