Security Watch | Matt Hines » Bubbles the worm adds keylogger

September 24, 2007 | Comments: (0)

Bubbles the worm adds keylogger

TAGS: Security

As the so-called Bubbles worm continues to wind its way across the Web, passing itself along via the contact lists and chat feature of people's Skype VoIP calling software, researchers have now isolated a far more devious iteration of the virus.

According to experts working on the SpywareGuide blog -- which is run by security vendor FaceTime Communications -- one new version of the threat has moved it from nuisance stage -- it previously posted the "Bubbles" screensaver in Windows onto affected users' machines -- to the nasty stage -- adding a keystroke logging program.

As another twist on the attack, the latest version of Bubbles also appears to take aim at users of the Runescape massive online multi-player game, one that is known to be popular among younger users, specifically teens.

Now, most of you enterprise security readers may think that means you don't have to worry, but it's an interesting bit of social engineering that could easily be used to create subsequent versions that might be aimed at professionals.

You should also consider that people in your company much older than teens may already be playing such games.

(Am I the only one reading this who knows otherwise normal, adult people who need a trip to Worlds of Warcraft anonymous?)

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

So, what if someone did the same thing for LinkedIn, or Salesforce.com or something? Now you get the idea.

Basically, it doesn't matter if you're a gamer or not if you get the virus, because according to the researchers: "it logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll."

Fun, fun. And: "It shows applications that have run, any action taken within the application, any text typed, and any Web sites visited."

Then: "Now that it's effectively stealing every piece of information on the victim PC it's time for the worm to spread to every Skype contact."

Nice.

This is proof positive that something like Bubbles -- believed to be create by a group of young hackers who identify themselves as "Youngsters Against McAfee" (YAM) -- can be quickly and easily manipulated into something much worse, and something that can be used to attack everyone from children to adults.

And while this one only targets the IM chat feature in Skype, most security researchers are saying "stay tuned" when it comes to the development and distribution of more sophisticated threats that attack VoIP itself.

Now ask yourself, is anyone in your company using VoIP software, and what have you done to secure it?

Posted by Matt Hines on September 24, 2007 02:34 PM

RATE THIS ARTICLE: