A trojan for Skype

By Jake Edge
September 2, 2009

A recent report about a Skype trojan that could extract voice calls as mp3 files and ship them off to other locations led to an interesting discussion on the Fedora users mailing list. The trojan itself is somewhat unsurprising as there have been persistent rumors about wiretapping back doors in Skype for some time. The trojan is Windows-only, but it does come with most of the source code, which makes it interesting to those who study malware. While not a direct threat to Linux users, it does highlight a number of privacy and security issues to ponder.

Skype is a popular voice over IP (VoIP) application that runs on Linux, Mac OS X, and Windows. Part of its appeal is that there are many users of the free (as in beer) software, so folks can make free phone calls to many of their friends and family. But it is a closed source tool that resists attempts to reverse-engineer its protocol, so there are no interoperable free (as in freedom) equivalents.

Daniel B. Thurman brought up the trojan and wondered if it was an example of the back doors or interception facilities that governments have long been rumored to be pushing for Skype. That set off a thread in which "black helicopters" made a tongue-in-cheek appearance, but there were also more serious postings. Marko Vojinovic asks about whether there are ongoing attempts to reverse-engineer the Skype protocol:

I have a feeling that the majority of Linux users would switch to Ekiga or something else open source, if only it gave them support to communicate with skype peers on the other end. Linux folks (myself included) use skype mainly because all their friends and other contacts also use it, and it is completely impossible to convince them all to go the open source way. But if Ekiga would support the protocol, it would eliminate the need to install or use skype binary itself, while functionality would be preserved. Not to mention better support for sound and video hardware etc.

There are a number of problems with that, as was pointed out, including the likelihood that Skype would change the protocol to cripple interoperability, much as instant messaging companies have done along the way. Roberto Ragusa noted that there have been people who looked at Skype, but they "found that it contains tons and tons of cryptography, obfuscation and countermeasures against debugging or reverse engineering." That is of concern he said because one cannot be sure of exactly what it's doing: "A closed source code like that and with an explicit purpose to build a crypted P2P network bypassing firewalls with every trick possible is something to be nervous about."

Alan Cox had some additional thoughts on reverse-engineering the code: "The person who completely reverse engineers skype probably destroys it. If you can write a skype client [then] the spammers can write skype spam tools as well." He also mentions the "mostly circumstantial" evidence that law enforcement has added intercept facilities to Skype itself. Furthermore, anyone who might be working on the problem has good reason to do it quietly, he said:

I would imagine anyone doing so is keeping fairly quiet - there is big money on offer from the bad guys for skype trojans, intercepts and clients, while anyone on the good side fiddling with it faces jail and [harassment] - a fine example of perverse economic incentives.

So, we have a closed source application, which uses malware-like techniques to obfuscate its functioning, and folks willingly run it on their computers. In some ways, that's no different than any other closed source application, but there are a few differences. Skype, by its very nature, must use the network to send encrypted data to multiple untrusted machines elsewhere. While it may not be compromised by governmental authorities in the standard binary, it is a known target of those entities, and this trojan demonstrates a way that it might be compromised. Overall, it would seem there are a few risks to both security and privacy from that kind of application—more so than a closed source word processor or non-networked game.

Free software solutions, like Ekiga, may be able to overcome some of the shortcomings of Skype. But, if those solutions become popular, they are likely to run afoul of the spammers and scammers that Cox warns about. It's likely to be true of regular and cellular phone service as well, but a warning from "Tim" in the thread is worth repeating:

Moral of the story; don't conduct illegal business over it, don't conduct legal but confidential conversations over it; and if you're in one of those places where criticising the government has nasty repercussions, I wouldn't do that over it, either.

While Skype provides a nice service—without charge in many cases—it does present a bit of a privacy headache. If it can be subverted for wiretapping purposes, it can undoubtedly be subverted for other reasons. Some of those could present security headaches as well. Since we don't really know what the Skype code does when it isn't infected, it will be difficult to determine if its behavior changes in a malicious way. That should be a little worrisome.

Index entries for this article
Security	Internet/Voice over IP (VoIP)

to post comments

A trojan for Skype

Posted Sep 3, 2009 1:51 UTC (Thu) by tetromino (guest, #33846) [Link]

Jake, phrases such as
> Skype, by its very nature, must use the network to send encrypted data to multiple untrusted machines elsewhere
and
> we don't really know what the Skype code does when it isn't infected
and
seem to suggest that there some sort of vulnerability in Skype. There isn't. The trojan will not automatically infect you over Skype; it is a normal Windows malware that relies on gullible users to ignore all warnings, download the file and install it (or on vulnerable web browsers to conveniently install the trojan without user interaction).

Skype protocol

Posted Sep 3, 2009 8:39 UTC (Thu) by job (guest, #670) [Link]

There has been several interesting reverse engineering efforts of Skype. Read the references on the Wikipedia article "Skype protocol".

