Beware, Skype users! Backdoor “T9000” is spying on you!

Palo Alto Networks has found a new backdoor that targets users of the popular Skype application. Named T9000, the backdoor can take screenshots of the infected system, steal files and record Skype conversations. According to the researchers it closely resembles the T5000 backdoor detected two years earlier, and it appears to be an evolved variant of that family.

According to the Palo Alto Networks blog post, T9000 has the basic functionality of other backdoors, but its distinguishing feature is that it can capture data that would otherwise be protected by encryption, by taking screenshots and recording Skype sessions directly on the infected machine. Before installing itself it checks for roughly two dozen security products and adapts its installation routine so that those antivirus tools do not flag it. The criminals behind the backdoor are mainly targeting organizations in the United States.

The backdoor springs into action when the victim opens a malicious RTF document. The document exploits two Microsoft Office vulnerabilities, CVE-2012-1856 and CVE-2015-1641, for which working exploits are publicly available. The operators control the backdoor through a command-and-control (C&C) server: once on a system, its first step is to collect basic information about the machine and send it to the C&C server, and the operators then use that information to send commands and instructions back to the backdoor.

The backdoor mainly uses three plugins:

1. qhnj.dat

2. tyeu.dat

3. vnkd.dat

Before sending anything to the C&C server, the backdoor checks which security products are installed on the system and adapts its behaviour to avoid them. It looks for products such as Avira, Rising, Qihoo 360, Tencent, Filseclab, G Data, AVG, Panda, Trend Micro, Micropoint, McAfee, Dr.Web, Kingsoft, Bitdefender, Kaspersky and many more; in practice it recognises almost every widely used security product.

Each of the three plugins is written to do its own job. According to the Palo Alto Networks researchers, the “tyeu.dat” plugin spies on Skype conversations, “vnkd.dat” steals information and files from the system, and the third plugin, “qhnj.dat”, controls the local file system.
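The three plugin file names are the only host-based indicators this article gives, so the first thing an incident responder would do with them is sweep a disk (or a file listing exported from a disk image) for those names. The script below is an added example written for this page, not Palo Alto Networks' code or a tool from their report; the directory layout it builds under a temporary folder is constructed for the demo, and the drop location of the real plugins is not stated in the article.

```python
"""
Sweep a file tree or a list of paths for the three T9000 plug-in names
named in the article: qhnj.dat, tyeu.dat and vnkd.dat.

Added example for this page; not Palo Alto Networks' code. The sample
tree built by build_sample_tree() is constructed and hypothetical.
"""
import os
import tempfile
from typing import Iterable, List, Tuple

# Plug-in file names reported for T9000, mapped to the role the article
# assigns to each one.
T9000_PLUGINS = {
    "qhnj.dat": "local file system control",
    "tyeu.dat": "Skype conversation capture",
    "vnkd.dat": "file / information theft",
}


def match_plugin_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, role) for every path whose base name is a T9000 plug-in.

    Accepts any iterable of paths, so it can consume a live directory walk
    or a file listing exported from a forensic image. Matching is
    case-insensitive because NTFS file names are case-insensitive.
    """
    hits = []
    for p in paths:
        name = os.path.basename(p).lower()
        role = T9000_PLUGINS.get(name)
        if role is not None:
            hits.append((p, role))
    return sorted(hits)


def walk_files(root: str) -> Iterable[str]:
    """Yield every regular file under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


def sweep(root: str) -> List[Tuple[str, str]]:
    """Walk root and report T9000 plug-in hits as (path, role) tuples."""
    return match_plugin_paths(walk_files(root))


def build_sample_tree() -> str:
    """Create a constructed tree mimicking an infected host (hypothetical).

    Includes two decoy .dat/.rtf files that must NOT be reported, and one
    plug-in name in upper case to exercise case-insensitive matching.
    """
    root = tempfile.mkdtemp(prefix="t9000_demo_")
    layout = {
        "Users/victim/AppData/Roaming/Intel/TYEU.dat": b"plugin",
        "Users/victim/AppData/Roaming/Intel/vnkd.dat": b"plugin",
        "Users/victim/Documents/report.rtf": b"{\\rtf1 decoy}",
        "Windows/System32/qhnj.dat": b"plugin",
        "Windows/System32/data.dat": b"benign",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, role in sweep(demo_root):
        print(f"{path}  ->  {role}")
```

A file-name match on its own is only a lead: confirm a hit by checking the file's hash against the report's indicators and by looking for the accompanying Skype API access and C&C traffic before declaring the host compromised.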

Source: Security affairs
