January 25, 2006 5:41 PM PST

Skype could provide botnet controls

Related Stories

Bots may get cloak of encryption

November 14, 2005

ISPs versus the zombies

July 19, 2005

Hacking for dollars

July 6, 2005

Feds to fight the zombies

May 23, 2005

Alarm growing over bot software

April 30, 2004
Internet phone services such as Skype and Vonage could provide a means for cybercriminals to send spam and launch attacks that cripple Web sites, experts have warned.

Moreover, because many voice over Internet protocol applications use proprietary technology and encrypted data traffic that can't easily be monitored, the attackers will be able to go undetected.

"VoIP applications could provide excellent cover for launching denial-of-service attacks," the Communications Research Network said Wednesday. The Communications Research Network is a group of industry experts, academics and policy makers funded by the Cambridge-MIT Institute, a joint venture between Cambridge University and the Massachusetts Institute of Technology.

The group urges VoIP providers to publish their routing specifications or switch to open standards. "These measures would...allow legitimate agencies to track criminal misuse of VoIP," Jon Crowcroft, a professor at Cambridge University in the U.K., said in a statement.

Essentially, some of the features to protect VoIP applications can now be used maliciously, Crowcroft said. "While these security measures are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," he said.

In a denial-of-service attack, a flood of information requests is sent to a Web server, bringing the system to its knees and making it difficult or impossible to reach. Today, such attacks often involve many hacked computers, so-called "zombies," that have been networked in a so-called "botnet."

Cybercriminals rent out use of their botnets on the black market. About 60 percent of the world's spam is sent through such compromised computers, and the zombies are also used in extortion schemes where a Web site owner is told to pay or face a denial-of-service attack.

Botnets are typically controlled by an attacker via Internet Relay Chat. Zombies listen for instructions from their masters on IRC channels. Investigators monitor those channels to help catch cybercriminals, and Internet service providers can block traffic to the IRC servers used by zombies in order to thwart attacks, experts have said.

VoIP applications such as eBay's Skype and Vonage could give cybercriminals a better way of controlling their zombies and covering their tracks, the Communications Research Network said. "If the control traffic were to be obfuscated, then catching those responsible for DoS attacks would become much more difficult, perhaps even impossible," the group said in a statement.

There has yet to be an instance of an online attack launched through a VoIP application, but the Communications Research Network believes it is only a matter of time. "If left unresolved, this loophole in VoIP security won't just decrease the likelihood of (attack) detection and prosecution, it could also undermine consumer confidence in VoIP," the group said.

Communications Research Network contacted VoIP providers with its concerns, it said. Skype and Vonage did not immediately respond to a request for comment.


Join the conversation!
Add your comment
Sounds like a gov spy plot by chicken little
to convince all the VOIP firms to hand over their encryption secrets and put back doors into their products for the goverment to control. Somewhat like Homeland Security and nailclippers being banned on airplanes becuase they might somehow be a terrorist weapon. Anything can become a terrorist weapon.
Posted by likes2comment (101 comments )
Reply Link Flag
Proof of concept?
How would skype communicate to a computer without their software since they run their own protocol?

Posted by kieranmullen (1070 comments )
Reply Link Flag
NSA Crying again...
this sounds like NSA wants to dip their little fingers where they don't belong again. Every once of privacy taken away until we all live in a police state.
Posted by MrTeo (7 comments )
Reply Link Flag
The Skype Is Falling, The Skype Is Falling
Why go to the trouble of piggybacking off Skype to control botnets? This presupposes that Skype is already installed on the compromised computer. Why not simply install your own encrypted protocol after penetrating the computer? Who the heck needs Skype or other VoIP, along with all that overhead.

This story is yet another example of an "expert" on somebody's payroll whooping up panic to further some secret agenda. By the way, I thought by now the global flu pandemic was supposed to have hit and killed a few billion of us.
Posted by Stating (869 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.