September 2, 2009 5:54 PM PDT

Symantec: Posted code enables VoIP spying

by Larry Magid

Along with keyloggers that track what you type, now we have to worry about malicious software that listens in on our voice over Internet Protocol conversations.

Gerry Egan

(Credit: Joris Evers/CNET)

A Symantec security blog on Thursday disclosed a new Trojan horse, Trojan.Peskyspy, "that records VoIP communications, specifically targeting Skype." The posting, based on analysis from Symantec's Karthik Selvaraj, pointed out that "its existence isn't due to any problems with Skype itself" but that Skype may have been targeted "simply because it has such a large install base."

Gerry Egan, Symantec's director of security response, says the Trojan is capable of "hooking...through some Windows APIs into some audio streams" that "can be intercepted, turned into MP3 files, and then sent over a remote channel to a remote electronic eavesdropper."

A PC can be infected through the usual channels for malware, including an executable file in an e-mail you click on and a "drive by download" that's automatically triggered when you visit an infected Web site. The most recent trend, Egan said, "is a shift toward socially engineered attacks like a fake video site."

The code has been published on the Web by a Swiss researcher, Egan said, adding that "we've not seen any indications of it being used maliciously, but the published code opens up endless possibilities in the mind of a hacker."

The code would affect Skype or any other VoIP software on a Windows PC that uses an audio stream, Egan said.

Unlike with most malware, Symantec does not anticipate the code being used to launch widespread attacks.

"To do this en masse really isn't practical," Egan said. Even if a "piece of malware gets on the machine of someone who is using (VoIP), and they are talking about interesting things, finding those interesting things among the many hundreds of thousands of hours of phone calls would be like trying to find a needle in a haystack." He said it might be more valuable in a targeted attack against a specific individual.

Eavesdropping is a risk when it comes to industrial espionage, prying spouses or significant others, and political campaigns, as well as political dissidents. U.S. law requires a court order before a phone or a computer can be legally tapped by government or law enforcement officials.

The best way to avoid being infected with this or any other malware is to use good, up-to-date security software and to be sure that your operating system and browser are updated. It's also a good idea to avoid clicking on e-mail attachments and to consider using security software that warns you when you're about to visit a potentially malicious Web site.

You can listen to my interview with Gerry Egan here:

Listen now: Download today's podcast

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
by nicmart September 2, 2009 6:42 PM PDT
Macs are exempt from the threat, then, as usual?
by larrymagid September 2, 2009 6:53 PM PDT
Yes. As far as I know, this is only a Windows vulnerability.

Larry
by protagonistic September 2, 2009 8:42 PM PDT
But keep in mind that it could probably be done. Any OS can be hacked, especially through social engineering. :-)
by Vegaman_Dan September 2, 2009 9:41 PM PDT
Macs, however, connect to the internet. And this could be found in any Windows system along that chain. You'll never know.
by slickuser September 2, 2009 10:15 PM PDT
Most likely, Symantec might be the one who created it...

They got to keep their business running, right? If no new virus/trojan, they are out of business!!!
by ikramerica--2008 September 3, 2009 12:45 AM PDT
@protag

True, but it's written to intercept Windows API calls. It would need to be rewritten to intercept OS X streams, assuming they work in the same way. Sounds like it is recording the sound between the microphone and the app, and between the app and the speakers. Probably can be done on any platform.
by mbenedict September 3, 2009 4:44 AM PDT
It would be TRIVIAL to write a Mac equivalent of this trojan.

If you look at Mac programs like Audio Hijack, Call Recorder, or WireTap Pro, they essentially work the same way. All an attacker needs to do is to "wrap" this functionality into a socially-engineered trojan.

