Security Social Media

This Trojan Malware Might Be Recording Your Skype Conversations

Philip Bates 13-02-2016

If you’ve got Skype, you’ll want to know about the Trojan T9000.


It’s malware that records your conversations, both video-calls and text messaging, and is virtually undetectable to security suites. And because it’s a Trojan What Is The Difference Between A Worm, A Trojan & A Virus? [MakeUseOf Explains] Some people call any type of malicious software a "computer virus," but that isn't accurate. Viruses, worms, and trojans are different types of malicious software with different behaviors. In particular, they spread themselves in very... Read More , you won’t even know about it.

But it’s actually the latest version of a previous threat detected in 2013 and 2014. So what does this update mean for you? How does it install itself? And what can you do about it?

What Is the T9000 Trojan?


The T9000 Trojan provides backdoor access to your private information, automatically capturing encrypted messages, taking screenshots, recording audio files and documents sent via Skype.

The really worrying thing about it is that its simple code is smart enough to recognize and evade 24 different security suites 4 Things to Consider When Buying a Security Suite McAfee, Kaspersky, Avast, Norton, Panda - all big names in online security. But how do you decide which to choose? Here are some questions you need to ask yourself when purchasing anti-virus software. Read More that might be running on your system upon its own installation. This includes big names like BitDefender Bitdefender Total Security 2016 Giveaway; Parrot Bebop Quadcopter with Skycontroller Bundle! With Bitdefender Total Security 2016 now available, we take a look at how it improves on the previous release, whether it deserves its position at the top of the pile of online security suites for... Read More , Kaspersky, McAfee, Panda, TrendMicro, Norton, and AVG.


Even worse, you’re the one who’s accepted the Trojan. The problem is, many of us have clicked a download without knowing quite what it is, especially on work computers when you think it’s something specifically to do with a job. Indeed, this is exactly the actor vector veing used so far. Palo Alto Networks, who identified the malware, say:

“We have observed T9000 used in multiple targeted attacks against organizations based in the United States. However, the malware’s functionality indicates that the tool is intended for use against a broad range of users.”

The T9000 was apparently distributedthrough a spear phishing campaign email to companies in the USA. These emails typically masquerade as an individual or firm you know, encouraging you to download an attachment, which in truth is dangerous How to Spot Unsafe Email Attachments: 6 Red Flags Reading an email should be safe, but attachments can be harmful. Look for these red flags to spot unsafe email attachments. Read More , and utilises vulnerabilities.

This malware, however, has a multi-installation process that checks whether it’s being scanned by security products 7 Online Security Suites You Can Try Free Today There are several paid security suites to choose from, so how do you decide which is best? Here we look at seven of the best online security suites that you can try for free… Read More at every stage then customizes itself in order to sidestep this detection. Its creators really have gone above and beyond to avoid being found out. (This is a more advanced version of the T5000, which was revealed to have targeted the automotive industry, rights activists, and Asia-Pacific Governments in 2013 and 2014.)

Then the Trojan sits silently on your PC and collects juicy information, sending it automatically to the central servers of the hackers.


Why’s It Doing This? Intelligence!


Josh Grunzweig and Jen Miller-Osborn, researchers at Palo Alto Networks who identified the Trojan, say they uncovered a directory labelled “Intel” on the system of a T9000 victim. And that’s its whole purpose: collect a range of personal details on a victim.

The aim of all hackers is the same: leverage in order to obtain financial gain. This is no different.

The T9000 aims to capture monetary data, trade knowledge, intellectual property, and personal information including usernames and passwords.


You can’t underestimate how important your private data is: even though Personally Identifiable Information (PII) like your name, address, cell number, and date of birth can be sold on the Dark Web Here's How Much Your Identity Could Be Worth on the Dark Web It's uncomfortable to think of yourself as a commodity, but all of your personal details, from name and address to bank account details, are worth something to online criminals. How much are you worth? Read More for surprisingly small amounts, just imagine if a hacker hit the jackpot and gained a whole stash of personal information!

If the T9000 were used to exploit medical institutions 5 Reasons Why Medical Identity Theft is Increasing Scammers want your personal details and bank account information – but did you know that your medical records are also of interest to them? Find out what you can do about it. Read More , that would be particularly concerning.

Though it’s only been exposed as targeting companies, the Trojan could be utilised elsewhere to similar effect – namely, home PCs. For all we know, that’s already how it’s being used. It would certainly still acquire private data, but a further warning must go to anyone using Skype for NSFW chats.

We’ve seen how the so-called “Celebgate” ruined reputations How A "Minor" Data Breach Made Headline News & Ruined Reputations Read More and caused major ripples on the Internet, but you don’t have to be in the public eye to be vulnerable. The Snappening, in which the images of an alleged 20,000 Snapchat users were leaked The Snappening: Hundreds of Thousands of Snapchats May Have Been Leaked Read More online, is a prime example of this.


