
Page 1: The Skype is No Longer the Limit

New Ways Malware Keeps In Touch With Your Friends

David Wood, Microsoft Malware Protection Center, Australia, david.wood@microsoft.com

Page 2: Overview

- Why Skype and Twitter are attractive to malware writers
- Demonstration
- Skype and Twitter malware
- Security

Page 3: Skype & Twitter are Popular

Skype, in the first half of 2010:
- At peak times 23 million users online
- 6.4 billion minutes of calls to mobiles and landlines
- 88.4 billion minutes of Skype-to-Skype calls
- 40% of these are video calls

Twitter, in September 2010:
- 145 million registered users
- 90 million tweets per day
- 1 billion tweets via SMS per month (April 2010)
- 300,000 third-party applications

Page 4: Potential Gain

- Personal information: conversation histories, list of contacts, phone numbers
- Skype accounts may have monetary value: could be used for calls or SMS

Page 5: Social Engineering

- Messages appear to come from trusted sources
- Twitter status updates are short: messages don't contain much detail, and addresses are obfuscated by URL shorteners
- Possibility of appearing in the context of an existing Skype text chat

Page 6: Comprehensive APIs - Twitter

http://apiwiki.twitter.com/Twitter-API-Documentation

- Search public tweets
- Trending topic information
- Status updates
- Lists
- Direct messages
- Add/remove followers
- Edit profile
- Favorites
- Device notifications
- Location information
- Block/unblock users
- Report spam

Page 7: Twitter Third Party Applications

- Communicate with Twitter using HTTP requests, e.g. show whether @bob follows @alice:
  http://api.twitter.com/1/friendships/show.xml?source_screen_name=alice&target_screen_name=bob
- Need to authenticate the user when reading non-publicly available information, updating information, or destroying information

Page 8: Comprehensive APIs - Skype

http://www.skype.com/resources/public_api_ref.zip

- User information
- Contact information
- Voice and video calls
- Input/output source
- Text chats
- Manage contacts
- Contact groups
- SMS
- Call forwarding
- Voicemail
- Custom menu items
- Communication between remote applications
- File transfer windows
- Keyboard events
- Logs and histories
- Window focus
- Silent Mode

Page 9: Skype Third Party Applications

[Diagram: message flow between Third Party App, Skype Client and Skype Client User. The third-party app sends SkypeControlAPIDiscover; the Skype client shows the user a Request, which the user can Allow/Deny; the client answers with SkypeControlAPIAttach. Commands and replies are then exchanged as WM_COPYDATA messages, e.g. WM_COPYDATA "Search Friends" from the app and WM_COPYDATA "USERS echo123, bob" from the client.]

Page 10: Skype Tools

- Wrappers: Skype4COM, Skype4Py, Skype4Java
- Tracer.exe: http://developer.skype.com/resources/Tracer.exe

Page 11: Demonstration

Page 12: Get Access to Skype

Page 13: Happy Birthday!

Page 14: Happy Birthday!

Page 15: Adding a Menu Item

Page 16: Adding a Menu Item

Page 17: Silent Mode

Disables visible display of calls, messages, and other events

Page 18: Change the Audio Input Source

Page 19: Remote Applications

Page 20: Remote Applications (Local / Remote)

Page 21: Malware's use of Skype

[Table. Columns: Threat; Payload (Spread, Spam, Steal Info); Method of Accessing Skype (Skype4COM, Skype API, Keyboard/Mouse Events, Hook Windows APIs). The per-family marks are not preserved in the transcript.]

Threats listed: VBS/Skypams, Latchiwire, PeskySpy, Pushbot, Pykspa, Rimecud, Slenfbot, Sohanad, Spector, Stration

Page 22: Malware's use of Twitter

[Table. Columns: Threat; Payload (Spread, Steal Auth Token, Command & Control); Method of Accessing Twitter (XSS Vuln, Twitter API, Paste to Window, Steal Auth Token). The per-family marks are not preserved in the transcript.]

Threats listed: JS/Twitime, JS/Twitini, JS/Twooken, MSIL/Twooeebot, Win32/Koobface, Win32/Pykspa, Win32/Svelta, Win32/Worksud

Page 23: Skype Malware Example

Spammer:VBS/Skypams

Page 24: Worm:Win32/Pykspa

- Automatically dismisses the "Allow Access" dialog: enumerates windows searching for tskAclForm
- Spams localized messages: queries the client for the preferred language
- Collects information about the user and public contacts: name, gender, DOB, location, phone numbers, online status, video capabilities, mood text, PSTN account balance, chat history, current calls

Page 25: Worm:Win32/Pykspa cont'd

- Hangs up current calls
- Changes online status
- Transfers files
- Uses API strings later supplied by the backdoor's controller
- Spreads via Twitter: searches for open windows with a title containing "Twitter" and sends messages supplied by the backdoor's controller

Page 26: New Functionality for Old Families

- Win32/Slenfbot and Win32/Pushbot: recently added Skype spreading; uses only keyboard and mouse events, not the Skype APIs; same approach as for instant messaging programs
- Win32/Koobface: Twitter spreading; extracts the authenticity token from the cookie; same approach as for social networking sites

Page 27: Twitter Malware - Win32/Svelta

- Uses Twitter for command and control: gets the timeline from a malicious account
- Base64-encoded URLs for other components, e.g.
  aHR0cDovL2JpdC5seS9MT2ZSTyBodHRwOi8vYml0Lmx5L0ltZ2
  which decodes to "http://bit.ly/LO*** http://bit.ly/Im***"
- Accounts usually suspended quickly
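As an added example (not code from the presentation), a defender-side scan for the Svelta pattern on this slide: a timeline entry that is a bare Base64 blob decoding to one or more URLs. The sample timeline is constructed and uses example.* hosts rather than the real shortened links; the decoder tolerates unpadded tokens like the one quoted above.

```python
"""Flag tweets that hide URLs inside a Base64 token (Svelta-style C2).
Added example, not from the presentation; the sample timeline is constructed."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# A whitespace-delimited token that looks like Base64: alphabet only, 16+ chars,
# optional '=' padding. Short words and ordinary sentences never match.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://\S+")


def decode_b64_lenient(token: str) -> Optional[str]:
    """Decode Base64, tolerating missing '=' padding (the slide's sample is
    cut short and unpadded). Returns None unless the result is printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def extract_encoded_urls(tweet: str) -> List[str]:
    """Return URLs hidden in Base64 tokens of a tweet, or [] for a normal tweet."""
    urls: List[str] = []
    for token in tweet.split():
        if B64_TOKEN.match(token):
            text = decode_b64_lenient(token)
            if text:
                urls.extend(URL_RE.findall(text))
    return urls


def flag_timeline(tweets: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan a timeline and return (tweet, urls) for tweets carrying encoded URLs."""
    hits = []
    for tweet in tweets:
        urls = extract_encoded_urls(tweet)
        if urls:
            hits.append((tweet, urls))
    return hits


# Constructed sample timeline (not real Svelta data; example.* hosts only).
SAMPLE_TIMELINE = [
    "Good morning everyone!",
    base64.b64encode(b"http://example.com/stage2 http://example.invalid/cfg").decode(),
    "QUJDREVGR0hJSktMTU5PUA==",  # Base64 of "ABCDEFGHIJKLMNOP": text, but no URL
]

if __name__ == "__main__":
    for tweet, urls in flag_timeline(SAMPLE_TIMELINE):
        print("encoded URLs in tweet:", urls)
```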

Page 28: Twitter Malware - JS/Twitini

- Gets trending data for the previous week:
  http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags
- Uses an algorithm to generate a domain from the current date and the first letter of the previous day's top trending topic
- The authors register the same domain, so the script can download malware from there

Page 29: Skype Security

- Strong encryption for the Internet component of communication: 256-bit AES with 1024-bit RSA for key negotiation
- Non-clickable links in contact requests
- Greyed-out OK button for the Silent Mode dialog
- User guidelines

Page 30: Twitter Security

- Deprecation of HTTP Basic Authentication; OAuth used for authentication
- Rate limiting
- PIN for SMS status updates
- URL shortening service (t.co): blocks known malicious links, may re-expand URLs
- Spam, phishing and malware tracking systems

Page 31: Conclusions

- Skype and Twitter are attractive targets for malware
- Difficult for Skype or Twitter to completely protect against the actions of an infected system
- Both have taken steps to mitigate certain techniques, but malware writers work around these
- Users need to be vigilant

Page 32: Any Questions?

david.wood@microsoft.com