
Skype snooping trojan detected

Updated Monday, August 31, 2009 at 9:48 a.m. EST

Source code for a new trojan has been released that has the ability to snoop on phone calls over the popular voice over IP (VoIP) program Skype.

Ruben Unteregger, a Swiss software engineer formerly with the software development company ERA IT Solutions, released the source code for the trojan Tuesday. On his blog, Megapanzer, Unteregger provided details about the trojan, which he said can “...intercept all audio data coming and going to the Skype process.”

“What we're looking at is something that could be considered the first ‘wiretap trojan,’” Karthik Selvaraj, an analyst at Symantec Security Response Team, wrote in a blog post Thursday.

The code, identified as Trojan.Peskyspy, has the ability to record audio from Skype calls, convert the audio to an MP3 file, encrypt it and send it back to the attacker, Symantec said.

“What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer,” Selvaraj wrote. “It does this by hooking various Windows API calls that are used in audio input and output.”

The trojan sniffs inbound and outbound audio as it travels between the PC's audio device and Skype, Selvaraj explained. Outbound audio coming from a user's microphone is captured before it even reaches Skype, and inbound audio is captured after it leaves Skype, but before it reaches the PC's speakers.

“It gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level,” Selvaraj said. “Essentially, it sits below these security measures, recording the audio at the Windows level.”

The trojan does not rely on any issue in Skype itself and could potentially be crafted to exploit any VoIP program, Selvaraj said.

Though source code became publicly available Tuesday, Unteregger told German news outlet that the trojan actually had been in development since at least 2006.

As of now, the trojan has not been identified in the wild, Kevin Haley, director of Symantec Security Response, told on Friday. But now that source code has been released, there is a potential that attackers could add this trojan to their exploits.

The source code does not have any means of propagating itself, so an attacker would have to use social engineering to trick a user into installing it, or have physical access to the machine they wish to infect.

“For the most part, this is a tool that would be used in a targeted way at someone,” Haley said.

A Skype spokesperson told in an email statement Friday that Skype's Information Security team is aware of Trojan.Peskyspy.
"Skype strongly recommends that users follow security best practices like maintaining an up-to-date anti-virus program, using a personal firewall and ensuring that their computer is current with patches to help defend against attacks such as this."