The abhorrent practise dubbed “sextortion” involves a victim being blackmailed into surrendering money or further adult material; otherwise, whatever content a hacker already has on him or her is released online.

It’s an increasingly-widespread concern, and has even evolved to take further control of the victim Sextortion Has Evolved And It's Scarier Than Ever Sextortion is an abhorrent, prevalent blackmailing technique targeting young and old, and is now even more intimidating thanks to social networks like Facebook. What can you do to protect yourself from these seedy cybercriminals? Read More by tricking them into downloading malware that collects details of family and friends. This allows direct threats of leaking the material to those who the victim might seek solace with.

What Can You Do About It?


According to Palo Alto Networks, the security suites The 5 Best Free Internet Security Software for Windows Need antivirus, anti-malware, and real-time security? Here are the best free internet security software for Windows. Read More the T9000 checks for include the following big names:

  • Sophos
  • Comodo
  • Norton
  • AVG
  • McAfee
  • Avira
  • BitDefender
  • Kaspersky

In addition, it also adapts to these less-well-known security solutions: INCAInternet, DoctorWeb, Baidu, TrustPortAntivirus, GData, VirusChaser, Panda, Trend Micro, Kingsoft, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Rising, and 360.

If you’re an average user, you probably have one of those running. But don’t panic.

Here’s the most important thing: beware any Rich Text Format (RTF) files in your email inbox. Those used to deliver the T9000 Trojan take advantage of the CVE-2012-1856 and CVE-2015-1641 vulnerabilities in Microsoft Office software. Meanwhile, keep your eyes open for any Windows request concerning “explorer.exe”. You should be alerted of this when you open Skype with a simple message asking for your permission.

Don’t open it. Deny access.

Otherwise, you should always abide by good downloading practises, whether you’re at work or at home. Learn how to spot a questionable email How to Spot Unsafe Email Attachments: 6 Red Flags Reading an email should be safe, but attachments can be harmful. Look for these red flags to spot unsafe email attachments. Read More , and apply those lessons no matter who you’re supposedly contacted by. And ensure you’re using Skype in the most secure and private way Use These Skype Privacy Settings to Secure Your Account Is your Skype account secure? Do you have the best privacy settings configured on your desktop or mobile Skype app? We look at how to secure your account when using the popular VOIP service. Read More possible.

As businesses are at the moment largely under attack, firms need to educate their staff in the latest security measures. If you’re an employer, alert employees of this vulnerability.

What Else Can Be Done?

Be careful about what information you’re sharing on Skype. If it’s sensitive information, maybe the messenger service isn’t the best place to exchange that sort of data. Remember, those infecting PCs with malware are also hoping to harvest intellectual property and trade secrets.

Skype has assured the press that they’re looking into the T9000 Trojan and its implications.

But what measures are you taking? What tips should businesses give to their staff? Let us know your thoughts below.

Image Credits: scene of the trojan war by Xuan Che; System Lock by Yuri Samoilov; and New Webcam by Hannaford [No Longer Available].

Related topics: Skype, Trojan Horse.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Yourself
    August 24, 2017 at 1:58 am

    "The aim of all hackers is the same: leverage in order to obtain financial gain"


    In fact, decades ago, I had at one time, full access to more than half of all home PCs in existence.

    I did indeed scour them for something I was looking for, but not money. Couldn't care less about money.

  2. Anonymous
    February 15, 2016 at 6:28 pm

    Is there any remedy for this? Can I scan if I have the malware? Does having a folder called Intel indicate anything?

  3. Anonymous
    February 14, 2016 at 1:44 pm

    "Those used to deliver the T9000 Trojan take advantage of the CVE-2012-1856 and CVE-2015-1641 vulnerabilities in Microsoft Office software. "
    What is Microsoft doing about fixing those vulnerabilities? Are they responding with their usual glacial speed?

  4. Anonymous
    February 14, 2016 at 12:16 pm

    Just saying, you should have mentioned that it is for Windows...unless there are other operating systems targeted by this trojan.

    • Anonymous
      February 14, 2016 at 1:48 pm

      Haven't you realized by now that operating systems other than Windows are an afterthought? :-)

    • Philip Bates
      March 31, 2016 at 6:33 pm

      Sorry, that's a good point. I admit, my mind automatically tunes into Windows because that's what I use: it's not a deliberate oversight.

  5. Evan
    February 14, 2016 at 5:30 am

    I don't see Avast on the list. Does that mean that Avast might catch it?

    • Philip Bates
      February 14, 2016 at 11:55 am

      Good question. If we go by Palo Alto's research alone, it's doesn't appear to be checked by the Trojan, but that does seem a stupid oversight if correct. Unfortunately, as Avast hasn't commented on the T9000, it's very hard to say either way, I'm afraid.

  6. Paul Harris
    February 13, 2016 at 10:27 pm

    Don't know who it is......DELETE