UPNetwork  

Old 02-01-2014, 11:41 PM   #1
Talon87
Skype Malware in Advertisements

Friendly caution to not sign in to Skype right now (or, if you've already signed in, to sign out for the time being). Their rotating ads have been compromised by hackers and a malicious advertisement will pop up and forcibly direct your web browser to a scam site. Skype/Microsoft is being pretty quiet for the time being (while they investigate) as to whether people's computers have been compromised or not. In my own experience just now, both times the page loaded this is what I saw:


It went instantaneously to that 500 error page (no splash pages beforehand, no attempts to go anywhere else after), so I'm optimistic that either their server was down at the time (w007) or else my anti-script Firefox plug-ins did their job protecting me (double w007). Either way, not everyone's been so lucky:

Skype.com thread 1
Skype.com thread 2
Skype.com thread 3

As you can see, some people report having actually seen the scam site load, prompting them to purchase software and such. Soooooooo ... yeah. Not sure if I'm in the same boat as those people (despite not seeing anything load) or what, but either way, I don't want you to have to worry about it period.

Signed in already? Sign out 'til this is fixed.

Not signed in yet? Good. Keep it that way until this is fixed.
Old 02-01-2014, 11:43 PM   #2
Deebs
Been on Skype all day and haven't had problems, so I dunno. It's been buggy today, but I'm not sure it's related.
Old 02-02-2014, 12:21 AM   #3
The Morg
All I ever get are ads showing butts in yoga pants.

...Context-based targeting?
Old 02-02-2014, 12:45 AM   #4
Talon87
No, but seriously: judging from the discussion here, it sounds like I may be up Shit Creek without a paddle along with loads of other users of the service:
Quote:
I had that site open in chrome Thursday night. It gave me a 500 internal server error though.

I wonder if I'm ok
Quote:
Its a false page. I got it too, the html source: http://puu.sh/6GGzU.jpg
Quote:
What is the purpose of that? Is there a payload not pictured?
Hoping the answer will be, "Noooooo? ^^;" but pretty glumly sure the answer's going to be, "Yes, of course." Blegh.
Old 02-02-2014, 12:55 AM   #5
lilboocorsola
About a month ago I started getting redirects in a new browser tab to some image that asked me to take a survey, which I believe traced back to Skype advertisements. Did a virus scan but didn't find anything related to it, and my brother seemed to think it was harmless. Still, it was annoying so I tried installing the new version of Skype, and the pop-ups went away after that. *shrug* Haven't had any problems since then/today.
Old 02-02-2014, 08:39 AM   #6
Concept
Thanks for the heads up man.
Old 02-02-2014, 10:21 AM   #7
Talon87
Not too much in the way of an update from the Reddit crowd. One guy has this to share:
Quote:
The payload is a very rapid load iframe that redirects to that page again. I haven't gotten it to successfully infect any of my sandboxes though... so.. yeah. I think it might be an IE only thing, firefox/chrome it just won't work on. Haven't bothered spinning up VM's to see what the deal is.
If true, this is a little comforting, though it's still not the ironclad "You're clean" diagnosis I was hoping for. As you can see from my screencap up top, my default browser is Firefox and that's what Skype attempted to open a window in last night. Again, I'm not sure whether it was NoScript doing its job (possible!) or what this guy says about the malware only working through Internet Explorer (also possible!), but so long as the end result is that I didn't get any permanent damage on the computer, I'm happy for myself.

Small comfort to any compromised users who opt to use Internet Explorer though. :\

As for the official Skype threads, there's been no progress since last night.
Old 02-02-2014, 10:36 AM   #8
lilboocorsola
This morning I tried opening Skype and IE and got one of those redirects to "critical processes have been found on your PC, perform a scan now". Immediately closed it and Skype, running an actual virus scan now.
Old 02-02-2014, 10:48 AM   #9
OkikuMew
I've been on Skype yesterday and this morning, and still haven't seen anything.

Well, to be honest, I did get a piece of malware yesterday morning, but at that time I hadn't even launched Skype yet; it's just that I updated one of my programs and said update had malware -_-;
Old 02-02-2014, 10:51 AM   #10
The Morg
Quote:
Originally Posted by lilbluecorsola View Post
This morning I tried opening Skype and IE and got one of those redirects to "critical processes have been found on your PC, perform a scan now". Immediately closed it and Skype, running an actual virus scan now.
Huh, you actually use IE? No wonder you have so many virus problems. :V
Old 02-02-2014, 11:09 AM   #11
lilboocorsola
Quote:
Originally Posted by The Morg View Post
Huh, you actually use IE? No wonder you have so many virus problems. :V
Please don't start with this.
Old 02-02-2014, 11:14 AM   #12
Concept
We had this argument in ASB TO the other day; the major factor which dictates how secure browsers are is how profitable finding exploits would be which in turn means how popular they are. With Chrome now having a market share almost the size of IE and Firefox combined (depending on who's measuring it varies but this is a good estimate), it's quickly becoming the least secure one.
Old 02-02-2014, 11:46 AM   #13
Talon87
Quote:
Originally Posted by Concept View Post
We had this argument in ASB TO the other day; the major factor which dictates how secure browsers are is how profitable finding exploits would be which in turn means how popular they are. With Chrome now having a market share almost the size of IE and Firefox combined (depending on who's measuring it varies but this is a good estimate), it's quickly becoming the least secure one.
Yeah, I didn't want to get involved in that debate since, well, ASB TO and what not, but ... you said some things in that discussion which I didn't agree with and which I feel could potentially lead people astray.

You made the argument that "The more popular the browser, the less safe it is." The reasoning of course being that hackers are motivated to invest their time and energy on projects which hit the greatest number of targets. So obviously you'd rather research how to break (say) Google Chrome than research how to break (say) Amazon Horizon (make-believe). The problem, though, is the nature of the browsers' demographics and install bases, which is to say:
  1. Who is using these programs?
  2. On which computers are these programs installed, regardless of frequency of usage?
Something with a large install base will prove more popular than something with a small install base, all other things being equal. But all other things are not equal. Consider:
  • Windows XP retains a 29% market share of all Windows operating systems.
  • But according to Steam demographics, Windows XP only makes up for 6% of their userbase.
How are those facts reconciled? Easy: schools, businesses, and casual computer users. Is Steam installed on your work or school computer? No. Are you playing Steam games at work or during school? Probably not. (There's always that one cocky kid who evades the sysadmin's privileges and installs crazy shit on his school computer account, but aside from him ...) So consider this: while Windows XP might seem like a terrible target from a Steam stats perspective, it's a juicy enough target (over one-quarter of the market) from a raw usage perspective -- and it's a hell of a juicy target if what you're specifically after is small-budget businesses who don't have the money or motivation to overhaul their computers to Windows 7 or 8 and are still running on XP. Or if your target is Casual Ma and Pa who are still running Windows XP and don't know a thing about computer security.

It's a similar situation with web browsers. While most people don't often include Safari in discussions about which web browser they use -- you almost always only hear it framed in terms of IE, Firefox, and Chrome -- Safari has an insane install base thanks to its mandatory inclusion on all iOS devices. That makes it a plenty good target for mischief, especially since you have no say in the matter on devices like non-jailbroken iPhones: you have to use Safari if you want to browse the Internet. Likewise, Internet Explorer may be shat upon by us nerds, and general usage statistics may indicate that it's fallen far behind Google Chrome ... but the reality is that while Google Chrome is only installed on perhaps 50% of PCs, Internet Explorer is installed on all PCs running Windows.

Pulling back to your "the more popular, the less safe" argument, there's a second problem with that way of thinking that needs addressing. And that's the matter of just how on top of the ball the browser's tech team is. Popular or not, if the tech team managing the browser is a lumbering tortoise that takes forever to respond to security breaches, responds in incompetent ways, etc, then that's no good. Vice versa, if the team is highly competent, highly trained, and incredibly on the ball, then you could be using the world's #1 most-used web browser and you still might be safer than you would be with other options. A good example of this would be comparing Google Chrome with Internet Explorer. While I think it's fair to say that Chrome has become a huge target for hackers, I think it's also worth pointing out that Google Chrome's security team is perhaps only rivaled by Firefox's. The analogy you might use is that of a world leader: is he the least safe man in the world (as a target for numerous assassins)? Or is he the safest man in the world (as his every move is monitored by numerous security operatives)? The man who threw his shoe at President Bush managed to do that despite security's best efforts ... but did he manage to shoot him with a firearm? Would he have had an easier time of shooting some generic Iraqi citizen? I see browser security in a similar vein. Google Chrome is like a world leader: highly targeted but rigorously protected. Internet Explorer is more like that generic citizen: perhaps it's not quite as appealing a target, but damn if it's not a right deal easier.
Old 02-02-2014, 11:46 AM   #14
Raves
That explains the irritating popups I've been having. Thankfully I run FF so I'm safe enough, but logged outta Skype anyways.

Not that I fucking use the thing, of course...
Old 02-02-2014, 12:30 PM   #15
Talon87
Quoting from the Skype forum:
Quote:
Open up your local appdata folder (C:\Users\[username]\AppData\Local) and turn on both hidden files and system files. Go into \Microsoft\Windows\Temporary Internet Files\Content.IE5
Delete all of the folders there (one of them contains a jpg that is the ad; everything will be regenerated as necessary, but as the ad comes from the internet we need to delete the local copy).

Now open up your Hosts file (C:\Windows\system32\Drivers\etc) and add this line:

127.0.0.1 ads1.msads.net

Save (might have to save to the desktop and then move the file) and restart Skype. The ad will not be able to redownload leaving Skype unable to display it.
Notice what he says:
Quote:
one of [the folders] contains a jpg that is the ad, everything will be regenerated as necessary, but as the ads comes from the internet we need to delete the local copy.
It's a shame that he doesn't specify the name of the folder or picture file (so you could know with certainty whether you'd been infected or not), but he is confirming that the malicious advertisement does plant an image file in your hard drive that needs dealing with.

So go deal with it.
Old 02-02-2014, 12:52 PM   #16
lilboocorsola
Hrm. I didn't see anything in "Content.IE5" (the folder doesn't even show up in Temporary Internet Files), and I can't seem to edit/save the hosts file either, even when accessing from an admin account. Is it different for Windows 8? Should I even be worried if there's nothing there?

Edit- Okay, fixed the hosts file at least. Should I just delete everything in Temporary Internet Files anyway?

Last edited by lilboocorsola; 02-02-2014 at 01:00 PM.
Old 02-02-2014, 01:03 PM   #17
Talon87
His directions didn't work for me either (Windows XP), so here was what I had to do:

Part 1. Temp
1. Go to C:\Documents and Settings\[username]\Local Settings\Temp
2. Delete everything there.

Part 2. Temporary Internet Files
1. Go to C:\Documents and Settings\[username]\Local Settings\
2. Manually append "Temporary Internet Files" (sans quotes) to the end of that path
3. Hit Enter, and enter into the folder so secret it doesn't even show up when you have told Windows to show all hidden files and folders -.-
4. Take one of two courses of action:
  1. In my case, I have some files there that I don't want deleted just yet, so I manually selected every single file that was last accessed, modified, or anything between January 29, 2014 and the present. I then deleted these files.
  2. In other people's cases, if you just want to clear your Temporary Internet Files folder completely, then go for it: delete every last file in there.
I was both astonished and disgusted by how many files that folder contains that were placed there by Skype. An unbelievable percentage, somewhere between 50% to 80%. I know, a rather large window, but I'm saying that absolute minimum it was like 50% Skype files. Insane.
Old 02-02-2014, 01:11 PM   #18
lilboocorsola
Did the first one, the second one gave me "Access is denied" on both local and admin account. Maybe it just doesn't exist on Win8?
Old 02-02-2014, 01:11 PM   #19
Talon87
Double post. Forgot to circle back around for Content.IE5. It's the same drill as before.

Part 3. Content.IE5
1. Go to C:\Documents and Settings\[username]\Local Settings\
2. Manually append Temporary Internet Files and hit Enter.
3. Manually append Content.IE5 and hit Enter.

Inside I found six folders and one file. The file is a DAT file named index. Five of the folders report being empty. One folder, named 5Z2189N7, reports containing a single file called v[2].htm which is apparently 36.4 KB in size. I deleted everything in there. EDIT: Well, everything but the DAT file. It won't allow me to. Says it's in use. Seeing as it was created on July 14, 2007 -- probably the day I built this computer -- I believe it.
Old 02-02-2014, 01:11 PM   #20
DaveTheFishGuy
Do you have to do all this if you haven't signed into Skype since last night?
Old 02-02-2014, 01:17 PM   #21
Talon87
Quote:
Originally Posted by DaveTheFishGuy View Post
Do you have to do all this if you haven't signed into Skype since last night?
According to people in the Skype community forum, the problem first surfaced two days ago (Friday, January 31), not yesterday (Saturday, February 1). So I guess I'd say that if you've been on Skype in the last 60 hours and noticed that a window popped up during your session (either asking you to buy software or else reporting that 500 server error), you should probably do this to try and be safe. It still hasn't been revealed what the malware does, let alone how it infects computers, how you know whether you've been infected or not, etc. The steps listed above seem to be goodwill advice: they don't strike me as being 100% confidently curative.
Old 02-02-2014, 01:18 PM   #22
DaveTheFishGuy
Fair. I didn't have any problems with popups but then again I'm anti-virused up to the hilt, will see if I get anything back from a quick scan.
Old 02-02-2014, 01:21 PM   #23
lilboocorsola
Found "Content.IE5" under a folder called "Low" in C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files. Deleted everything in there. Do I still need to do step 2?
Old 02-02-2014, 01:27 PM   #24
Talon87
Quote:
Originally Posted by lilbluecorsola View Post
Did the first one, the second one gave me ""Access is denied" on both local and admin account. Maybe it just doesn't exist on Win8?
If it's saying access is denied, that would indicate that the folder exists but that you just aren't allowed in. If the folder didn't exist period, you would be given a different error message, I would think. For instance, this is the error message that I get when trying to access a folder that does not exist:
Quote:
Cannot find 'file:///C:/Documents and Settings/mintchocolateicecream/Local Settings/Temporary Internet Files/Content.IE5'. Make sure the path or Internet address is correct.
It doesn't tell me that I am denied access. Rather, it tells me, "I can't find what you asked me for. Are you sure you typed your request in correctly?" The fact that you're being told "ACCESS DENIED!" suggests to me that either:
  1. You lack sufficient privileges on your account to access that folder. (In which case you need to ask your brother to take a look at it.)
  2. Some malware on your computer doesn't want you going in there and so it has locked you out.
You could probably get to the bottom of this by Googling the error message it gives you, your operating system version, etc. I'm sure other people out there have had the same experience as you and reported it. See what they were told. Maybe it really is as simple as, "LOL! That file path doesn't exist on Windows 8, silly!" and Windows 8 weirdly informs you of non-existent file paths by suggesting they might exist but you're not allowed in. ^^;

Quote:
Originally Posted by lilbluecorsola View Post
Found "Content.IE5" under a folder called "Low" in C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files. Deleted everything in there. Do I still need to do step 2?
I think you should. The line you added to your hosts file mentioned a particular domain name. Well, I see in the screencaps I took of my files (before deleting them) that I had several JavaScript files in my Temporary Internet Files folder from that domain name. Example:
Quote:
dapmsn | https://ads1.msads.net/library/...
Quote:
microsoft.adve... | https://ads1.msads.net/library/...
I also see files with names that are hilariously ambiguous. Could be perfectly safe and ordinary! Could be a lazily-named bit o' hackery! For example, there was an HTML file named "frame-hider". Well, are you hiding frames for good? Or are you hiding frames for evil? It's probably good, but why take the risk? Every last file in your TempIntFiles folder can be deleted. So go for it.

Last edited by Talon87; 02-02-2014 at 01:34 PM.
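The cleanup advice in this thread comes in two parts: the hosts-file line quoted from the Skype forum (post #15) and the manual triage of Temporary Internet Files by date (post #17) and by source domain (post #24). The script below is an added example, not code from any of the posts, that does both checks in a repeatable way: the hosts edit is idempotent, so running it twice does not duplicate the line, and the cache triage only reports what would be deleted rather than deleting anything. The hosts contents, cache records and dates are constructed for the example; only the domain ads1.msads.net is taken from the thread.

```python
"""Constructed example for the Skype malvertising cleanup discussed above.

Two defensive helpers:
  * block_domain_in_hosts: add a loopback sinkhole line for an ad domain to
    hosts-file text without duplicating it on repeated runs.
  * triage_cache: list cached files that came from a blocked domain or were
    written during the incident window, so they can be reviewed and deleted.
Sample data below is constructed; only ads1.msads.net comes from the thread.
"""
from collections import namedtuple
from datetime import datetime
from urllib.parse import urlparse

# Addresses that make a hosts entry a sinkhole rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def _parse_hosts_line(line):
    """Split one hosts line into (address, [hostnames]); comments are ignored."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None, []
    return fields[0], [h.lower() for h in fields[1:]]


def is_domain_sinkholed(hosts_text, domain):
    """True if an active hosts line maps `domain` to a loopback/blackhole address."""
    domain = domain.lower()
    for line in hosts_text.splitlines():
        addr, names = _parse_hosts_line(line)
        if domain in names and addr in SINK_ADDRESSES:
            return True
    return False


def block_domain_in_hosts(hosts_text, domain, sink="127.0.0.1"):
    """Return hosts text in which `domain` resolves to `sink`.

    Idempotent: an existing sinkhole entry is left alone. An active entry that
    points the domain somewhere else is commented out, since the resolver uses
    the first matching line and the sinkhole must win.
    """
    domain = domain.lower()
    out = []
    for line in hosts_text.splitlines():
        addr, names = _parse_hosts_line(line)
        if domain in names and addr not in SINK_ADDRESSES:
            out.append("# disabled by block_domain_in_hosts: " + line)
        else:
            out.append(line)
    if not is_domain_sinkholed(hosts_text, domain):
        out.append(f"{sink} {domain}")
    return "\n".join(out) + "\n"


# One cached file: its name on disk, the URL it was fetched from, and mtime.
CacheEntry = namedtuple("CacheEntry", ["name", "source_url", "modified"])


def _host_matches(host, blocked):
    return any(host == d or host.endswith("." + d) for d in blocked)


def triage_cache(entries, blocked_domains, window_start):
    """Return [(name, reason)] for cache entries that should be deleted.

    reason is "domain" when the file was fetched from a blocked domain (or a
    subdomain of one), otherwise "time" when it was written at or after
    window_start, the point the bad ads were first reported.
    """
    blocked = {d.lower() for d in blocked_domains}
    flagged = []
    for entry in entries:
        host = (urlparse(entry.source_url).hostname or "").lower()
        if _host_matches(host, blocked):
            flagged.append((entry.name, "domain"))
        elif entry.modified >= window_start:
            flagged.append((entry.name, "time"))
    return flagged


# Constructed sample input: a minimal hosts file and a few cache records.
SAMPLE_HOSTS = "# constructed hosts file\n127.0.0.1 localhost\n::1 localhost\n"
SAMPLE_CACHE = [
    CacheEntry("dapmsn[1].js", "https://ads1.msads.net/library/dapmsn.js", datetime(2014, 1, 30, 22, 5)),
    CacheEntry("frame-hider[1].htm", "https://example.net/frame-hider.htm", datetime(2014, 2, 1, 23, 40)),
    CacheEntry("v[2].htm", "https://ads.example.org/v.htm", datetime(2014, 2, 1, 23, 41)),
    CacheEntry("logo[1].png", "https://www.example.com/logo.png", datetime(2013, 12, 1, 9, 0)),
]
INCIDENT_START = datetime(2014, 1, 29)  # first reports in the Skype forum

if __name__ == "__main__":
    print(block_domain_in_hosts(SAMPLE_HOSTS, "ads1.msads.net"))
    for name, reason in triage_cache(SAMPLE_CACHE, ["ads1.msads.net"], INCIDENT_START):
        print(f"delete {name:20} ({reason})")
```

To apply this to a real machine, read the hosts file (on Windows, the path quoted above under C:\Windows\system32\Drivers\etc), pass its text through `block_domain_in_hosts`, and write the result back from an elevated prompt; the "Access is denied" reported in this thread is exactly what an unelevated write to that file produces. Feed `triage_cache` with the names, source URLs and modification times of the files in Temporary Internet Files and review the list before deleting.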
Old 02-02-2014, 01:40 PM   #25
lilboocorsola
Quote:
Originally Posted by Talon87 View Post
Every last file in your TempIntFiles folder can be deleted. So go for it.
Including the "Content.IE5" folder itself? Says it's a system file.