One of the researchers made an exploit to the protocol, which should scare any administrator because of the firewall-piercing nature of the application. I think the protocol has changed since then, but it gives an insight in how obfuscated it all is.

A trojan for Skype

Posted Sep 3, 2009 11:22 UTC (Thu) by rwmj (subscriber, #5474) [Link] (8 responses)

No one is going to willingly switch to Ekiga and/or SIP, because the software and the SIP protocol SUCK. I'm a computer expert and I couldn't get either to work reliably. You have to tweak dozens of settings, and then it still doesn't work. Epic fail.

Why it's so hard to make a VOIP system that just works I don't know, but Skype did it, and that's why people use it.

Rich.

A trojan for Skype

Posted Sep 3, 2009 16:22 UTC (Thu) by shredwheat (guest, #4188) [Link]

I must agree. Ekiga is too difficult for me to understand. Skype is click and talk (assuming PulseAudio does not interfere on my end)

Ekiga

Posted Sep 3, 2009 16:51 UTC (Thu) by cry_regarder (subscriber, #50545) [Link] (2 responses)

After trying (and finally succeeding on my end) in getting ekiga to work as far as a succesfull connection to the echo server (sip:500@ekiga.net), I now understand why people are angry about pulse and other sound.

I have a bog common HDA intel audio. Q965 chipset. I had to go in to gst-mixer and enable the Microphone (it wanted to enable the Front microphone which I don't use 'cause it has a 60hz hum). Then I had to enable two recording device (Capture and Capture 1). I had to unmute the microphone on Capture which let pulse hear the mike. Then I had to unmute mike on Capture 1 which let non-pulse Alsa hear the mike. I had to disable the Mixer because otherwise the mike was linked to the speakers and instant echo ensued.

I also had to bump Fedora 11 to the 2.6.30 kernel in testing.

Finally everything was working. Then I couldn't get the distant end to be able to connect to ekiga.net from behind their NAT. And I've been working on and with linux since 1994 everyday since 1994 (I even have a freerunner as my daily phone).

I decided to try empathy instead. Not even close to being close to connecting. Tried gossip. Good luck! Linphone? Not a hope.

First time I've come close to crying since I had a double disk failure on my raid 5 last year. (which I fully recovered from with no data loss by the way thanks to Neil Brown and the others on the raid list).

Vent :-)

Cry

Ekiga

Posted Sep 4, 2009 10:31 UTC (Fri) by rmano (guest, #49886) [Link] (1 responses)

Agreed. And moreover, Skype offer a cheap, with clearly published rates, service to call normal landphones all over the world. I'd like a viable open alternative, but I cannot find any.

Ekiga

Posted Sep 4, 2009 14:43 UTC (Fri) by foom (subscriber, #14868) [Link]

There's a *ton* of alternatives for landline call-out and call-in.

Personally I'm using Callcentric.com service with a "hard" phone (e.g. not a computer-based phone)
connected to a Linksys PAP2. But there's certainly many many other choices.

A trojan for Skype

Posted Sep 3, 2009 17:50 UTC (Thu) by droundy (guest, #4559) [Link] (2 responses)

Agreed. I used ekiga for over a year to meet with students I advise, and we never were able to get the audio to be consistently comprehensible, and ended up just chatting on the phone much of the time. We're now using skype, and it works way better. I hate the fact that I'm using nasty proprietary software running a proprietary protocol, but it works, and ekiga doesn't.

A trojan for Skype

Posted Sep 3, 2009 20:31 UTC (Thu) by davide.del.vento (guest, #59196) [Link] (1 responses)

Yes, I hate skype, but ekiga is just terrible and useless. I was able (without much effort) to have it working on my computer and a on a couple of friends' ones. But the voice quality is bad, and the video is painful worst. On the same network skype works just fine (unfortunately, because I hate it!)

A trojan for Skype

Posted Sep 3, 2009 21:46 UTC (Thu) by Cato (guest, #7643) [Link]

This is most likely down to the Global IP Sound codec licensed by Skype, which is highly resistant to packet loss, delivering pretty good quality on a range of connections as well as being the same on all Skype clients. I also find it better than the expensive Nortel VoIP softphone client that I use for work - also SIP based, but the real issue is the codecs.

A trojan for Skype

Posted Sep 4, 2009 9:42 UTC (Fri) by tpo (subscriber, #25713) [Link]

I had similar problems with VoIP SW under Linux and have, as everybody else here, made the rounds and installed every possible Linux VOIP client in the universe. I've settled on Twinkle. In my opinion it's easier to use and to configure than the other clients and also more resilient and tolerant. I'd even go as far as to say that, that I like the software which is in contrast to many of the other clients which were painful.

