Proof-of-Concept Trojan using Skype API

Probably most of you have heard about the VoIP software Skype. The name stands for cheap, stable and user-friendly voice and video calls. As most security professionals know, Skype tries to find its way out of a network using advanced firewall bypass techniques. Skype traffic is encrypted, the Skype binary itself is equipped with anti-reverse-engineering capabilities, and of course everything is proprietary and undocumented. In short, it is a complete black box and exhibits a fair amount of malware-like behavior.

At the Compass Security Event 2006 Walter Sprenger presented my proof-of-concept Skype Trojan, which utilizes Skype’s intelligent communication capabilities as an inside-out channel to connect to the Trojan’s controller. This is achieved using the Skype API, which allows third-party applications to officially interact with the Skype client software. Such applications can, for example, automatically handle incoming chat messages and respond to them. The proof-of-concept Trojan attaches to the Skype API and allows remote control of the Trojan using chat messages. Since chat messages cause the chat window to pop up, the victim could become aware of the remote control. Further analysis of the Skype API suggests that invisible communication could also be possible.

This demonstrates that Skype can be abused for malicious purposes which cannot easily be controlled at the company’s perimeter using standard security components. Measures like whitelist-based software restriction policies on the client computer or Skype-aware network devices have to be adopted to prevent the execution of Skype in a corporate environment. Further details can be found in the slides on pages 25 and 26.
