- Hacker № 04/07 (100)
- Skype - The Phantom Menace
- Chris Kasperski
- Hacker, issue #100, page 064
- Chris has a go at Skype
- Skype is one of the most popular VoIP applications, installed on millions of computers around the world whose owners do not even suspect what danger they face. And the danger is quite serious: from leaks of confidential information to the penetration of worms and the hijacking of traffic, not to mention such trifles as Skype's refusal to work while SoftICE is active. I have gnawed on it with pleasure, and the products of that digestion are now on display for all to see :).
- Skype, created by the founding fathers of the notorious Kazaa and inheriting the worst of its ancestor's traits, works on the principle of a self-organizing distributed peer-to-peer network (P2P). Skype is a black box with multi-level anti-debugging techniques, topped off with encryption of the executable file; it reads confidential information from the computer and transmits it over the network using a proprietary protocol. That protocol bypasses firewalls and heavily disguises its traffic, preventing it from being blocked. All of this makes Skype an ideal carrier for viruses, worms and bots that build their own distributed networks inside the Skype network. In addition, Skype rather unceremoniously helps itself to the resources of your host, using it to relay communication between other nodes of the Skype network, loading the CPU and generating a hefty stream of traffic. And traffic, as is well known, is rarely free (especially in Russia), so the apparently free calls are rather conventional: the owners of "thick" channels pay for the hosts sitting on "thin" ones.
- Skype is being actively studied in the laboratories of hackers and security organizations around the world, and most researchers unanimously agree that Skype is a devilishly clever program, written by undeniably talented people in the style of black magic art. Skype does not shy away from dirty tricks, and they create enormous problems, which I am going to tell you about.
- Analysis of the executable file
- The executable file of the Skype client is a true masterpiece of the hacker's art, having absorbed many interesting and quite powerful defense mechanisms. Countering them requires not only powerful tools (debuggers, disassemblers, dumpers, etc.) and knowledge/skills, but also a lot of free time.
- The binary is completely encrypted and is decrypted dynamically as it is loaded into memory. Moreover, it cannot be dumped, or rather, dumping is complicated by the fact that after start-up the code is wiped, so the result is an exe that does not run. The original import table contains nothing of interest; the API functions are bound during unpacking. Integrity checks of the code are executed from different places in random order (mostly on incoming calls), so searching for the protective routines is a highly non-trivial task. Especially since they are based on cryptographic RSA signatures and have polymorphic generators that randomly rearrange the ADD, XOR, SUB, etc. instructions, mixing them with junk machine instructions.
- Static function calls (to a hard-coded address) practically never occur; all the important procedures are called through dynamically computed pointers mangled by obfuscators. Consequently, a disassembler will not help us here, and we have to take up a debugger.
- But the debugger deserves a separate discussion. Skype recognizes SoftICE even with IceExt installed, flatly refusing to start. It is funny, because for hacking Skype the SoftICE debugger is not really needed, since there are other tools of this kind, among which I would especially like to mention The Rasta Ring 0 Debugger, abbreviated RR0D, which is not detected by the Skype client and, as its name implies, works at the kernel level. In principle, an application-level debugger can also be used (for example, the rapidly rising OllyDbg). It is only important to remember that Skype easily detects software breakpoints, which are a single-byte machine instruction with opcode CCh overwriting the code being debugged. To prevent single-step tracing, Skype measures the execution time of certain parts of the code; to get through those, one has to use a full-fledged PC emulator with an integrated debugger, such as the famous BOCHS.
- Finally, when the executable is unpacked and all checks have passed, the protection converts the checksums into a pointer to which control is transferred, awakening Skype.
- The problem is that Skype watches its own integrity, so an attempt to patch jnz to jmp short works only until the first incoming call, after which Skype crashes and will not come back up. For exactly such ingenious defenses, back in the days of MS-DOS, the on-line patching technique was developed, in which the program is corrected directly in memory and, after the SoftICE presence check has been passed, the patch is rolled back so as not to disturb the integrity verification.
- Architecture of the distributed network
- At the atomic level, the Skype network consists of ordinary nodes (normal/ordinary node/host), denoted by the abbreviation SC (Skype Client), and super nodes (super node/host), denoted by the abbreviation SN. Any node that has a public IP address (one routable from the Internet) and a sufficiently wide channel automatically becomes a super node and drives the traffic of ordinary nodes through itself, helping them to overcome firewall-type protection and network address translators (NAT) and evenly distributing the load between hosts. This is the essence of a self-organizing, distributed, decentralized peer-to-peer network; the only central element is the Skype login server, which is responsible for authorizing Skype clients and ensures the uniqueness of names across the entire distributed network.
- It is important to emphasize that the connection between nodes is established not directly but through a chain of super nodes. Servers in the conventional sense of the word (as in the eDonkey network) do not exist in the Skype network. Any node with the Skype client installed is a potential server, which it automatically becomes if it has sufficient system resources (RAM, processor speed and network bandwidth).
- Each node in the Skype network keeps a list of the IP addresses and ports of the super nodes known to it in dynamically updated cache tables (Host Cache Tables, HC tables). Starting with Skype version 1.0, the cache table is a simple XML file, written to disk in unencrypted form in the user's home directory.
- For a fee, Skype clients can receive incoming calls from regular phones and place such calls themselves, which goes through special servers. However, these servers do not participate in PC2PC exchange, so we will not dwell on them.
- How Skype bypasses firewalls
- The exchange protocol between Skype clients is completely undocumented, and therefore all the information about it was obtained by reverse engineering: disassembling the Skype client, analyzing intercepted network traffic, etc. Because there are many significantly differing versions of the Skype client, the protocol description may contain inaccuracies; in any case, nobody has yet published an open-source client.
- Immediately after launch, the Skype client opens a TCP and a UDP port. Their numbers are chosen randomly during installation and can be changed at any time through the configuration dialog, which makes blocking Skype traffic at the firewall difficult. In addition, Skype opens ports 80 (HTTP) and 443, but they are not vital, and even if they are blocked, Skype is not upset.
- The situation is complicated by the fact that Skype encrypts its traffic, using advanced techniques to actively obfuscate it and prevent any permanent signature from being extracted from the header fields. The encryption algorithms vary from version to version; moreover, a number of special versions are produced for countries whose laws impose restrictions on key length or on the choice of cryptographic algorithms. But on the whole the encryption mechanism is as shown in the figure.
- Skype clients deal very delicately with firewalls and network address translators, seeping through them by means of the well-known STUN and TURN protocols. The STUN protocol has already entered the Internet's bible and is described in detail in RFC 3489 (www.rfc-archive.org/getrfc.php?rfc=3489). As for TURN, it is still under development, and only a rough draft of the standard is currently available: www.jdrosen.net/midcom_turn.html.
- So, from a legal point of view, Skype's actions are lawful and do not fall under any article of the criminal code. STUN, which stands for Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), is an excellent tool which, however, suffers from some restrictions and does not work in the following cases:
- if an angry firewall that cuts off all UDP sits on the path to the external network;
- if a symmetric network address translator sits on the path to the external network.
- Well, the firewall case is clear. If UDP is closed, it is not going to open. But what is this symmetric network address translator (symmetric NAT) thing? Without going into technical details, let us say that a symmetric NAT is a variant of the ordinary translator which requires that the destination IP address and port of the translated packet coincide with the external IP address and port. If the same node sends packets with the same source IP address and port in different directions, NAT has to translate them to different ports. Thus, for an external host to send a UDP packet to an internal node, it must first receive a request from that internal node. An external node cannot initiate a connection on its own, because NAT does not know to which internal IP and port the UDP packet that suddenly landed on it should be translated.
- This problem is solved by the TURN protocol (Traversal Using Relay NAT), whose technical details are described at the address above and are completely uninteresting to most readers. What matters more is that TURN significantly increases latency and loses a large number of UDP packets (packet loss), which does not affect the quality and stability of communication in the best way, but a complete lack of communication is even worse. So Skype users should rejoice, not complain!
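The following toy model is an added example, not code from the article: it shows why the public port a client learns from a STUN server is reusable behind a cone NAT (modeled here as full-cone) but useless behind a symmetric NAT, which is the case the text says forces Skype onto a TURN relay. All endpoints and addresses are constructed.

```python
from itertools import count


class Nat:
    """Toy NAT. Cone: one external port per internal (ip, port).
    Symmetric: one external port per (internal endpoint, destination endpoint)."""

    def __init__(self, public_ip: str, symmetric: bool) -> None:
        self.public_ip = public_ip
        self.symmetric = symmetric
        self._ports = count(40000)   # external ports handed out in order
        self._out = {}               # mapping key -> external port
        self._in = {}                # external port -> (internal endpoint, destination)

    def _key(self, src, dst):
        return (src, dst) if self.symmetric else src

    def outbound(self, src, dst):
        """Internal `src` sends to external `dst`; returns the public (ip, port) used."""
        key = self._key(src, dst)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._in[port] = (src, dst)
        return self.public_ip, self._out[key]

    def inbound(self, ext_port, sender):
        """External `sender` sends to our public `ext_port`; returns the internal
        endpoint the packet is delivered to, or None if the NAT drops it."""
        entry = self._in.get(ext_port)
        if entry is None:
            return None
        src, dst = entry
        # A symmetric NAT only forwards packets from the destination the mapping was made for.
        if self.symmetric and sender != dst:
            return None
        return src


def stun_then_peer(symmetric: bool):
    """Client learns its public port from a STUN server, passes it to a peer out of
    band, and the peer sends straight to it. Returns
    (port reported by STUN, port the NAT uses toward the peer, peer packet delivered)."""
    nat = Nat("203.0.113.1", symmetric)
    client = ("192.168.0.10", 5555)           # constructed addresses
    stun_server = ("198.51.100.7", 3478)
    peer = ("198.51.100.99", 33333)
    _, stun_port = nat.outbound(client, stun_server)     # STUN binding request
    delivered = nat.inbound(stun_port, peer) == client   # peer tries the STUN-learned port
    _, peer_port = nat.outbound(client, peer)            # client now sends to the peer itself
    return stun_port, peer_port, delivered
```

Behind the symmetric NAT the client gets a second external port for the peer, so the port STUN reported is never the one the peer needs.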
- The only ones who do not share this joy are administrators, who tightly close UDP traffic (especially since the majority of normal programs do not need it). After grumbling a little for decency's sake (walled in, the demons!), Skype automatically switches to pure TCP, which the administrator will not be allowed to cut off. True, one could conjure over the firewall so that it closes all unused ports, but that's just it: unused ports do not exist in nature! When connecting to a remote node, the operating system assigns the client any free TCP/UDP port to which reply packets will be sent. That is, if we connect to a web server on port 80, our local port might be 1369, 6927 or something else entirely. After closing all ports, we lose the ability to establish TCP/UDP connections at all!
- The only way out is to cut all LAN users off from direct Internet access, forcing them to go through a proxy server. However, even such draconian measures will not solve the problem, because Skype simply reads your browser's configuration and uses the proxy server as if it were its own mother!
- How to block Skype traffic
- Skype's developers have warned administrators against trying to identify and block its traffic (something like: "You won't manage it anyway!"). Indeed, recognizing Skype traffic is very difficult, as it can only be blocked by content, which is encrypted and contains no predictable sequences. Fortunately for administrators, the creators of Skype, for all their genius, made a few missteps, leaving part of the traffic unencrypted. UDP connections use an open protocol for obtaining the public IP addresses of super nodes, which can be detected by a traffic analyzer. That's one. TCP connections use the same RC4 stream twice, which allows the first 10 bytes of the key to be recovered, decrypting the header fields of the regular Skype protocol. That's two! By the way, a very useful thing for spying on other people's conversations! However, I do not know of any ready-made Skype traffic blocker, and as for writing my own, I am too lazy and there is no time.
- Recognizing and blocking UDP traffic is much easier. Each frame begins with a two-byte identification number (ID) and a packet type (payload). A 39-byte NACK packet, passed through the obfuscator, is embedded in the UDP packet and contains the following information:
- packet ID (not constant; varies from packet to packet);
- function number (func), passed through the obfuscator, but func & 8Fh is always equal to 7h;
- sender IP;
- receiver IP.
- Thus, to block the UDP traffic generated by Skype, it is enough to add one firewall rule:
- iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
- Unfortunately, blocking UDP traffic solves nothing, because Skype automatically switches to TCP, but here there is a small hitch. The headers of incoming IP packets belonging to the SSL key-exchange protocol (SSL key-exchange packets) contain an ID 170301h that is unusual for "normal" applications, returned in response to a request with ID 160301h (by default SSL version 3.1). Thus, blocking all incoming packets containing the header 170301h seriously puzzles Skype, and current versions lose functionality. Only for how long...
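As an added example (not from the article or from Skype), the matching logic of the iptables rule above is re-implemented over raw IPv4 packets so that its u32 offsets become explicit, together with the 160301h/170301h record-header check for the TCP side. One caveat a practitioner should keep in mind: 17 03 01 is simply the TLS 1.0 (SSL 3.1) application-data record header, so a blanket block on it catches every TLS 1.0 session, not only Skype. The packet bytes are constructed for the demo, not captured traffic.

```python
import struct

NACK_TOTAL_LEN = 39        # -m length --length 39: total IP datagram length
NACK_MAGIC = 0x527C4833    # --u32 '31=0x527c4833'


def u32_at(packet: bytes, offset: int) -> int:
    """Big-endian 32-bit word `offset` bytes from the start of the IP header,
    the same addressing the iptables u32 match uses."""
    return struct.unpack_from("!I", packet, offset)[0]


def is_skype_udp_nack(packet: bytes) -> bool:
    """True if `packet` (IPv4 header + UDP header + payload) matches the rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return False                         # not IPv4 / not UDP
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if total_len != NACK_TOTAL_LEN or len(packet) != total_len:
        return False
    # '27&0x8f=7': the mask keeps only bits of byte 30, which with a 20-byte IP
    # header and 8-byte UDP header is UDP payload byte 2, the obfuscated func.
    return (u32_at(packet, 27) & 0x8F) == 7 and u32_at(packet, 31) == NACK_MAGIC


def tls_record_type(tcp_payload: bytes):
    """Classify the 5-byte TLS/SSL record header at the start of a TCP segment.
    16 03 01 = handshake, 17 03 01 = application data, both version 3.1 (TLS 1.0)."""
    if len(tcp_payload) < 5:
        return None, None
    names = {0x16: "handshake", 0x17: "app_data"}
    return names.get(tcp_payload[0]), f"{tcp_payload[1]}.{tcp_payload[2]}"


def build_ipv4_udp(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksums left zero) + UDP."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0, src, dst)
    udp = struct.pack("!HHHH", 31337, 12345, 8 + len(payload), 0)
    return ip + udp + payload


# Constructed samples using documentation addresses (192.0.2.10 -> 198.51.100.7).
_SRC, _DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
# NACK shape: 2-byte ID, func byte with func & 0x8f == 7, 4-byte magic, 4 bytes standing in for the rest
SAMPLE_NACK = build_ipv4_udp(_SRC, _DST, b"\x12\x34\x47" + NACK_MAGIC.to_bytes(4, "big") + b"\x00" * 4)
# Same 39-byte length but different content (a DNS-like query): must not match
SAMPLE_OTHER = build_ipv4_udp(_SRC, _DST, b"\xab\xcd\x01\x00" + b"\x00" * 7)
```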
- Other software and hardware can be used to detect and block Skype traffic, for example PRX from Ipoque or Cisco Network-Based Application Recognition (NBAR). However, they are not efficient enough, since Skype's developers are not sitting idly by, and if someone finds a reliable way to block its rotten traffic, in future versions the sod will turn up again.
- An army of drones, or Skype as a zombie
- Cheap voice calls caused rapid growth in Skype's popularity; as of April 27, 2006, according to official statistics, the network numbered more than 100 million registered users. And more than 700,000 people make at least one Skype call per day! It is easy to predict that the lion's share of Internet hosts will soon be on Skype, which has both a positive and a negative side.
- Hackers have long figured out how to use Skype to spread viruses and organize distributed attacks, which are very difficult to prevent: Skype traffic is securely encrypted and cannot be analyzed by antivirus software, blocked by firewalls, or recognized by intrusion detection systems.
- Of course, to capture a Skype node, the attacker must find a way to deliver malicious code to it, which, with all the safety measures in place, he should not be able to do. But, like any other software, Skype is prone to errors, including overflow errors, one of which was discovered on September 25, 2005. It has long since been fixed and is now only of historical interest, but it is still worth getting to know (which can be done at skype.com/security/skype-sb-2005-03.html or seclists.org/fulldisclosure/2005/Oct/0533.html).
- The ability to transfer control to shellcode allows an attacker to take over any Skype node, as well as all the super nodes known to it, and so on. A global threat looms over the distributed network, and it is a miracle that it did not end in catastrophe. However, experience shows that where there is one mistake, sooner or later others turn up. Closed source and numerous anti-debugging techniques (which complicate testing of the program) only contribute to that!
- Another dangerous "goodie" of Skype is its open API. Meeting third-party developers halfway, Skype's creators made it possible to integrate any application with the Skype client. True, a stern warning is displayed that such-and-such a program wants to use the Skype API: allow it, or send it packing? Of course, most people answer such questions in the affirmative. Long accustomed to annoying warnings, they instinctively press "Yes", and only afterwards begin to think about what they have actually allowed.
- Clearly, in order to use the Skype API, malware must somehow be delivered to the computer. Previously e-mail was used for this; it is successfully filtered by antivirus software, yet the number of users who run the executable attachment anyway is still counted in the millions. Now Skype itself can be used to send the virus. A local antivirus is the only means of defense potentially able to repel the attack. But if the virus is unknown to science, even the freshest antivirus cannot recognize it (heuristics still work more for advertising than for the end result).
- It is important that the Skype protocol has already been partially deciphered and hacker tools have been written that interact with Skype nodes bypassing the standard Skype client, without the server, and even without registration! And although at present this is limited to simply collecting super node addresses, there is a theoretical possibility of building one's own networks on top of the distributed Skype network, the developers' main error being that Skype nodes implicitly trust one another and the whole "security" rests only on the closedness of the protocol.
- Conclusion
- Concluding the article, I would like to ask: what have Skype's creators hidden in the depths of their code? Why, distributing the program for free, do they keep the sources closed and use a proprietary protocol, thereby arousing the distrust of security professionals? Why such fancy protection on free software, reducing performance and consuming large amounts of memory, when nobody is going to crack it anyway? Why is the Skype client implemented as a black box?
- Rhetorical questions. But my tail tells me that none of this is accidental!
- WWW
- General Skype Analysis: a mini-portal with lots of links to articles and other resources devoted to the analysis of Skype and how to combat it: http://www1.cs.columbia.edu/~salman/skype.
- Skype Trojan: a thesis-style presentation by Walter Sprenger showing how the Skype network can be used to distribute worms and other infections: http://www.csnc.ch/static/download/misc/2006_skype_trojaner_v1.1.pdf.
- "How to use Skype with Softice?": an interesting article explaining why the Skype client does not work when SoftICE is installed and how to get around it: http://gcasiez.perso.orange.fr/skypeandsoftice.html.
- "Skype Reads Your BIOS and Motherboard Serial Number": a blog note revealing the machinations secretly carried out by Skype, which reads the BIOS and motherboard serial number: http://www.pagetable.com/?p=27.
