August 29th, 2014

fun with skype

Whilst poking about in my inbox for things related to skype, I found this presentation on skype internals given by Philippe Biondi (who wrote the awesome tool Scapy) and Fabrice Desclaux at BlackHat Europe this year. Being a proprietary VOIP tool, I expected skype to have some level of obfuscation built in so that you can’t easily build a replacement client, but after reading through the presentation I was pretty amazed at everything they found, and at how much of it they were able to subvert under the hood. Here are the points I found most interesting:

  • Most of the skype binary is encrypted, and it ships its own unpacker, which erases the original import table once it has loaded.
  • Polymorphic code-integrity checksums, executed at random times and obfuscated with random lengths and random operators. They came up with a scheme that runs two independent copies of skype under debuggers and relays the correct checksums from the untouched copy back to the modified one. Hacktacular. They also tried binary patching and removing the entire checksum loop, which actually made skype faster :)
  • Anti-debugging code that looks for breakpoints and tries to trap the debugger; it also targets specific debuggers by checking for their loaded drivers.
  • General code obfuscation with fake error handlers that directly tweak memory and registers. Once identified, they were able to bypass most of this by injecting shellcode directly.
  • Skype uses an obfuscated RC4 function to obfuscate its network traffic, not to protect privacy. They were able to get around this with more shellcode injection.
  • They wrote a Scapy wrapper called skypy to reassemble and decode the obfuscated TCP streams and “speak skype”.
  • They include an interesting analysis of the authentication procedure and of skype communication in general.
  • They also show how to cleanly firewall off skype, which isn’t as simple as you’d think.
  • They cover how to secede from the main skype network and put up your own.
  • A skype botnet built on the heap overflow they mention would be pretty scary, since most people wouldn’t know how to block this kind of opaque network traffic.
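To make the checksum and breakpoint story above concrete, here is a small C model of it. This is an added example written for this post; it is not code from the talk or from skype. The checksum loop, its parameters (operator, length, seed), the 32 constructed bytes standing in for a protected function, and the way the expected value is handed to the checker are all assumptions of the model: they show why a software breakpoint (x86 `int3`, byte 0xCC) written into a checksummed region trips the check, and how answering with the value computed on an untouched second copy defeats it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Operators a generated checksum loop may be built from. The talk describes
 * randomly chosen operators and lengths; here they are plain parameters. */
enum cs_op { CS_ADD, CS_XOR, CS_SUB };

/* Parameters of one polymorphic checksum instance (assumed shape). */
struct cs_params {
    size_t start, len;   /* byte range of the protected region */
    enum cs_op op;
    uint32_t seed;
};

/* Constructed sample: 32 bytes standing in for a protected function's code.
 * No 0xCC byte is present, so an int3 patch always changes a byte. */
#define CODE_LEN 32
static const uint8_t PRISTINE_CODE[CODE_LEN] = {
    0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x10, 0x89,0x7d,0xfc,0x8b,0x45,0xfc,0x83,0xc0,
    0x01,0x89,0xc2,0x8b,0x45,0xfc,0x0f,0xaf, 0xc2,0x48,0x83,0xc4,0x10,0x5d,0xc3,0x90
};

/* One instance of the checksum over `code`. Each step is a bijection on the
 * accumulator for a fixed input byte (odd multiplier, then add/xor/sub, then
 * rotate), so any single changed byte inside the range changes the result. */
uint32_t code_checksum(const uint8_t *code, const struct cs_params *p)
{
    uint32_t acc = p->seed;
    for (size_t i = p->start; i < p->start + p->len; i++) {
        uint32_t b = (uint32_t)code[i] * 0x01000193u;
        switch (p->op) {
        case CS_ADD: acc += b; break;
        case CS_XOR: acc ^= b; break;
        case CS_SUB: acc -= b; break;
        }
        acc = (acc << 7) | (acc >> 25);  /* rotate so byte position matters */
    }
    return acc;
}

/* What the protected binary does: recompute and compare with the value it
 * expects. The expected value is passed in here; in the real binary it is
 * buried in the obfuscated code (assumption of this model). */
int integrity_ok(const uint8_t *code, const struct cs_params *p, uint32_t expected)
{
    return code_checksum(code, p) == expected;
}

/* Simulate a software breakpoint: the debugger writes 0xCC (x86 int3)
 * over the first byte of the instruction. Returns the byte it replaced. */
uint8_t set_breakpoint(uint8_t *code, size_t off)
{
    uint8_t old = code[off];
    code[off] = 0xCC;
    return old;
}

/* The relay trick: when the debugged instance runs a check, answer it with
 * the checksum the untouched second instance computes for the same params. */
uint32_t relayed_checksum(const uint8_t *pristine_instance, const struct cs_params *p)
{
    return code_checksum(pristine_instance, p);
}

int main(void)
{
    uint8_t debugged[CODE_LEN], pristine[CODE_LEN];
    memcpy(debugged, PRISTINE_CODE, CODE_LEN);
    memcpy(pristine, PRISTINE_CODE, CODE_LEN);

    struct cs_params p = { 4, 20, CS_XOR, 0xdeadbeefu };
    uint32_t expected = code_checksum(PRISTINE_CODE, &p);

    printf("clean copy passes:      %d\n", integrity_ok(debugged, &p, expected));
    set_breakpoint(debugged, 12);                       /* inside [4, 24) */
    printf("after int3 at +12:      %d\n", integrity_ok(debugged, &p, expected));
    printf("relayed from pristine:  %d\n", relayed_checksum(pristine, &p) == expected);
    return 0;
}
```

Two things the model makes visible. A breakpoint outside the checksummed range is not caught, which is why the real loops use random lengths and many overlapping instances rather than one fixed region. And the "patch the loop out" bypass from the talk is simply making `integrity_ok` return 1 unconditionally; the relay approach is the one that works when you can't tell, from the outside, where all the loops are.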

Some of Biondi’s other tools used in the presentation are also very cool:

  • Shellforge — a tool for creating #include’able shellcode from plain C code
  • PytStop — a new (alpha) debugging engine written in Python
  • Siringe — a ptrace-based process injector
