Forgot your password?
typodupeerror
Privacy Communications Security

Skype Trojan Can Log VoIP Conversations 151

Posted by timothy
from the sans-malice-would-be-a-useful-thing dept.
Slatterz writes "Security giant Symantec claims to have found the public release of source code for a Trojan that targets Skype users. Trojan.Peskyspy is spyware which records a voice call and stores it as an MP3 file for later transmission. An infected machine will use the software that handles audio processing within a computer and save the call data as an MP3. The file is then sent over the internet to a predefined server where the attacker can listen to the recorded conversations."
This discussion has been archived. No new comments can be posted.

Skype Trojan Can Log VoIP Conversations

Comments Filter:
  • Platforms... (Score:3, Interesting)

    by Slur (61510) on Sunday August 30, 2009 @07:27PM (#29255477) Homepage Journal

    Does this affect the Mac OS X version, or does at least one of the callers have to be on a PC?

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Does this affect the Mac OS X version, or does at least one of the callers have to be on a PC?

      Doesn't Mac OS X runs on PCs?

      • by dandart (1274360)
        Yeah. Macs ARE PCs. Call it by its OS not its platform, fools! I've got a PC but things advertised as "for PC" sometimes don't work!
        • Yeah. Macs ARE PCs.

          They can't be a PC, they have that pretty picture of an apple on them... PCs don't have that...

          • by dandart (1274360)
            What if you stick one on? And PCs to most people are x86 compatibles. But PCs are really personal computers, which is most of them. So... who's right?
            • Re:Platforms... (Score:4, Insightful)

              by mckinleyn (1288586) on Sunday August 30, 2009 @08:32PM (#29255897)
              PCs to most people are the scary blinky box in the corner. PCs to some are any x86 machine (Macs included). The original acronym means Personal Computers, as you stated. By that definition, my cell phone is a PC. While some may argue the point, it seems most likely that when the average /.er says PC, they mean x86, running Windows.
              • by dandart (1274360)
                That may apply in silly software selling but most people understand if I say "I have a PC". Yes, it's a big box with an unspecified system on it. It's silly nowadays to assume a system at all. There are so many of the damn things. See "Having the right terminology" for details.
              • Re: (Score:2, Interesting)

                by m50d (797211)
                While some may argue the point, it seems most likely that when the average /.er says PC, they mean x86, running Windows.

                Given how many linux users (or people liking to pretend they're linux users) there are here, I'd say you're wrong.

              • by houghi (78078)

                To me to make a difference I say Windows Machine and Linux Box.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I'm sure that Mac OS X programs can record audio too. Guys, you're running Skype, a program which is closed source, uses anti-reverse-engineering techniques and pretty much behaves like typical malware in many ways. If privacy is a big concern to you, you're doing it wrong.

    • source (Score:5, Informative)

      by Zen Hash (1619759) on Sunday August 30, 2009 @08:12PM (#29255781)

      Does this affect the Mac OS X version, or does at least one of the callers have to be on a PC?

      It's written for Windows, like usual, and at least one of the callers would have to be infected.

      Source: http://www.megapanzer.com/2009/08/25/skype-trojan-sourcecode-available-for-download/ [megapanzer.com]

      • by chrb (1083577)

        Technically there is no reason why this has to be Windows only. All it would require is to modify the Skype binary to call an mp3 encode function for each audio block it sends or receives. If you can get the user to run your Skype binary, either by replacing the original, or by changing $PATH, then it will work. Skype is supposed to have some anti-reverse engineering code, but it has been cracked before.

        • Or just record everything coming out of the sound card & microphone, and keep an eye on what text is coming up in the Skype window to see who is calling and when to bother to record. Is there any reason that wouldn't work?

      • by mac1235 (962716)
        Porting is so hard. If only we had the source code...
    • Bastards! (Score:5, Funny)

      by Runaway1956 (1322357) on Sunday August 30, 2009 @09:43PM (#29256291) Homepage Journal

      As usual, I see no Linux support at all. I've almost made up my mind to format and install Windows again. Damn those rat bastard virus writers! Always forgetting us lusers!

      • As usual, I see no Linux support at all. I've almost made up my mind to format and install Windows again. Damn those rat bastard virus writers! Always forgetting us losers!

