Skype Trojan: Much ado about nothing?

Security experts are becoming increasingly concerned about voice over Internet protocol (VoIP) threats. So when researchers came across a Trojan horse that tries to penetrate the popular Skype program, it was bound to get plenty of headlines.

But some security bloggers aren't so sure this particular malware is worth the hype.

Websense Inc. initially raised the red flag in its blog, warning that Skype users may receive a message asking them to download a file containing a password-stealing Trojan. While other security vendors entered the fray with their own alerts, some -- particularly F-Secure Corp. and CA¬ -- offered a milder assessment of the threat.

"There is something spreading on Skype, but only in limited numbers," F-Secure Corp. Chief Research Officer Mikko Hypponen wrote in the company's blog. "There is no massive outbreak going on. It is not exploiting a vulnerability in Skype, but simply sending chat messages asking you to download and run the infected executable."

CA Senior Researcher Hamish O'Dea wrote in his company's blog that the Trojan is capable of stealing passwords, credit card numbers and other sensitive information. But it appears to need the help of the user in order to spread. Calling it a hyped Trojan that is relatively harmless, O'Dea cautioned users of mistaking the Trojan with a separate, older Skype worm.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected]. Recent columns: Schneier: UCLA breach barely newsworthy Zero-Day Tracker a hit, but IT shops need better strategy Oracle answers its security critics

Pete Cashmore, keeper of Mashable, a blog about social networking programs, acknowledged that he received a copy of the malware.

"Since I have about 300 friends on Skype, it was pretty likely that I'd be sent the file," he wrote. "In fact, the dialog to download sp.exe started to arrive about a week ago." But he added that users must manually click a button to get infected, and that tech savvy users would know better.

Skype expert Andrew Hansen, owner of Virtual Communications Ltd, wrote in his blog that all the chatter about the Skype malware is "complete FUD," or fear, uncertainty, and doubt.

"There are several reports … on a Skype-based worm," he wrote. "This is complete and utter nonsense … Skype, much like Windows' built-in firewall, forces users to make a decision on whether or not to allow a program to access the Skype API. If you didn't install an application that is supposed to work with Skype there is no way to hijack the IM channel in Skype."

The Skype blog acknowledged the malware's existence, but sought to assure users that the threat is minimal. Effective Dec. 20, sites distributing the malware had been taken offline, "effectively stopping further spread of the malware," the blog said.

Maybe the threat has been overly hyped. But that's no cause for people to dismiss the wider concerns that security experts have expressed about VoIP.

Stephen Northcutt, director of training and certification at the SANS Institute, said in a recent interview that VoIP presents a significant security risk.

"If I had my way, I would have the creators of VoIP stop everything and redesign this with security in mind from the get-go," he said.

Seemingly lightweight threats like the Skype Trojan are usually the bad guys' way of experimenting with new attack vectors. There could be more damaging attacks in the future, and IT administrators would be wise to prepare for them.

At the least, the Skype Trojan should serve as a wake-up call.