Dorkbot malware Skype link was clicked 1 million times

  • Liam Tung (CSO Online (Australia))
  • — 11 October, 2012 10:36

The shortened URL that was coupled with the Skype message “LOL, is this your new profile pic[?]” to spread malware was clicked over 480,000 times within two hours, according to a security researcher.

The URL, compacted using Google's "URL shortener", is still getting a small number of clicks and has racked up over one million in four days, according to Kaspersky Lab threat analyst, Dmitry Bestuzhev.

Bestuzhev used the analytics page of Google’s URL shortener (http://goo.gl/) to view how many clicks the original Hotfile link received and where they were made. Most of the clicks came from Russia, followed by northern Europe, the US and Australia.

Nearly half the clicks were generated within the first 48 hours of its release, which means a good portion of recipients of the message — spread between Skype contacts — could have been infected, according to Bestuzhev.

“In just two hours the number of clicks grew up to 484,111 clicks. I’d say most of the people who clicked got infected since the initial Virus Total detection for the malware was only from 2 of the 44 AV engines,” wrote Bestuzhev.

The shortened URL directed potential victims to a “Hotfile” link, which downloaded a ZIP file labelled “skype_06102012_image”. The ZIP contained a malicious executable that installed Dorkbot and a backdoor created using a Java exploit in the Blackhole exploit kit.

One million clicks, however, does not necessarily mean as many infections. Victims would have to run the executable contained within the ZIP to become infected, according to GFI Labs.

GFI reported last Friday that another ZIP file containing malware, dated October 2, was being distributed across Skype last week.

One of several threats it contained was ransomware, which encrypts a victim’s files unless a $200 fee is paid within 48 hours for a bogus offence, and targets US victims.
