2006 Skype Trojaner v1.1


Transcript of 2006 Skype Trojaner v1.1

Page 1: 2006 Skype Trojaner v1.1

8/3/2019 2006 Skype Trojaner v1.1

http://slidepdf.com/reader/full/2006-skype-trojaner-v11 1/18

Glärnischstrasse 7, Postfach 1671, CH-8640 Rapperswil

Tel. +41 55-214 41 60, Fax +41 55-214 41 61, [email protected], www.csnc.ch

Skype Trojan

Walter Sprenger

[email protected]

© Compass Page 2

Goal

- Goal of this presentation
  - Understand how Skype works
  - Understand threats with Skype
  - Show proof of concept trojan using Skype

Page 2: 2006 Skype Trojaner v1.1


Agenda

1. Introduction to Skype

2. Skype Networking

3. Skype Binary and API

4. Threats with Skype / Demo

5. Blocking Skype

6. Conclusion/Discussion


Introduction to Skype


Page 3: 2006 Skype Trojaner v1.1


Introduction

- What is Skype
  - A peer-to-peer (P2P) software for cheap calls
  - Features:
    - SkypeOut: Call landline and mobile phones
    - SkypeIn: Call Skype users from landline and mobile phones
    - Voice Mail: Leave voice messages for offline users
    - Chat: Send and receive chat messages
    - Video Calling: Transmit audio and video
    - File transfers: Send and receive files
    - Community: Are your friends online?
    - Skypecasts: Conferences for up to 100 users with a moderator
    - SkypeSMS: Send short messages to mobile phones


Introduction

- Is Skype a Hype?

April 27, 2006: more than 100 million registered users

Skype is not a hype, Skype is a killer application!

Usage statistic from http://en.wikipedia.org/wiki/Skype

[Chart: Users Online (0 to 8,000,000) by date, Aug 03 to Aug 06]

Page 4: 2006 Skype Trojaner v1.1


Introduction

- Why is Skype so successful?
  - Very user-friendly
    - Download and installation in 5 minutes
    - Registration in 1 minute (only username and password required)
    - Easy to understand and operate
  - Works everywhere
    - Supported systems: Windows, Mac, Linux
    - No problems with NAT devices and firewalls
    - Decentralized: no problem with growth
  - Very cheap
    - No costs between Skype clients
    - Long-distance calls with SkypeOut as cheap as local calls


Introduction

- Skype Clients

Page 5: 2006 Skype Trojaner v1.1


Introduction

- Skype Everywhere
  - Skype invests in FON
  - FON – Wireless sharing community
    - Network of wireless hotspots
    - WLAN router with FON firmware for 5 Euro
    - Every FON user installs a WLAN router on his Internet link
    - Every FON user can use other FON users' hotspots
    - Goal: biggest WLAN hotspot network worldwide by the end of 2006
  - Legal aspects
    - Circumvent cellphone registration
    - May be illegal in Switzerland


Introduction

- FON Hotspots in Zurich and Bern

Page 6: 2006 Skype Trojaner v1.1


Skype Networking


Skype Networking

- Skype P2P-Network

[Diagram: Skype Clients, Skype Super Nodes and the Login Server (Central Server); direct connections between clients and connections over super nodes]

Page 7: 2006 Skype Trojaner v1.1


Skype Networking

- Skype Protocol
  - The protocol is proprietary
  - No documentation available from Skype company
  - Communication encrypted with 256 bit AES
  - A super node is a normal Skype client without firewalling, but with high bandwidth and a fast processor.
- Signalling
  - Login to Skype network
  - Register new users
  - Search other users
- Data Transmission
  - Communication with other users
  - Voice, file, messages, video transmission


Skype Networking

- Encryption
  - End-to-end encryption according to Skype
  - Public/private key cryptography
- User Registration
  - A public/private key pair is created and stored on the client, but the authentication is only as strong as the user password
  - The username and password hash are stored on the central server (login server)
- User Identification
  - Based on username and password only


Page 8: 2006 Skype Trojaner v1.1


Skype Networking

- NAT / Firewall – Bypass
  - Skype requires an active Internet connection

[Diagram: Company User A and Company User B behind a NAT router; Home User X, Home User Y, Home User Z and two Super Nodes on the Internet. Communication runs over a super node, as does login to the Skype network; internal communication between the company users is possible, but login to the Skype network is required before.]

Skype Networking

- Skype connection setup

[Diagram: Skype Clients reach the Skype Super Nodes through a blocking device; the connection options shown are UDP port 33033 (UDP hole punching), TCP port 33033, TCP port 80, TCP port 443, and Proxy CONNECT on TCP port 443 after reading the proxy configuration of the installed browsers]

Page 9: 2006 Skype Trojaner v1.1


Skype Binary and API


Skype Binary and API

- Skype is free, but not Open Source
- Protection against Static Analysis
  - Binary is encrypted and is decrypted only in memory
  - Memory dumping is not possible because the beginning of the code is erased in memory
  - Import table is replaced by a new import table during decryption
  - Different checksum routines are run randomly and terminate the process if a checksum fails
  - Pointers are obfuscated through computation
  - Integrity checked with cryptographic signature


Page 10: 2006 Skype Trojaner v1.1


Skype Binary and API

- Protection against Dynamic Analysis
  - Detects if SoftIce is present on the system
  - Checksum checks identify software breakpoints
  - Timing is measured to test if the process is debugged
  - Misuses the exception handler during normal program flow, modifies memory addresses/registers and continues program execution
- Skype is a complete Blackbox
  - Why don't we get any documentation about Skype internals and the Skype networking protocol?
  - What is it that Skype wants to hide?


Skype Binary and API

- Skype API
  - Skype asks the user if an application is allowed to use the Skype API

[Diagram: applications attached to the Skype API: Headset Driver, Address Book, Browser Toolbar, Trojan Program]

Page 11: 2006 Skype Trojaner v1.1


Threats with Skype


Threats with Skype

- Bypass Firewall
  - Skype does not work without connection to the Internet
  - Configuration of browsers is read in order to use the corporate proxy for tunneling packets to the Internet. The program uses inside-out attack patterns
  - Blocking Skype is not trivial. No recommendations are given by the Skype company
  - A vulnerability in Skype allows an attacker to access internal workstations
  - A trojan program could misuse Skype to communicate with the attacker in the Internet
- Encrypted Connections
  - It is not possible to inspect traffic generated by Skype
  - Files can be transferred into or out of a company without being able to inspect the files
  - No virus scanning on file transfers on the gateway possible


Page 12: 2006 Skype Trojaner v1.1


Threats with Skype

- Unknown Software – Complete Blackbox
  - A program that hides its internals is installed on corporate workplaces. The software may contain a backdoor, malware or trojan
  - No documentation how encryption works
  - Is it really end to end or are there possibilities to decrypt the conversations or data transfers?
  - Is it really good cryptography or only security by obscurity? A review has been conducted by Berson who was paid by Skype
  - Corporations cannot configure or harden the Skype client and define what features are allowed
  - Skype can be installed with minimal user privileges
- Unverified Identities
  - Every Skype client trusts other Skype clients
  - Any user can register with any name


Demo Skype Trojan "Proof of Concept"


Page 13: 2006 Skype Trojaner v1.1


Demo Skype Trojan

[Diagram: Hacker, Perimeter Security, Victim]

- Hacker sends Trojan program by email, CD-ROM, web download or Skype file transfer to the victim and motivates him to start it
- Victim starts Trojan
- Trojan registers to Skype client
- Hacker sends command in CHAT message
- Trojan executes command
- Result is sent to Hacker in CHAT message


Concept and implementation by Jan P. Monsch, Compass Security AG


Demo Skype Trojan

- Demo Skype Trojan "Proof of Concept"

[Diagram: Trojan Program attached to the Skype API]


Page 14: 2006 Skype Trojaner v1.1


Blocking Skype


Blocking Skype

- Blocking Skype
  - Block direct traffic through firewall
  - Block CONNECT on web proxy for numeric IP addresses
  - Use P2P blockers like PRX from Ipoque
  - Cisco Network-Based Application Recognition (NBAR) (Cisco IOS version >= 12.4(4)T)
  - Use software restriction policies on corporate workstations. Use white listing and not black listing.
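The proxy rule in the second bullet, worked out as an added example (my code, not from the slides or Compass): a policy check that parses CONNECT request lines the way a web proxy sees them and denies any whose target is a literal IPv4 or IPv6 address instead of a hostname. The extra allow-list of CONNECT ports and the sample request lines are my own assumptions, not from the slides.

```python
import ipaddress
import re

# Constructed sample CONNECT request lines (not from the slides); this is what a
# web proxy sees when a client asks it to tunnel a TCP connection.
SAMPLE_REQUESTS = [
    "CONNECT mail.example.com:443 HTTP/1.1",     # normal HTTPS through the proxy
    "CONNECT 203.0.113.7:443 HTTP/1.0",          # numeric target: the Skype pattern
    "CONNECT [2001:db8::1]:443 HTTP/1.1",        # numeric IPv6 target
    "CONNECT mail.example.com:33033 HTTP/1.1",   # hostname, but not a TLS port
    "GET http://www.example.com/ HTTP/1.1",      # not a CONNECT at all
]

# Host is either a bracketed IPv6 literal or anything up to the ':' before the port.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d+)\s+HTTP/\d\.\d$"
)


def parse_connect(line):
    """Return (host, port) for a CONNECT request line, or None for any other request."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    return m.group("host").strip("[]"), int(m.group("port"))


def is_numeric_host(host):
    """True when the CONNECT target is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def connect_decision(line, allowed_ports=(443,)):
    """Slide rule: deny CONNECT to numeric IP addresses. The port allow-list
    (assumption: only 443) additionally denies tunnels to non-TLS ports."""
    parsed = parse_connect(line)
    if parsed is None:
        return "not-connect"
    host, port = parsed
    if is_numeric_host(host):
        return "deny-numeric-ip"
    if port not in allowed_ports:
        return "deny-port"
    return "allow"


def filter_requests(lines=SAMPLE_REQUESTS):
    """Apply the policy to each request line; returns (line, decision) pairs."""
    return [(line, connect_decision(line)) for line in lines]
```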


Page 15: 2006 Skype Trojaner v1.1


Blocking Skype

- Inspect IP header of incoming SSL key-exchange packets with packet filter
  - 0x160301 means: client-key-exchange SSL version 3.1
  - 0x170301 is not a standard response packet
  - Block all incoming packets with a header of 0x170301

[Diagram: Skype Client sends 0x16030100 to the Login Server (Central Server); the Login Server answers with 0x17030100]
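The packet-filter check on this slide as an added example (my code, not from the slides or Compass). The bytes 0x16 0x03 0x01 and 0x17 0x03 0x01 are the first three bytes of an SSL/TLS record header (content type, then version 3.1 = TLS 1.0), which sit at the start of the TCP payload rather than in the IP header; a real TLS server answers a client handshake record with another handshake record, so a first reply of application data (0x17) is the signature the slide blocks. The sample flows are constructed, not captured traffic.

```python
# TLS/SSL record header: content type (1 byte), version (2 bytes), length (2 bytes).
HANDSHAKE = 0x16         # handshake record (the slide labels the client's packet "client-key-exchange")
APPLICATION_DATA = 0x17  # application data record
VERSION_3_1 = b"\x03\x01"  # SSL 3.1 = TLS 1.0


def record_header(payload):
    """(content_type, version) of the first record in a TCP payload, or None if too short."""
    if len(payload) < 5:
        return None
    return payload[0], payload[1:3]


def classify_flow(packets):
    """packets: list of (direction, payload), direction 'out' (client -> server) or 'in'.
    Classifies by the first record seen in each direction."""
    first_out = next((p for d, p in packets if d == "out"), None)
    first_in = next((p for d, p in packets if d == "in"), None)
    if first_out is None or first_in is None:
        return "other"
    out_hdr, in_hdr = record_header(first_out), record_header(first_in)
    if out_hdr != (HANDSHAKE, VERSION_3_1) or in_hdr is None:
        return "other"
    # Genuine TLS: ServerHello (0x16) comes back first. Application data (0x17) as
    # the very first reply is what the slide describes for the Skype login server.
    if in_hdr == (APPLICATION_DATA, VERSION_3_1):
        return "skype-login-signature"
    if in_hdr[0] == HANDSHAKE:
        return "tls"
    return "other"


def should_block(packets):
    """Slide rule: drop the incoming 0x170301 packet when the flow opened with 0x160301."""
    return classify_flow(packets) == "skype-login-signature"


# Constructed sample flows (not captures from the slides); only the 5-byte record
# headers matter, the bodies are zero filler of the declared length.
SKYPE_LIKE_FLOW = [
    ("out", bytes.fromhex("160301002a") + b"\x00" * 0x2a),
    ("in",  bytes.fromhex("1703010010") + b"\x00" * 0x10),
]
REAL_TLS_FLOW = [
    ("out", bytes.fromhex("1603010050") + b"\x01" + b"\x00" * 0x4f),  # ClientHello
    ("in",  bytes.fromhex("1603010040") + b"\x02" + b"\x00" * 0x3f),  # ServerHello
    ("in",  bytes.fromhex("1703010020") + b"\x00" * 0x20),            # app data after handshake
]
```

Note that the check keys on the first record per direction only, so the application-data record that follows a completed handshake in a real TLS session is not flagged.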


Conclusion


Page 16: 2006 Skype Trojaner v1.1


Conclusion

- Conclusion
  - Skype is a cool application, very useful and easy to use. We like it.
  - We do not recommend using Skype in corporate environments.


Discussion


Page 17: 2006 Skype Trojaner v1.1


References

- References
  - Skype: www.skype.com
  - FON community: http://www.fon.com/
  - Silver Needle in the Skype (Biondi, Desclaux): http://www.secdev.org/conf/skype_BHEU06.pdf
  - Analyses of the Skype Peer-to-Peer … (Baset, Schulzrinne): http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
  - An analysis of Skype VoIP application for use in a corporate environment (Bergström): http://www.geocities.com/bergstromdennis/Skype_Analysis_1_3.pdf
  - Skype Security Evaluation (Berson): http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf


References

- References
  - IPOQUE Webpage (Ban P2P Traffic): http://www.ipoque.com/
  - Full Disclosure: Blocking Skype: http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html
  - Cisco: How to block Skype: http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/
  - Block Skype with Packet-Filter: http://www1.cs.columbia.edu/~salman/skype/

Page 18: 2006 Skype Trojaner v1.1


Abbreviations

- NAT: Network Address Translation
- PAT: Port Address Translation
- P2P: Peer-to-Peer
- API: Application Programming Interface
- AES: Advanced Encryption Standard
- WiFi/WLAN: Wireless Network
- FON: Wireless sharing community
- SSL: Secure Sockets Layer