        There. Fixed it for ya.

    • by itsme1234 (199680)

      Does this affect the Mac OS X version, or does at least one of the callers have to be on a PC?

      Like mostly everything else it probably DOESN'T run on OS X. And in case you missed the last 4 years or so we don't really have the distinction PC/Mac anymore (not to mention that Mac OS X runs on many "PCs" from netbooks to Macs - and so does Windows in all incarnations worth mentioning).

  • Use OGG and you'll be safe too.

  • Conspiracy (Score:3, Funny)

    by No Lucifer (1620685) on Sunday August 30, 2009 @07:32PM (#29255515)
    Somehow, Oprah's got to be behind this...
  • And Skype all this time was claiming wiretaps were an undue burden that they didn't have to comply with!

  • Sounds familiar... (Score:5, Informative)

    by piemonkey (1628149) on Sunday August 30, 2009 @07:56PM (#29255667)
    I wonder if they're talking about this trojan http://it.slashdot.org/story/09/08/26/144249/Coder-of-Swiss-Wiretapping-Trojan-Speaks-Out [slashdot.org]
  • by bistromath007 (1253428) on Sunday August 30, 2009 @08:01PM (#29255689)
    Wouldn't this quickly take enough disk space to be easily noticeable?
    • Re: (Score:1, Informative)

      by Anonymous Coward

      Two channels of voice communication can be compressed to about 1kByte/s, less if you omit "silence". No, that is not easily noticeable. You could write uncompressed 8kHz 8bit audio (64kbps*2, 16kByte/s, ISDN quality) and most people wouldn't notice. Most computers are so busy with background processes that regular hard disk activity is expected.

    • by Darkk (1296127) on Sunday August 30, 2009 @08:22PM (#29255835)

      Nope. You'd hardly notice it sitting on your 1.5TB hard drive since low bitrate of voice MP3s are usually pretty small. Betcha the trojan would store the files in the ole temp folder of IE along with other junk files.

      Pretty slick idea of a trojan but boring to listen to millions conversations that have little value. Only thing I can think of the trojan author would use some kind of speech recognition software to look for phrases like "passwords" or "credit card info"

      Sadly that I rarely download software anymore due to concerns of backdoors or trojans as it's a money game now.

      • by brusk (135896) on Sunday August 30, 2009 @09:19PM (#29256163)
        If you could track the numbers called (on skypeout), you might be able to identify calls to banks, credit card companies, etc., and listen only to those.
      • Re: (Score:2, Informative)

        by armie (32968)

        There are a lot of automated banking by phone facilities that rely on the user entering their account numbers and passwords via the keypad. An attacker won't even need sophisticated speech recognition software - all they need is software looking for DTMF tones.

      • by Barny (103770)

        Just have it look for important phone numbers, IRS, major banks, etc.

        How much important info would you be likely to gleam from skype-skype calls as opposed to skype-landline?

      • I used to work for a callcenter, and absolutely everything was recorded.

        The recordings started as uncompressed WAV files. With a callcenter of ~100 seats, they took up about 6 GB/day. After we moved to daily MP3 encoding, at bit rates much higher than would have probably been required for the legal CYA the recordings were made for, three to four days worth of recordings fit on a single DVD-R.

        We used LAME with that -V2 switch I think.
    • Wouldn't this quickly take enough disk space to be easily noticeable?

      If the phone user is talking 24/7 and has a small hard drive - sure. The loss of 4 gig (the equivalent of 4 *days* of MP3's, or so sayeth my iPod about my music collection) would go unnoticed by all but the most paranoid of users or someone whose hard drive was almost full.

      • by jamstar7 (694492)
        Voice communications doesn't need 320kbs sampling. You can get away prolly with 64kbs or even 32kbs. Normal analog voice bandwidth is about 6KHz. At 32kbs, you can squeeze a 5 min conversation into about a meg of disk space.
        • Well, there's something hideously wrong with your calculations... The longest MP3 in my collection (approx 12mins) takes up 11k.

    • How many people -really- search their HD? A few extra MBs won't be noticeable to most people, especially if they keep it in obscure directories.
      • by Shakrai (717556)

        How many people -really- search their HD? A few extra MBs won't be noticeable to most people, especially if they keep it in obscure directories.

