Skype Chatosky Worm: Friend or Foe?

By Mary Landesman, About.com

December 19, 2006

Okay, so there's no such thing as a good worm, and I truly believe that. Still, thanks to the Chatosky worm, I did uncover some things about the Skype service that I might not otherwise have known.

Skype is an Internet phone service that allows you to make calls over the Internet for little or no charge. Skype also has a chat feature that made headlines in December 2006 after becoming the target of the Chatosky worm, which sends itself as a link to random Skype chatters. Recipients must agree to accept the link, after which a password-stealing Trojan is downloaded onto their system.

The site hosting the Trojan was taken down long before the malware made headlines, and overall these are fairly predictable malware behaviors (other than the random discovery of chat users). What really makes W32.Chatosky of interest are the details of how the Skype chat program works, discovered while researching the malware.

Skype spreads the load
When Skype person A chats with Skype person B, it's hard to say who else might be involved. This goes beyond the normal risks of online chat privacy - the chat may actually be deliberately sent to others. The first clue lies in this little tidbit found in the community support forum on the Skype website:

"So, let's say users A and B want to send IM's between themselves. If both A and B are behind a NAT or a restrictive firewall, then A can't directly connect to B and B can't directly connect to A...In this case, A connects to you (C) and B connects to you (C), just briefly, to exchange messages. These hosts then disconnect and spread the load across a number of computers."

No matter how brief 'just briefly' turns out to be, the fact is that C has now been made privy to the conversation between A and B. So who is C? From the sounds of it, it could be anybody. In particular, anybody who doesn't use a firewall - which doesn't say much about their overall security posture. What happens if C is a zombie machine? Can the bot herder capture the Skype chat communications between A and B and other Skype chat attempts in its virtual vicinity? And what exactly does "spread the load across a number of computers" mean? Just how many other parties are potentially privy to your communications? Distributed networks might work well for filesharing or data crunching, but do you really want your private communications handled that way?

Skype access API
And what about A or B? Can they deliberately trick C (or one of the unexplained 'load balancing systems') into doing something? Hard to say, but the description of how Skype chat communicates was posted to the Skype help forum by Kurt Sauer, Director of Security Operations for Skype, in response to a post from a user complaining that their antivirus software had "detected a remote system that is attempting to access Skype.exe on your computer."

So if Skype.exe is really readily accessible on strangers' computers, what can be done with it? I found this on the 'Developer Zone' section of the Skype website:

"The Skype access API enables external applications to control certain Skype functions, for example to place a call or to get a Skype user profile. In the interests of privacy and security, before an external application can take control, Skype pops up the name of the application to the user and asks if it is OK to allow access."

Somehow, I find it ironic that Skype mentions 'in the interests of privacy and security', but I digress. Back to the main point: doesn't this API behavior sound a lot like what the W32.Chatosky malware was doing? According to Skype, as quoted on the Sunbelt blog, it certainly is: "the behavior of this Trojan using the Skype API is as per the specifications of the API."

So Skype chat, and perhaps even their phone service, sends communications intended for one person through the computers of strangers. And the API that handles those comms is deliberately programmed to allow at least some remote manipulation. No wonder they give it away for free.

©2008 About.com, a part of The New York Times Company.

All rights reserved.