EH-Net

In a recent article titled "Networks beware: Skype 3.0 includes new cloaking technology" http://www.computerworld.com/blogs/node/4174#comment-24056 (http://www.computerworld.com/blogs/node/4174#comment-24056) in Computer World the author (Preston Gralla) states "[Skype] may present a backdoor through which hackers can crawl..."

I have commented to the article and asked that the author clarify but with no response.  I was wondering if anybody here had heard about this and how it is accomplished.

I know that for P2P there may be some extra network traffic but I believe this is a part of the local application.  Unless some types of logs are kept and they can be harvested remotely I am not sure how this can be done.

It would be interesting to find out other wise.

I'm sure it would be possible to utilize Skype, especially with this new encrypted UDP traffic, as a covert channel. You could either use a skype specific exploit, which would be in high demand. I bet people are running fuzzers right now against this new code for buffer overflows. Or you could use some email or IM trickery to get the user to initiate a skype connection to you. Either way the network security admin either won't see it because its encypted or just ignore it as regular skype traffic.

Skype penetrates firewalls/NAT by fooling stateful detection... could that be what they are referring to?  It also will try to guess at the port that will be used for an outgoing connection by causing an outgoing connection and then portscanning the range above that port in the case of incremental port numbers being used by the firewall/NAT software.

Apparently (according to the article linked in the article you linked) they have changed those behaviors to make them less likely to be fingerprinted.  That could ceertainly make it harder to tell whether it's valid Skype traffic, or whether it's allowable traffic at all, depending if you allow Skype on your network.

From what I understand because the Skype client in already behind the firewall it has an established connection already and this is why it can work thought firewalls and NAT. Just like your messengers or any other client side connection software. Skype is not tricking your firewall it is just keeping a path open. Now it could be jumping around on random outbound ports to lessen the chance of Man-in-the-middle-attacks being able to collect passwords or record the calls. A lot of different software dose established connections to have a path from a privet network to there servers. This is the idea behind a lot of Trojan horses because with a firewall set to "default deny" or "explicit deny" it will only allow established connections to pass. The biggest issue with all the different client messageing/voip software is that there can be all kinds of Trojan like activity and you might not know till it's too late. I would say just keep you eye out and make sure to only use software you trust.

Slimjim100

(sorry if I got to far off topic)

I think that it is very important to understand just how certain applications work within our environments.  Especially those with channels that are encrypted with a proprietary algorithm.  And now that our fears of skype becoming a malware distribution agent have come to fruition (i.e. http://isc.sans.org/diary.php?storyid=1952 (http://isc.sans.org/diary.php?storyid=1952) and http://www.websense.com/securitylabs/blog/blog.php?BlogID=101 (http://www.websense.com/securitylabs/blog/blog.php?BlogID=101)) I think that more people are going to become concerned.

It is interesting to learn about the outbound characteristics of this application.  I suppose that one way to determine the ports that are permitted to egress the network could be determined by the skype client.  The benefit I see from this is that you would be masking network scans so that they do not appear to be normal enumeration tools.  I'll have to see if the client keeps a log of this that can be viewed by the user or if some other type of interface monitoring is required.

Thanks for the input on this one.  Keep the thread running is you have more.

This application is tricky.  It uses any available TCP port it can use.  If one is blocked, it keeps going until one is open.  Thi causes headaches for security admins.  We use SMS to monitor if Skype (application) is installed on a pc and use web filtering blocking all of the sites that you can install Skype from.

Here's an article to add to the conversation:

http://www.heise-security.co.uk/articles/82481

Don

Nice Article don!

            I can say that Sonicwall Firewalls (which I do not like too much) do block this kind of UDP hole punching. I have seen with Skype and Hamachi you have to have a relay to get a connection when traversing though a Sonicwall firewall. I am also sure the Netscreen firewalls block UDP scanning by default too but both of the firewalls I just mentioned are not your basic NAT firewall but slightly more advanced firewalls will a few extra bells and whistles. Anyway it was a very good article and it inspired me to break out my ethereal /wireshark and do some sniffing. It's amazing the load of crap traffic all the little IM/P2P/VoIP clients throw around your network!

Slimjim100

If you are in need of security you would not allow any encrypted traffic into your network - be it skype or any other app.

Terminate any encrypted channel at your perimeter if you really need security, otherwise you'll always be in big trouble....