        It doesn't even matter if you search your HD, unless you are using a live CD to do it. Anyone sophisticated enough to write a trojan to record your VoIP conversations is sophisticated enough to include rootkit concepts that hook into the OS and hide the evidence of the trojan.

        I don't know if that's the case with this particular trojan but it's how I would go about doing it if I was writing it.

        • by Khyber (864651)

          Anyone sophisticated enough to include a rootkit better be sophisticated enough to wipe out the possibility of a byte-for-byte diff scan to detect the virus or MP3 files.

  • by digitalme2 (965595) on Sunday August 30, 2009 @08:03PM (#29255701)
    Seems more like something that would be used by investigators, employers, jealous partners, and their like. As TFA says, "The downside for the malware creators is that they would need a lot of time on their hands to go through hours of Skype audio files to find anything of monetary interest." The idea is so obvious that this is likely why we haven't seen this before.
    • by girlintraining (1395911) on Sunday August 30, 2009 @08:41PM (#29255945)

      "The downside for the malware creators is that they would need a lot of time on their hands to go through hours of Skype audio files to find anything of monetary interest."

      You seem to be laboring under the idea that using speech recognition software would not occur to these people, or that the cost of transcription would be higher than the benefit received. First, it's already in widespread use in certain industries. Second, some targets are going to yield much better information than others -- you're correct that if you target a 100,000 random skype phone conversations you won't get much. But what if you only targeted people using it between the hours of 9am and 5pm and had job titles and functions associated with financial data?

      Suddenly, you've got yourself a viable criminal enterprise.

      • by Barny (103770)

        Throw in blacklisting the skype-to-skype calls, then whitelist all the calls to known bank numbers, IRS etc.

        Grind the whitelisted stuff first, then if you have extra cycles work on all the stuff in the middle :)

        Oh, and don't restrict 9-5pm if there are DTMF codes, someone may be doing phone banking ;)

      • "You seem to be laboring under the idea that using speech recognition software would not occur to these people"

        You seem to be laboring under the idea that speech recognition software really works.

    • Targeted malware is a real threat, and even if the attacker hasn't narrowed it down to a particular person of interest, it would still be possible to narrow down the relevant audio based on accompanying text messages and file transfers. The audio just before and after "Keep this confidential" in the text chat and "Tender Offer Pricing.xls" would draw an inside trader's attention, for example.

  • by AgentOJ (320270) on Sunday August 30, 2009 @08:10PM (#29255765)

    It appears that a guy named Ruben Unteregger published the source code on his site at http://www.megapanzer.com/source-code/#skypetrojan [megapanzer.com]

    According to his site, he removed a plugin system from the source as well as code to bypass firewalls, but he'll add it back in at a later date.

    From looking at the source, this is heavily geared toward Windows, so the current iteration of the source doesn't affect OS X at this time.

  • by jonwil (467024) on Sunday August 30, 2009 @08:12PM (#29255779)

    Given all the DRM Microsoft is adding to Windows at the behest of the MPAA and RIAA, I am surprised that an app can even GET access to the raw audio anymore.

    • Sorry, and I know I'll look like an idiot in ten years when it happens, but how could an OS deny access to camera, speakers, and microphone to all applications without a major (noticeable, uproar-inducing) functionality decrease?

      Furthermore, I doubt it's stealing audio at the hardware level, it seems talking the audio from Skype as it is sent / received would be a better plan.
      • by icebike (68054) on Sunday August 30, 2009 @08:51PM (#29256005)

        Audio (and everything else) sent by skype is encrypted.

        That is why you need to install a Trojan ON the target machine. This Trojan grabs it AFTER it has been decrypted by skype.

        Because it is running local it should be detectable.

        Because they chose the trojan route, you can be reasonably assured that breaking the encryption is harder and more troublesome than sneaking into your house and installing a trojan or tricking you into installing it for them.

        • Audio (and everything else) sent by skype is encrypted.

          [...]

          Because they chose the trojan route, you can be reasonably assured that breaking the encryption is harder and more troublesome than sneaking into your house and installing a trojan or tricking you into installing it for them.

