
Skype is one of the most popular VoIP programs, installed on millions of computers around the world whose owners do not even realize what danger they face. And the danger is very serious: leakage of confidential information, penetration by worms and consumption of traffic, not to mention such trifles as Skype's refusal to work while SoftICE is active. I have gnawed through it thoroughly and now put the results of my labour on public display :).

Skype was created by the founders of the notorious Kazaa and inherited its ancestor's worst features: it works on the principle of a self-organizing distributed peer-to-peer (P2P) network. Skype is a black box with a multi-level encryption system and an executable stuffed with anti-debugging tricks, which reads confidential information from the computer and transmits it over the network via a closed protocol. That protocol bypasses firewalls and masks its traffic heavily, preventing it from being blocked. All this makes Skype an ideal carrier for viruses, worms and drones, which can build their own distribution networks inside the Skype network. In addition, Skype treats your machine's resources rather cavalierly, using it to relay communication between other nodes of the Skype network, loading the CPU and generating a powerful flow of traffic. And traffic, as is known, is rarely free (especially in Russia), so the apparently free calls are rather conventional: the owners of "thick" channels pay for the nodes with "thin" ones.

Skype has been studied extensively in laboratories and by hacker and security organizations around the world, and most researchers unanimously agree that Skype is a diabolically clever program written by undeniably talented people in the style of black magic. Skype does not shy away from dirty tricks and creates huge problems, which I am going to describe.

Analysis of the Skype executable

The Skype client executable is a true masterpiece of the hacker's art, which has absorbed many interesting and quite powerful defense mechanisms. Countering them requires not only powerful tools (debugger, disassembler, dumper, etc.) and knowledge and skills, but also a lot of free time.

The binary is completely encrypted and is decrypted dynamically as it is loaded into memory. Dumping it is not possible, or more precisely it is hindered by the fact that the start-up code is wiped after unpacking, so the exe we obtain does not run. The original import table contains nothing interesting; API functions are bound during unpacking. Code integrity checks are executed from different places in random order (mostly on incoming calls), so finding the protection routines is a highly non-trivial task, especially since they are based on RSA cryptographic signatures and equipped with polymorphic generators that randomly permute ADD, XOR, SUB and other instructions, mixing them with junk machine instructions.

Static function calls (to hard-coded addresses) practically never occur; all relevant procedures are called through dynamically computed pointers passed through obfuscators. Consequently a disassembler will not help us here, and we must take up the debugger.

The debugger deserves a separate discussion. Skype recognizes SoftICE even with IceExt installed, and flatly refuses to run. This is funny, because SoftICE is far from the only debugger capable of breaking Skype: there are other tools of this kind, first among them The Rasta Ring 0 Debugger, abbreviated RR0D, which the Skype client cannot detect and which, as its name implies, operates at the kernel level. In principle an application-level debugger can also be used (for example the rapidly growing in popularity OllyDbg), but it is important to remember that Skype easily detects software breakpoints, which are single-byte machine instructions with opcode CCh overwriting the code being debugged. To prevent step-by-step tracing, Skype measures the run time of certain sections of code; to get past these, one has to use a full PC emulator with an integrated debugger, for example the famous BOCHS.

Finally, when the executable has been unpacked and all checks have passed, the protection converts the checksums into a pointer to which control is transferred, and Skype awakens.

The unpacking sequence of the executable file

Anti-debugging techniques by which Skype detects a loaded SoftICE

The problem is that Skype watches its own integrity, which is why an attempt to patch the jnz to a jmp short works only until the first incoming call, after which Skype crashes and does not come back up. Especially for such ingenious protections, an on-line patching technique was developed back in MS-DOS days: the program is patched directly in memory, and once the SoftICE check has passed, the patch is rolled back so as not to disturb the integrity verification.

A quick trace of Skype in OllyDbg to identify the protection code that checks for the presence of SoftICE

Architecture of the distributed network

At the atomic level the Skype network consists of ordinary nodes (normal/ordinary node/host), abbreviated SC (Skype Client), and super nodes (super node/host), abbreviated SN. Any node that has a public IP address (one that is routable on the Internet) and a wide enough channel automatically becomes a super node and relays the traffic of ordinary nodes through itself, helping them overcome protections such as firewalls or network address translators (NAT) and distributing the load evenly among hosts. This is the essence of a self-organizing distributed decentralized peer-to-peer network; the only central element is the Skype login server, which is responsible for authorizing Skype clients and ensuring the uniqueness of names across the entire distributed network.

It is important to emphasize that communication between nodes is carried out not directly but through a chain of super nodes. There are no servers in the conventional sense (as in the eDonkey network) in the Skype network. Any node with an installed Skype client is a potential server, which it automatically becomes when it has sufficient system resources (RAM, CPU speed and network channel bandwidth).

Each node of the Skype network maintains a list of IP addresses and ports of known super nodes in a dynamically updated cache table (Host Cache Table, HC table). Starting with Skype version 1.0, the cache table is a simple XML file written unencrypted to disk in the user's home directory.

The structure of the decentralized self-organizing peer-to-peer Skype network

For a fee, Skype clients can receive incoming calls from regular phones and place such calls. However, the servers involved cannot participate in PC2PC exchange, so we will not dwell on them.

How Skype bypasses firewalls

The exchange protocol between Skype clients is completely undocumented, so all information about it has been obtained by reverse engineering: disassembling Skype clients, analyzing intercepted network traffic, etc. Because there are many significantly different versions of the Skype client, the protocol description may contain inaccuracies; in any case, no open-source client has appeared yet.

Immediately after launch, the Skype client opens a TCP port and a UDP port. Their numbers are chosen randomly during installation and can be modified at any time through the configuration dialog, which makes blocking Skype traffic at the firewall difficult. In addition, Skype opens ports 80 (HTTP) and 443, but they are not vital, and even if they are blocked, Skype is not upset.

The structure of an IP packet when Skype works over UDP

The situation is complicated by the fact that Skype encrypts its traffic, using advanced obfuscation that prevents extracting a permanent signature from the header fields. The encryption algorithms change from version to version; special versions are also released for countries whose laws impose restrictions on key length or on the permitted cryptographic algorithms. But on the whole the encryption mechanism looks as shown.

The encryption mechanism used by Skype

Skype clients are extremely adept at getting past firewalls and network address translators, seeping through them via the well-known STUN and TURN protocols. STUN has already entered the Bible of the Internet and is described in detail in RFC 3489. As for TURN, it is still in development and only a draft of the standard is currently available: www.jdrosen.net/midcom_turn.html.

So, from the legal point of view, Skype's actions are lawful and do not fall under any statute. STUN, which stands for Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), is an excellent tool that nevertheless suffers from a number of limitations and does not work in the following cases:

  1. if the path to the external network is blocked by a spiteful firewall that cuts off all UDP;
  2. if on the path to the external network there is a symmetric NAT.

Well, the firewall case is clear: if UDP is closed, there is no way to open it. But what kind of beast is a symmetric NAT? Without going into technical details, a symmetric NAT is a variety of the ordinary translator that requires the destination IP address and port of the translated packet to correspond to the external IP address and port. If the same host sends packets from the same source IP address and port to different destinations, the NAT has to translate them to different external ports. Thus, for an external host to send a UDP packet to an internal node, it must first receive a request from that internal node. The external node cannot initiate the connection on its own, because the NAT does not know which internal IP and port an unexpectedly arriving UDP packet should be translated to.
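The difference described above is easiest to see in a simulation. The following is an added example, not code from the article: it models a cone NAT (endpoint-independent mapping) and a symmetric NAT (mapping keyed on the destination as well), then replays the STUN scenario, where the client learns its reflexive address from a STUN-like server and a peer tries to send to that address first. All addresses are constructed from the RFC 5737 documentation ranges, and the class and function names are my own.

```python
import itertools


class ConeNat:
    """Endpoint-independent mapping: one external port per internal (ip, port),
    regardless of whom the internal host talks to; anyone may send to that port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = itertools.count(40000)   # constructed port allocator
        self.map = {}                          # (int_ip, int_port) -> ext_port
        self.reverse = {}                      # ext_port -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        key = (int_ip, int_port)
        if key not in self.map:
            port = next(self._ports)
            self.map[key] = port
            self.reverse[port] = key
        return (self.public_ip, self.map[key])

    def inbound(self, src_ip, src_port, ext_port):
        # Delivered to whichever internal socket owns the external port, or dropped.
        return self.reverse.get(ext_port)


class SymmetricNat:
    """Mapping depends on the destination too: the same internal socket talking to a
    different destination gets a different external port, and only that destination
    may answer on it. This is the case the article says STUN cannot handle."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = itertools.count(40000)
        self.map = {}        # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.reverse = {}    # ext_port -> (int_ip, int_port, dst_ip, dst_port)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        key = (int_ip, int_port, dst_ip, dst_port)
        if key not in self.map:
            port = next(self._ports)
            self.map[key] = port
            self.reverse[port] = key
        return (self.public_ip, self.map[key])

    def inbound(self, src_ip, src_port, ext_port):
        entry = self.reverse.get(ext_port)
        if entry is None or (src_ip, src_port) != (entry[2], entry[3]):
            return None      # unsolicited, or from a peer this mapping was not created for
        return entry[:2]


# Constructed endpoints (RFC 5737 documentation addresses).
CLIENT = ("10.0.0.2", 5000)
STUN_SERVER = ("198.51.100.1", 3478)
PEER = ("203.0.113.7", 6000)


def stun_then_peer_sends_first(nat):
    """Client discovers its reflexive address through the STUN-like server, passes it to
    the peer out of band, and the peer sends the first packet. Returns
    (reflexive_address, delivered_to); delivered_to is None if the NAT dropped it."""
    reflexive = nat.outbound(*CLIENT, *STUN_SERVER)
    delivered = nat.inbound(*PEER, reflexive[1])
    return reflexive, delivered


def client_sends_first(nat):
    """The fix the article describes: the internal node contacts the peer first, so a
    mapping for that peer exists. Returns (ext_port_toward_peer, delivered_to)."""
    ext_ip, ext_port = nat.outbound(*CLIENT, *PEER)
    return ext_port, nat.inbound(*PEER, ext_port)


if __name__ == "__main__":
    for cls in (ConeNat, SymmetricNat):
        nat = cls("192.0.2.10")
        print(cls.__name__, "peer first:", stun_then_peer_sends_first(nat))
        print(cls.__name__, "client first:", client_sends_first(nat))
```

On the cone NAT the STUN-learned port is reachable from any external host, so the peer's first packet is delivered; on the symmetric NAT the same port was allocated for the STUN server only, the peer's packet is dropped, and once the client does send to the peer it is given a different external port. That is exactly why a relay (TURN) is needed in the symmetric case.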

This problem is solved by the TURN protocol (Traversal Using Relay NAT), whose technical details are described at the address above and are of no interest to most readers. Much more important is that TURN significantly increases latency and loses large numbers of UDP packets (packet loss), which does not affect connection quality and stability in the best way; but a complete lack of connectivity is even worse. So Skype users should rejoice rather than complain!

Skype network structure with a Skype client behind NAT and firewalls

Administrators, however, for some reason do not share this joy, and tightly close UDP traffic (especially since most normal programs do not need it). After grumbling a little for decency's sake (bricked up, bitch!), Skype automatically switches to pure TCP, which the administrator cannot afford to cut off. True, having conjured over the firewall, he can close all unused ports, but the trick is that unused ports do not exist in nature! When connecting to a remote host, the operating system assigns each client a free TCP/UDP port from which packets will be sent. That is, if we connect to a web server on port 80, our local port may be 1369, 6927 or some other. By closing all ports, we lose the ability to establish any TCP/UDP connection at all!

The only way out is to cut all network users off from direct access to the Internet, forcing them to go through a proxy server. However, even such draconian measures will not solve the problem, because Skype simply reads your browser's configuration and uses the proxy server as its own!

Skype operating through a proxy server whose configuration was read from the browser settings

How to block Skype traffic

Skype's developers caution administrators against attempts to identify and block its traffic (in the vein of "you won't get anywhere anyway!"). And indeed, recognizing Skype traffic is very difficult: it can only be blocked by content, which is encrypted and contains no predictable sequences. Fortunately for administrators, the creators of Skype, for all their genius, made a few missteps, leaving part of the traffic unencrypted. The UDP connection uses an open protocol to obtain the public IP addresses of super nodes, which can readily be found with a packet sniffer. That's one. The TCP connection uses the same RC4 stream twice, which allows recovering the first 10 bytes of the key by decrypting part of the permanent header fields of the Skype protocol. That's two! Incidentally, a very useful thing for eavesdropping on other people's conversations! But I am not aware of any ready-made Skype traffic blocker, and writing my own I am too lazy for, and there is no time.

Reuse of the RC4 stream allows recovering 10 of the 12 key bytes, decrypting Skype traffic

Identifying and blocking UDP traffic is much easier. Each frame begins with a two-byte identification number (ID) and the packet type (payload). Embedded in the UDP packet is a 39-byte NACK packet, passed through obfuscators and containing the following information:

  • packet ID (not constant; varies from packet to packet);
  • function number (func), passed through obfuscators, but func & 8Fh always equals 7h;
  • sender IP;
  • receiver IP.

Thus, to block the UDP traffic generated by Skype, it is enough to add one firewall rule:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

(The u32 offsets are counted from the start of the IP header: the '27&0x8f=7' test loads four bytes at offset 27 and masks all but the last, the func byte at offset 30; the '31=0x527c4833' test compares the following four bytes.)

The structure of the NACK packet

Unfortunately, blocking UDP traffic does not solve anything, because Skype automatically switches to TCP, but here there is one small hitch. The headers of incoming IP packets belonging to the SSL key-exchange protocol (SSL key-exchange packets) contain an identifier, 170301h, that is unusual for "normal" applications, returned in response to a request with the identifier 160301h (SSL version 3.1 by default). Thus, blocking all incoming packets containing the header 170301h will seriously puzzle Skype, and the current version will stop working. The only question is for how long...

Recognizing Skype traffic by the unusual identifier during the call to the login server for the SSL key exchange
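To see exactly what the iptables rule above matches, and what the 170301h check matches, here is an added example (not code from the article) that reimplements both tests over raw IPv4 packets in Python. The u32 emulation counts offsets from the start of the IP header, as the kernel module does. The packets are constructed for the demonstration, not captures: the NACK payload follows the field order the article lists (2-byte ID, func byte, sender IP, receiver IP), with func = 0x77 to show that only the 8Fh-masked bits matter. Note that a payload beginning 17 03 01 is simply a TLS 1.0 application-data record, so the second test characterizes the flow the article describes rather than uniquely identifying Skype.

```python
import struct
import ipaddress

IP_HDR_LEN = 20
UDP_HDR_LEN = 8


def build_ipv4(proto, src, dst, transport):
    """Minimal IPv4 header (no options, checksum left zero), for offline testing only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(transport),
                      0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + transport


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data


def build_tcp(sport, dport, data):
    # data offset 5 words (20 bytes), flags PSH|ACK, window 8192, checksum/urgent zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def u32(pkt, offset, mask, value):
    """Emulate one iptables u32 test 'offset&mask=value': a 4-byte big-endian load
    at the given offset from the start of the IP header."""
    if len(pkt) < offset + 4:
        return False
    word = struct.unpack("!I", pkt[offset:offset + 4])[0]
    return (word & mask) == value


def is_skype_udp_nack(pkt):
    """Same test as the article's rule: UDP, IP total length 39,
    u32 '27&0x8f=7' (the func byte at offset 30) and u32 '31=0x527c4833'."""
    if len(pkt) < IP_HDR_LEN or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return False
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len != 39 or len(pkt) != total_len:
        return False
    return u32(pkt, 27, 0x8f, 7) and u32(pkt, 31, 0xffffffff, 0x527c4833)


def tls_record_header(pkt):
    """Return the first three bytes of the TCP payload as an int (e.g. 0x170301), or None."""
    if len(pkt) < IP_HDR_LEN or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0f) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + data_off:]
    if len(payload) < 3:
        return None
    return int.from_bytes(payload[:3], "big")


def is_ssl31_appdata(pkt):
    """True if the TCP payload starts with the 17 03 01 header the article points at."""
    return tls_record_header(pkt) == 0x170301


def classify(pkt):
    if is_skype_udp_nack(pkt):
        return "skype-udp-nack"
    if is_ssl31_appdata(pkt):
        return "ssl31-appdata"
    return "other"


# Constructed sample packets (not real captures).
NACK_PAYLOAD = bytes([0x12, 0x34, 0x77]) + bytes.fromhex("527c4833") + bytes.fromhex("c0a80105")
SAMPLE_NACK = build_ipv4(17, "192.168.1.5", "82.124.72.51",
                         build_udp(41234, 33033, NACK_PAYLOAD))
# Same size and addresses, but func = 0x08 fails the '&0x8f=7' test.
OTHER_PAYLOAD = bytes([0x12, 0x34, 0x08]) + bytes.fromhex("527c4833") + bytes.fromhex("c0a80105")
SAMPLE_OTHER_UDP = build_ipv4(17, "192.168.1.5", "82.124.72.51",
                              build_udp(41234, 33033, OTHER_PAYLOAD))
# TCP segment whose payload is a TLS 1.0 application-data record header (17 03 01, length 0x2a).
SAMPLE_TLS = build_ipv4(6, "82.124.72.51", "192.168.1.5",
                        build_tcp(443, 51000, bytes.fromhex("170301002a") + b"\x00" * 42))

if __name__ == "__main__":
    for name, pkt in (("nack", SAMPLE_NACK), ("other-udp", SAMPLE_OTHER_UDP), ("tls", SAMPLE_TLS)):
        print(name, len(pkt), classify(pkt))
```

Run as a script it prints the length and classification of each sample; the same functions can be applied to IP packets pulled from a pcap to confirm what a rule would drop before it is deployed.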

Other hardware and software can be used to detect and block Skype traffic, for example PRX from Ipoque or Cisco Network-Based Application Recognition (NBAR). However, they are not effective enough, because Skype's developers do not sit idle: as soon as someone finds a reliable way to block its unclean traffic, in the next versions the bastard reappears.

Army of drones, or Skype zombies

The low cost of voice calls caused a rapid rise in Skype's popularity; as of April 27, 2006, according to official figures, its network numbered over 100 million registered users. And today over 700,000 people make at least one Skype call a day! It is easy to predict that within a short time Skype will be on the lion's share of Internet hosts, which has both a positive and a negative side.

Hackers have long guessed that Skype can be used to spread viruses and organize distributed attacks that are very difficult to prevent: Skype traffic is securely encrypted and cannot be analyzed by anti-virus, blocked by firewalls or detected by intrusion detection systems.

Naturally, to capture a Skype node the attacker must find a way to deliver malicious code to it, which with all the security measures he should not be able to do. But, like any other software, Skype is prone to errors, including overflows, one of which was discovered on Sept. 25, 2005. It has long since been fixed and is only of historical interest, but it is still worth getting acquainted with (which can be done at Skype.com/security/Skype-sb-2005-03.html or seclists.org/fulldisclosure/2005/Oct/0533.html).

The ability to transfer control to shell code allows an attacker to take over any Skype node, as well as all the super nodes known to it, and so on. A global threat looms over the distributed network, and it is a miracle that it has not yet ended in disaster. However, as practice shows, where one mistake has been found, sooner or later others appear. Closed source and a mass of anti-debugging tricks (which complicate testing the program) only contribute to this!

Another dangerous "goodie" of Skype is its open API. Meeting other developers halfway, the creators of Skype made it possible to integrate any application with the Skype client. True, a stern warning is displayed that such-and-such a program wants to use the Skype API: allow it, or send it packing? Naturally, most users answer such questions in the affirmative. Already accustomed to annoying warnings, they instinctively press "Yes", and only then start to think about what they have actually allowed.

Clearly, to use the Skype API, a malicious program must somehow be delivered to the computer. Previously e-mail was used for this, and it is successfully filtered by anti-virus software, yet millions of users still run executable attachments. Now Skype itself can be used to send viruses. A local anti-virus is the only means of defense with any potential to repel the attack. But even if it is installed, it cannot identify a virus unknown to science, even the freshest anti-virus cannot (heuristics still work more for advertising than for the final result).

It is important that the Skype protocol has already been partially decoded and hacking tools have been created that interact with Skype nodes from non-standard Skype clients, and even without the registration server! And although the matter is currently limited to merely collecting addresses of super nodes, there is a theoretical possibility of building one's own distributed networks on top of the Skype network; the developers' main mistake is that Skype nodes unconditionally trust each other, and the whole "security" rests only on the closedness of the protocol.

Geographical distribution of Skype super nodes on the planet


Concluding the article, I would like to ask: what else have the creators of Skype hidden in the depths of their code? Why, distributing the program for free, did they keep the source closed and use a closed protocol, thereby arousing distrust from a security standpoint? Why does free software need such fancy protection, which reduces performance and consumes large amounts of memory, when nobody is going to crack it anyway? Why is the Skype client implemented as a black box?

A rhetorical question. But my gut tells me that all this is not without reason!