So Macs are NOT exempt from security threats, then, as usual.
by WinNoMo September 3, 2009 7:20 AM PDT
I just switched to Mac 3 months ago. For reasons such as this. I still have to worry about these things on my work network though. It's nice not to worry when I come home.
by MD_Willington September 3, 2009 10:12 AM PDT
a packet is a packet...

if someone has outside access to the media carrying your packets from a MAC then it is vulnerable...
by santuccie September 7, 2009 12:29 PM PDT
SHHH! Watch what you say; that's blasphemy to a Mac user.
by EvanSei September 2, 2009 6:50 PM PDT
Targeting Skype - I use Google, Voice, Talk, and video chat. Drive-by downloads - anti-virus and good ol' Safari stops them.
by sundance808 September 2, 2009 10:36 PM PDT
It's not only Skype; the exploit latches on MS Windows' media API and 'listens' to the audio stream that goes through. This means that as long as the mic is in use the exploit can potentially tap in.
by luc_vdv September 3, 2009 2:15 AM PDT
Targeting whatever? An exploit that taps into the audio stream of a connected microphone can probably just as easily be written for any other OS that supports audio, but that's not the point.

Have you ever seen one of those old spy movies where the bad guy inserts an RF transmitter into a POTS telephone handset?
What we're seeing here is almost akin to attacking the phone company for not preventing the use of that kind of bug. And it's almost just as ridiculous too, in my opinion.

The issue isn't that this trojan shouldn't be able to function the way it does, the issue is that it shouldn't be installed on someone's system - and that shifts the responsibility to where it belongs.

It's a trojan, for crying out loud. ANY application can be made into a trojan, all it takes is to convince someone that it does something else than it really does, and get him to install it. Does that mean we have to remove ALL functionality from every OS? Someone might create a trojan that erases files, so you know what, we're going to demand that Microsoft remove the ability to delete any files from the Windows APIs. Problem Fixed. Apple and Linux don't suffer from it, of course, because there files can only get deleted when you WANT them to.
by Vegaman_Dan September 2, 2009 9:42 PM PDT
This isn't exactly news. VoIP has never been known for security- it's eceedingly easy to intercept, do man in the middle, etc.

Considering how poor VoIP services are usually in real use for dropped packets, connections lost, etc, I'm not sure it will affect many. :/
by Lerianis3 September 3, 2009 2:55 AM PDT
Are you joking? Most people who have switched totally to VoIP have said that their connections are usually JUST AS GOOD as with a regular phone company telephone.
by mbenedict September 3, 2009 4:52 AM PDT
It's not "eceedingly easy" (sic) to intercept / do man-in-the-middle attacks with VoIP.

It's much easier to intercept POTS calls rather than VoIP calls, because VoIP calls tend to be encrypted.

Hence the need for a trojan, to "listen in" at the source or destination before the channel is encrypted (or after decryption).

In most large enterprises, VoIP is already the norm. For big corporations, not paying "Ma Bell" for inter-office calls (easily in the multi-million minutes / year category) is a no-brainer when they already have IP infrastructure which can be upgraded to do the same.
by Ian Rodriguez September 3, 2009 5:25 AM PDT
So, this makes no sense as a consumer based attack BUT...
The overall implication of this in the world of espionage is enormous. Drop this code on a laptop of a CEO of a company or on the laptop of a terrorist and now you can intercept all their calls once thought to be "protected".
by mbenedict September 3, 2009 7:57 AM PDT
In the world of espionage, this is old news. See for example:

http://www.boingboing.net/2008/01/26/german-govt-caught-b.html

"Documents on Wikileaks show that the German (Bavarian) government had planned to release trojans -- malware -- designed to allow them to intercept Skype calls. The leaked documents include wrangling over the pricing and payment for the malicious software."
by inachu1 September 3, 2009 8:02 AM PDT
This code can be made for any computer, but it is a basic man in the middle attack, or in this case application in the middle, copying the sound before it gets into Skype to be encrypted.
Heck, many sound tools software programs can do that.
by Michichael September 3, 2009 9:16 AM PDT
Um... duh? Code/exploits targeting VoIP have been around since 2008...
by runger56 September 3, 2009 5:24 PM PDT
Centralized security always allows for a singular vector of attack. How about this:
- provide multiple factors of identification and authentication
- let users manage encryption keys
- never send keys with the payload
- allow key rotation
- allow multiple ciphers in the same communications session

Let the men in the middle take that.

Peter Rung
www.mykryptofon.com
by kannuc September 7, 2009 11:23 AM PDT
Wonder if this is affecting MagicJack as much as Skype. They claim they're adding 1/4 million new subscribers per month now.