          For some of them. Unless users have a way to exchange their public keys in a reliable PKI through a secure channel (and not involving the provider at least as far as the private ones are concerned, which moreover have to be immune even to physical access to local storage), they can't be sure that nobody else will ever compromise their conversations.

          • by icebike (68054)

            For some of them. Unless users have a way to exchange their public keys in a reliable PKI through a secure channel

            Well Skype is similar to SSL in that department.
            And we all know how secure that is.

            Oh, wait....

  • So what? (Score:2, Funny)

    by Anonymous Coward

    This is no worse than the US Department of Homeland Security does on an ordinary weekday. So, why should I be concerned? I don't have anything to worry about, since I don't have anything I need to hide! We should trust the hackers to use their authority responsibly.

    • "Anonymous Coward"?
    • by jamstar7 (694492)

      This is no worse than the US Department of Homeland Security does on an ordinary weekday. So, why should I be concerned? I don't have anything to worry about, since I don't have anything I need to hide! We should trust the hackers to use their authority responsibly.

      How about if you brag to your buddy on the fone how much you ripped the government off with that nifty tax dodge you found out about?

      Howbout if you bitch about how much of your taxes go to support something the Powers That Be are totally for, an

  • Symantec should read (Score:5, Informative)

    by zcold (916632) on Sunday August 30, 2009 @09:22PM (#29256175) Homepage
    Slashdot... Didnt the person who created this release this open source before the weekend?? Symantec is a little slow on the ball... http://it.slashdot.org/story/09/08/26/144249/Coder-of-Swiss-Wiretapping-Trojan-Speaks-Out [slashdot.org]
    • by zcold (916632)
      looks like im a little slow on the ball too, looks at above posts... (after the fact)
    • by Valdrax (32670)

      Considering that this has thus been posted twice, maybe Slashdot should read Slashdot.

      • by shaitand (626655)

        It would be much more clever to post a dupe story with links that point to the first slashdot story.

  • dupe dupe dupe, dupe of earl, dupe dupe, dupe of earl...

  • by marciot (598356) on Monday August 31, 2009 @12:49AM (#29257287)

    I'm gonna call myself and play all my CDs through Skype. That way the RIAA will unleash their pack of lawyers on the scammer who illegally downloads all those songs as MP3s off my computer.

  • I notice that "tapping" Skype is always a matter of compromising one of the end points. I presume it's harder to tap Skype in transit as traffic can take any old route via the Internet - or that's the impression we should get.

  • Now, this WOULD be news or at least newsworthy if there was a program that allows a MITM attack to encrypted Skype communication. But let's be honest, what do we have here?

    1) A program, installed on the affected computer
    2) Which messes with what's being done by a certain other program
    3) Which creates a log of the data being sent to and from this program (after decryption of said data)
    4) Wich sends that data to a predetermined server

    That's not news. That's been done for at the very least 5 years now. The dif

  • Once a friend in the IT security mentioned that he'll install Skype only on a carefully firewalled virtual machine, with nothing else on it. Now there is one more reason to believe him. 'Skype' and 'securoty' just don't go well together.
  • But Skype users are NOT the intended customer. Seriously, this being no big suprise along with it's closed source and Z-fone incompatibility, makes Skype a real loser. The only thing that makes them attractive is they have marketshare. People love being able to search other people they already know (as facebook) and connect with them, regardless of the applications insecure nature.
  • I find the hype on this very misleading. Once I install an operating system modification that exists in the address space of an application, I can fairly well do whatever I want. This one happens to target Skype. Similar ones could just as easily have targeted browser login's and passwords, or ssh.
  • Worst Job Ever: Being the poor guy that has to listen to all these random conversations in the hopes that something not retarded will be said...

  • So we discuss "Coder of Swiss Wiretapping Trojan Speaks Out" on Aug 26; http://it.slashdot.org/article.pl?sid=09/08/26/144249 [slashdot.org], in which TFS says: "Last night, he published the source code of his Skype-Trojan under the GPL." (http://www.megapanzer.com/2009/08/25/skype-trojan-sourcecode-available-for-download/), and now the Einsteins at Symantec "claims to have found the public release of source code". Fucking brilliant.

A sheet of paper is an ink-lined plane. -- Willard Espy, "An Almanac of Words at Play"

Working...