8/3/2019 2006 Skype Trojaner v1.1
http://slidepdf.com/reader/full/2006-skype-trojaner-v11 1/18
GLÄRNISCHSTRASSE 7, POSTFACH 1671, CH-8640 RAPPERSWIL
Tel. +41 55-214 41 60, Fax +41 55-214 41 61, [email protected], www.csnc.ch
Skype Trojan
Walter Sprenger
© Compass Page 2
Goal
- Goal of this presentation
  - Understand how Skype works
  - Understand threats with Skype
  - Show proof of concept trojan using Skype
Agenda
1. Introduction to Skype
2. Skype Networking
3. Skype Binary and API
4. Threats with Skype / Demo
5. Blocking Skype
6. Conclusion/Discussion
Introduction to Skype
Introduction
- What is Skype
  - A peer-to-peer (P2P) software for cheap calls
  - Features:
    - SkypeOut: Call landline and mobile phones
    - SkypeIn: Call Skype users from landline and mobile phones
    - Voice Mail: Leave voice messages for offline users
    - Chat: Send and receive chat messages
    - Video Calling: Transmit audio and video
    - File transfers: Send and receive files
    - Community: Are your friends online?
    - Skypecasts: Conferences for up to 100 users with a moderator
    - SkypeSMS: Send short messages to mobile phones
Introduction
- Is Skype a hype?
  - April 27, 2006: more than 100 million registered users
  - Skype is not a hype, Skype is a killer application!
(Chart: Users Online by Date, Aug 03 to Aug 06, y-axis 0 to 8,000,000. Usage statistic from http://en.wikipedia.org/wiki/Skype)
Introduction
- Why is Skype so successful?
  - Very user-friendly
    - Download and installation in 5 minutes
    - Registration in 1 minute (only username and password required)
    - Easy to understand and operate
  - Works everywhere
    - Supported systems: Windows, Mac, Linux
    - No problems with NAT devices and firewalls
    - Decentralized: no problem with growth
  - Very cheap
    - No costs between Skype clients
    - Long-distance calls with SkypeOut as cheap as local calls
Introduction
- Skype Clients
Introduction
- Skype Everywhere
  - Skype invests in FON
  - FON – Wireless sharing community
    - Network of wireless hotspots
    - WLAN router with FON firmware for 5 Euro
    - Every FON user installs a WLAN router on his Internet link
    - Every FON user can use other FON users' hotspots
    - Goal: biggest WLAN hotspot network worldwide by the end of 2006
  - Legal aspects
    - Circumvents cellphone registration
    - May be illegal in Switzerland
Introduction
- FON Hotspots in Zurich and Bern (map)
Skype Networking
Skype Networking
- Skype P2P-Network
  (Diagram: Skype Clients, Skype Super Nodes and the Login Server (Central Server); clients use direct connections or connections over super nodes)
Skype Networking
- Skype Protocol
  - The protocol is proprietary
  - No documentation available from Skype company
  - Communication encrypted with 256 bit AES
  - A super node is a normal Skype client without firewalling, but with high bandwidth and a fast processor.
- Signalling
  - Login to Skype network
  - Register new users
  - Search other users
- Data Transmission
  - Communication with other users
  - Voice, file, messages, video transmission
Skype Networking
- Encryption
  - End-to-end encryption according to Skype
  - Public/private key cryptography
- User Registration
  - A public/private key pair is created and stored on the client, but the authentication is only as strong as the user password
  - The username and password hash are stored on the central server (login server)
- User Identification
  - Based on username and password only
Skype Networking
- NAT / Firewall – Bypass
  - Skype requires an active Internet connection
  (Diagram: Company User A and Company User B behind a NAT router, Home Users X, Y and Z, and two Super Nodes. Communication runs over a super node, with login to the Skype network first; internal communication between Company User A and B is direct, but login to the Skype network is required before)
Skype Networking
- Skype connection setup
  (Diagram: Skype Clients reach Skype Super Nodes through a Blocking Device; the connection methods shown are:)
  - UDP Port 33033 (UDP hole punching)
  - TCP Port 33033
  - TCP Port 80
  - TCP Port 443
  - Proxy CONNECT: TCP Port 443 (reads the proxy configuration of installed browsers)
Skype Binary and API
Skype Binary and API
- Skype is free, but not Open Source
- Protection against Static Analysis
  - Binary is encrypted and is decrypted only in memory
  - Memory dumping is not possible because the beginning of the code is erased in memory
  - Import table is replaced by a new import table during decryption
  - Different checksum routines are run randomly and terminate the process if a checksum fails
  - Pointers are obfuscated through computation
  - Integrity checked with cryptographic signature
Skype Binary and API
- Protection against Dynamic Analysis
  - Detects if SoftIce is present on the system
  - Checksum checks identify software breakpoints
  - Timing is measured to test if the process is debugged
  - Misuses the exception handler during normal program flow, modifies memory addresses/registers and continues program execution
- Skype is a complete Blackbox
  - Why don't we get any documentation about Skype internals and the Skype networking protocol?
  - What is it that Skype wants to hide?
Skype Binary and API
- Skype API
  - Skype asks the user if an application is allowed to use the Skype API
  (Diagram: programs talking to the Skype API: Headset Driver, Address Book, Browser Toolbar, Trojan Program)
Threats with Skype
Threats with Skype
- Bypass Firewall
  - Skype does not work without connection to the Internet
  - Configuration of browsers is read in order to use the corporate proxy for tunneling packets to the Internet. The program uses inside-out attack patterns
  - Blocking Skype is not trivial. No recommendations are given by the Skype company
  - A vulnerability in Skype allows an attacker to access internal workstations
  - A trojan program could misuse Skype to communicate with the attacker in the Internet
- Encrypted Connections
  - It is not possible to inspect traffic generated by Skype
  - Files can be transferred into or out of a company without being able to inspect the files
  - No virus scanning on file transfers on gateway possible
Threats with Skype
- Unknown Software – Complete Blackbox
  - A program that hides its internals is installed on corporate workplaces. The software may contain a backdoor, malware or trojan
  - No documentation of how the encryption works
  - Is it really end to end, or are there possibilities to decrypt the conversations or data transfers?
  - Is it really good cryptography or only security by obscurity? A review has been conducted by Berson, who was paid by Skype
  - Corporations cannot configure or harden the Skype client and define what features are allowed
  - Skype can be installed with minimal user privileges
- Unverified Identities
  - Every Skype client trusts other Skype clients
  - Any user can register with any name
Demo Skype Trojan "Proof of Concept"
Demo Skype Trojan
(Sequence diagram with the lanes Hacker, Perimeter Security and Victim:)
1. Hacker sends Trojan program by email, CD-ROM, web download or Skype file transfer to the victim and motivates him to start it
2. Victim starts Trojan
3. Trojan registers to Skype client
4. Hacker sends command in CHAT message
5. Trojan executes command
6. Result is sent to Hacker in CHAT message
Concept and implementation by Jan P. Monsch, Compass Security AG
Demo Skype Trojan
- Demo Skype Trojan "Proof of Concept"
  (Diagram: Trojan Program attached to the Skype API)
Blocking Skype
Blocking Skype
- Blocking Skype
  - Block direct traffic through firewall
  - Block CONNECT on web proxy for numeric IP addresses
  - Use P2P blockers like PRX from Ipoque
  - Cisco Network-Based Application Recognition (NBAR) (Cisco IOS version >= 12.4(4)T)
  - Use software restriction policies on corporate workstations. Use white listing and not black listing.
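The proxy rule "block CONNECT for numeric IP addresses", as an added example written for this page and not Compass' code: a request-line check that denies CONNECT to IPv4/IPv6 literals and leaves everything else to the proxy's other policy. The request lines are constructed and use documentation address ranges.

```python
"""Proxy-side check for the rule: deny CONNECT whose target is a numeric IP address."""
import ipaddress
import re

# Request lines as a web proxy receives them (constructed for this example;
# 192.0.2.0/24 and 2001:db8::/32 are documentation address ranges).
SAMPLE_REQUESTS = [
    "CONNECT www.example.org:443 HTTP/1.1",      # hostname: normal browser behaviour
    "CONNECT 192.0.2.44:443 HTTP/1.1",           # IPv4 literal: what the rule catches
    "CONNECT [2001:db8::1]:443 HTTP/1.1",        # IPv6 literal in brackets
    "GET http://192.0.2.44/index.html HTTP/1.1", # not CONNECT: other policy applies
    "CONNECT 192.0.2.44 HTTP/1.1",               # literal without a port
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def connect_target(request_line):
    """Return (host, port) for a CONNECT request line, or None for any other request."""
    match = REQUEST_LINE.match(request_line)
    if match is None or match.group("method") != "CONNECT":
        return None
    host, _, port = match.group("target").rpartition(":")
    if not host:                      # no ":port" present: the whole target is the host
        host, port = port, None
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]             # strip IPv6 literal brackets
    return host, port


def is_numeric_host(host):
    """True if the target is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(request_line):
    """Verdict for one request line: 'deny' only for CONNECT to a numeric address."""
    target = connect_target(request_line)
    if target is None:
        return "allow"
    host, _port = target
    return "deny" if is_numeric_host(host) else "allow"
```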
Blocking Skype
- Inspect IP header of incoming SSL key-exchange packets with packet filter
  - 0x160301 means: client-key-exchange SSL version 3.1
  - 0x170301 is not a standard response packet
  - Block all incoming packets with a header of 0x170301
  (Diagram: the Skype Client sends 0x16030100 to the Login Server (Central Server), which answers with 0x17030100)
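The 0x170301 check as an added defender-side example (not from the slides): it reads the first five bytes of each flow's first server-to-client TCP payload as a TLS/SSL record header and marks a flow "suspect" when that first reply is an application-data record (0x17) of version 3.1 instead of a handshake record (0x16). Flows, directions and byte strings are constructed.

```python
"""Packet-filter heuristic from the slide: flag flows whose first server record is 0x17 03 01."""
import struct

HANDSHAKE = 0x16          # TLS/SSL record content type "handshake" (0x160301 on the slide)
APPLICATION_DATA = 0x17   # content type "application data" (0x170301 on the slide)
TLS_1_0 = 0x0301          # record version 3.1

# Constructed sample traffic: (flow_id, direction, TCP payload). "c2s" is client to server.
SAMPLE_PACKETS = [
    ("A", "c2s", b"\x16\x03\x01\x00\x2f" + b"\x01" * 47),   # ClientHello
    ("A", "s2c", b"\x16\x03\x01\x00\x4a" + b"\x02" * 74),   # ServerHello: ordinary TLS
    ("B", "c2s", b"\x16\x03\x01\x00\x2f" + b"\x01" * 47),
    ("B", "s2c", b"\x17\x03\x01\x00\x10" + b"\x00" * 16),   # application data as first reply
    ("B", "s2c", b"\x17\x03\x01\x00\x10" + b"\x00" * 16),
    ("C", "s2c", b"HTTP/1.1 200 OK\r\n\r\n"),                # plain HTTP, no TLS record at all
]


def record_header(payload):
    """Parse the 5-byte TLS/SSL record header; None if the payload is too short."""
    if len(payload) < 5:
        return None
    return struct.unpack("!BHH", payload[:5])   # (content_type, version, length)


def classify_server_first_record(payload):
    """Verdict for the first server-to-client payload of a flow."""
    header = record_header(payload)
    if header is None:
        return "too-short"
    content_type, version, _length = header
    if version != TLS_1_0:
        return "not-tls-1.0"
    if content_type == HANDSHAKE:
        return "handshake"          # normal: the server answers a ClientHello with a handshake record
    if content_type == APPLICATION_DATA:
        return "suspect"            # 0x170301 before any handshake: the pattern the slide blocks
    return "other"


def scan_flows(packets):
    """Return {flow_id: verdict} from each flow's first non-empty server-to-client payload."""
    verdicts = {}
    for flow_id, direction, payload in packets:
        if direction == "s2c" and payload and flow_id not in verdicts:
            verdicts[flow_id] = classify_server_first_record(payload)
    return verdicts
```

Only the first server packet of a flow is judged, so a legitimate TLS session that later carries 0x17 records is not flagged.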
Conclusion
Conclusion
- Conclusion
  - Skype is a cool application, very useful and easy to use. We like it.
  - We do not recommend using Skype in corporate environments.
Discussion
References
- References
  - Skype: www.skype.com
  - FON community: http://www.fon.com/
  - Silver Needle in the Skype (Biondi, Desclaux): http://www.secdev.org/conf/skype_BHEU06.pdf
  - Analysis of the Skype Peer-to-Peer … (Baset, Schulzrinne): http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
  - An analysis of Skype VoIP application for use in a corporate environment (Bergström): http://www.geocities.com/bergstromdennis/Skype_Analysis_1_3.pdf
  - Skype Security Evaluation (Berson): http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
  - IPOQUE Webpage (Ban P2P Traffic): http://www.ipoque.com/
  - Full Disclosure: Blocking Skype: http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html
  - Cisco: How to block Skype: http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/
  - Block Skype with Packet-Filter: http://www1.cs.columbia.edu/~salman/skype/
Abbreviations
- NAT: Network Address Translation
- PAT: Port Address Translation
- P2P: Peer-to-Peer
- API: Application Programming Interface
- AES: Advanced Encryption Standard
- WiFi/WLAN: Wireless Network
- FON: Wireless sharing community
- SSL: Secure Sockets Layer