A trojan for Skype

Posted Sep 3, 2009 11:24 UTC (Thu) by Tet (subscriber, #5433) [Link] (4 responses)

Since we don't really know what the Skype code does when it isn't infected, it will be difficult to determine if its behavior changes in a malicious way. That should be a little worrisome.

Agreed. That said, a decent SELinux policy can prevent it from doing undesireable things on the local box, even if it's infected. It's hard to stop it sending copies of your calls out over the network, though, because skype needs to send data over the network, and SELinux doesn't have an easy way of working out which are legitimate network connections and which aren't.

A trojan for Skype

Posted Sep 3, 2009 17:53 UTC (Thu) by droundy (guest, #4559) [Link] (3 responses)

Also note that a SELinux policy is unlikely to keep skype from sending audio and video even when you aren't on the network... it's not just your calls that might be compromised, but anything you mention (or do) in the presence of a computer running skype. Of course, network usage is likely to give this away, unless a trojan were to store up data and send it during a call...

A trojan for Skype

Posted Sep 4, 2009 20:42 UTC (Fri) by Tet (subscriber, #5433) [Link] (2 responses)

a SELinux policy is unlikely to keep skype from sending audio and video even when you aren't on the network... it's not just your calls that might be compromised, but anything you mention (or do) in the presence of a computer running skype

That's not really true. A decent policy can prevent a rogue skype process from reading files that it has no business reading, so the only things it should be able to transmit is data it already has (e.g. the audio of your call)

A trojan for Skype

Posted Sep 5, 2009 19:25 UTC (Sat) by oak (guest, #2786) [Link] (1 responses)

> so the only things it should be able to transmit is data it already has
(e.g. the audio of your call)

If it's allowed to read the mic for the call, why it couldn't eavesdrop
you always?

A trojan for Skype

Posted Sep 14, 2009 11:11 UTC (Mon) by robbe (guest, #16131) [Link]

> If it's allowed to read the mic for the call, why it couldn't eavesdrop
> you always?

You could probably modify your policy on the fly to allow/deny access to
the microphone device. But I guess soldering a switch to the microphone
cable would be a better UI.

But as an X app it has a lot of means to snarf information, anyway ... or
is X-ACE already sufficiently deployed?

I think the best option today is a VM sandbox. Or a free alternative.

Then what?

Posted Sep 3, 2009 18:57 UTC (Thu) by man_ls (guest, #15091) [Link] (2 responses)

While "Tim"'s advice may be sound and all, I don't know what other solutions are there. Is Ekiga safer for illegal or confidential purposes than Skype? Looking at it from the other point of view, that of law enforcement, is it feasible to get a warrant to eavesdrop on a private communication using Skype, or Ekiga? Even if the police have access to Skype communications, I don't think they want the bad guys (or the rest of us) to know.

Not that I am thinking about terrorists or drug dealers. If I were to run an illegal network I would just use SSH to a central server using private keys kept in USB dongles, plus passwords, and read and write text documents there. Or maybe even a VPN. Much simpler and easier to manage. That shows you that geeks make awful terrorists or drug dealers!

Then what?

Posted Sep 4, 2009 9:56 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (1 responses)

No, Ekiga is much worse, Skype is encrypted. We don't know who has the keys, but it's safe to assume that they're not handing them out like candy, since there are no reported leaks. Ekiga transmits in clear, anyone who can read your IP traffic gets the entire conversation handed to them on a plate.

In theory you can get encrypted SIP. But now you've gone from Skype (your grandmother has it) to Ekiga (your friend running Ubuntu has it) to encrypted SIP (you once met someone who knows a guy that has it) and there's no point having a communication network if no-one you're interested in communicating with is connected to it.

Then what?

Posted Sep 4, 2009 9:57 UTC (Fri) by johill (subscriber, #25196) [Link]

Yeah, zFone seems nice, but I haven't seen a well-integrated implementation for linux yet.

A trojan for Skype

Posted Sep 4, 2009 12:49 UTC (Fri) by mcatkins (guest, #4270) [Link] (1 responses)

Has anyone tried Gizmo's SIP-to-Skype gateway? That claims to allow one to use a SIP Hard/Softphone (assuming it can be made it work :-( ) - and still talk to friends on Skype.

Of course,
1) this turns free calls into paid-for ones (Gizmo charge)
2) Doesn't help with the problems with Ekiga/sound/etc

But it does prove that a gateway is possible.

(Unfortunately the FreeSwitch (and Asterisk?) Skype integration works by talking to a local Skype client, so doesn't really help with the privacy issues.)

Martin

A trojan for Skype

Posted Sep 4, 2009 20:12 UTC (Fri) by paravoid (subscriber, #32869) [Link]

Not the new, official (i.e. Digium) codec for Asterisk that was recently released:

http://www.digium.com/en/products/software/skypeforasteri...