So I don't know if anyone noticed over the holiday weekend, but on Saturday Skype decided to do something interesting: they, or their affiliate partner EasyBits Media, decided to shove the EasyBits GO game interface down every Windows machine running Skype. Cue millions of people on the Internet asking: "WTH?!" You can get a pretty good idea of what happened using Carbon Black (Cb) by searching by process name (EasyBitsGO.exe) around the time you saw it appear on your screen (if you were online and running Skype), or by researching when others started complaining about it (between 0700 and 1500 on the 28th) and adjusting your process date range window accordingly. Fair warning: this might take a while if you don't bound your date/time tightly.
Now that you have found out that it ran, the next question is: "what in the world did it write to my system?" Cb gives you a pretty good answer if you follow the child processes that spawn from the EasyBitsGO process. I don't want to reveal too much, since this is a neat real-world situation that demonstrates the value of a tool like Cb, but there is no reason to panic. Once you find the parent process information, you can definitively state that Skype was the process that started the associated EasyBitsGO writes. That matters, because when this all started the Skype forum admins were claiming that this was malware being installed via some other means.
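The three steps above (bound the search by process name and time window, walk the parent chain to attribute the launch, then follow the children to collect what was written) are easy to script once you have a process export in hand. The following is an added example, not Cb's own API or data: it runs over a constructed, hypothetical set of process-start events (made-up pids, times and paths) shaped like a sensor export.

```python
from datetime import datetime

# Constructed sample events (hypothetical pids, dates and paths), one
# dict per process start, with the files that process wrote.
EVENTS = [
    {"pid": 400, "ppid": 1, "name": "explorer.exe",
     "start": "2011-05-28T06:55:00", "writes": []},
    {"pid": 1200, "ppid": 400, "name": "Skype.exe",
     "start": "2011-05-28T07:02:00", "writes": []},
    {"pid": 1340, "ppid": 1200, "name": "EasyBitsGO.exe",
     "start": "2011-05-28T07:31:00",
     "writes": [r"C:\Users\u\AppData\Roaming\EasyBitsGO\ebgo.exe"]},
    {"pid": 1355, "ppid": 1340, "name": "ebgo_setup.exe",
     "start": "2011-05-28T07:31:10",
     "writes": [r"C:\Users\u\AppData\Roaming\EasyBitsGO\core.dll",
                r"C:\Users\u\AppData\Roaming\EasyBitsGO\launcher.lnk"]},
    # A later run outside the window; a tight time bound excludes it.
    {"pid": 2000, "ppid": 400, "name": "EasyBitsGO.exe",
     "start": "2011-05-29T09:00:00",
     "writes": [r"C:\Users\u\AppData\Roaming\EasyBitsGO\log.txt"]},
]

def find_process(events, name, start, end):
    """Step 1: match by process name inside a tight [start, end] window."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if e["name"].lower() == name.lower()
            and lo <= datetime.fromisoformat(e["start"]) <= hi]

def ancestry(events, pid):
    """Step 2: follow ppid links to the root; first entry is the hit itself."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain

def tree_writes(events, root_pid):
    """Step 3: every file written by the hit and all of its descendants."""
    writes, stack, seen = [], [root_pid], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for e in events:
            if e["pid"] == cur:
                writes.extend(e["writes"])
            if e["ppid"] == cur:
                stack.append(e["pid"])
    return sorted(set(writes))

def investigate(events, name, start, end):
    """Tie the steps together: one record per in-window hit."""
    return [{"pid": h["pid"], "lineage": ancestry(events, h["pid"]),
             "writes": tree_writes(events, h["pid"])}
            for h in find_process(events, name, start, end)]
```

On the sample data the in-window hit resolves to the lineage EasyBitsGO.exe -> Skype.exe -> explorer.exe, with three files written by the process tree, which is exactly the attribution and cleanup list the post describes.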
Whether you want to get rid of it on your own box, or you're responsible for keeping an enterprise free of unauthorized installations, Cb lets you see exactly where this unwanted thing is so you can remove it. Since EasyBitsGO was installed by an application that could already be on your whitelist, and doesn't require any additional privileges to install (which is a frightening thing all by itself), your centrally managed whitelisting mechanism might have no insight into this secret install: a problem Cb does not suffer from.