Earlier this week, I received a phone call via Skype on my laptop, the caller’s ID was “dralerthelpzc8” as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is somewhat similar to the situation where a live person calls and purports to being a Microsoft employee and wants to help you clean your computer. We want to point out that no Microsoft employee would ever call you in an unsolicited manner.)

I found the mystery Skype call odd on two accounts – one, I work for a security company that develops antimalware security software, and two, my Skype settings were initially set to not display if I’m online. Apparently my privacy settings had no effect on if I received a random call. More on that later.

After some checking around various forums about this ‘helpful’ (not!) voice message alert, I discovered that many people in the Skype community have also received similar phone calls. There were a lot of references to “scam” and “rogue AV scanners” so my gut feeling was not too far off at all. I did find some other forums that included screen shots that indicated a tell-tale sign that indeed, the referenced site distributed rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) is listed as belonging to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. There was a cached view available and it resembled a version of a fake scanner web page:

 

cached page sos**.com
Image 1 – cached page sos**.com

 

One forum displayed a screen shot, captured in March, that listed a system tray dialog that looked vaguely familiar. Below is a copy of the message text:

 

Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure

 

This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a CC number to purchase the (presumed to be) rogue malware.

Reviewing the sequence of events, I decided I would make changes to my Skype account to prevent future spam phone calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’


Skype privacy settings
Image 2 – Skype privacy settings


For more articles on Skype security, visit this link on the Skype product site:
http://www.skype.com/intl/en-us/security/

- Dan Nicolescu & Patrick Nolan, MMPC