The T9000 backdoor trojan will take snapshots of Skype users.
The T9000 backdoor trojan will take snapshots of Skype users.

Palo Alto Networks researchers spotted a new, more complex backdoor trojan that is targeting Skype users and which can identify and evade the security software found on the victim's computer.

Palo Alto's Josh Grunzweig and Jen Miller-Osborn, part of the company's Unit 42 research team, dubbed the backdoor T9000 as it is a newer variant of the T5000 backdoor. The researchers noted in a blog post that the T9000's primary function is to gather information on the victim by capturing encrypted data, take screenshots of specific applications

One way the T9000 differs from other backdoor trojans is by being more complicated, using a multi-stage installation program and it has a list of 24 security software products that it checks for during installation enabling the malware to avoid detection.

“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community,” the researchers wrote in the blog.

The primary target for the T9000 has been large organizations, Grunzweig and Osborn said. One reason for this could be the heavy adoption of Skype among businesses that see the face-to-face video software as a useful tool, said Tim Erlin, Tripwire's director of security and risk strategy.

“Users may think of Skype as a valuable channel for exchanging information, but that user value translates into profit for cyber attackers,” he said to SCMagazine.com in an email Monday.

Those Skyping with an infected computer may also find themselves being viewed from afar as the researchers found the trojan periodically snaps images during video calls and just to cover all its bases T9000 also hijacks audio calls storing them as .wav files.

When decrypted, we can see that the malware periodically takes images of the video calls. Audio calls are stored as .wav files.