New Trojan Snags Skype Calls on Windows PCs

A new Trojan is recording Skype phone calls on Windows PCs, security research firm Symantec (NASDAQ: SYMC) reported today.

“What we’re looking at is something that could be considered the first ‘wiretap Trojan,'” Symantec’s Intel Security Team wrote in a blog post.

Symantec’s analysis found that the Trojan, which it dubbed “Trojan.Peskyspy,” can record audio on a computer such as Skype calls, store the file locally as an encrypted mp3 and then relay it back to the hacker.

Trojan.Peskyspy is designed to beat Skype’s encryption, Symantec found. “Since the Trojan listens to the data coming to and from the audio devices, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level,” the company said.

The virus can attack the Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003 and Windows 2000 operating systems.

The Trojan does not exploit a Windows flaw, a Microsoft spokesperson told “Trojan.Peskyspy does not exploit any security vulnerability, but rather relies on user interaction in which the user would need to install/execute an application.”

To avoid Trojans, “users should exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Equally important, users should avoid visiting un-trusted websites as they could possibly be malicious in nature prompting one to download and run a dangerous executable,” she said.

Altering an applications behavior

“The Trojan is targeting Windows API hooks, a technique used to alter the planned behavior of an application, that Microsoft has intended to be used by audio applications,” Symantec said.

On infected systems, it attempts to bypass certain firewall processes, potentially opening up a limited back door that would allow the attacker to send the recorded calls to a predetermined location, download an updated version of the Trojan, and delete the Trojan from the compromised computer, according to Symantec.

While the Trojan appeared to initially target Skype calls, Symantec’s Intel Security Team said that this attack could work against any popular VoIP application.

“We’d like to point out that its existence isn’t due to any problems with Skype itself,” the researchers said. “In this case, Skype has simply become a victim of its own popularity, most likely being targeted simply because it has such a large install base. This threat could just have easily been crafted to take advantage of any one of the myriad of other VoIP applications, and it’s likely we’ll see other threats in the future that do just that.”

Microsoft and eBay, Skype’s parent company, did not immediately respond to requests for comment on the Trojan.

Symantec said that the Trojan is more of a proof of concept than an immediate threat. Anyone with current anti-virus protection will be safe, and the Trojan is not designed to spread by itself.

“In terms of impact, we don’t see this threat gaining much of a foothold out in the wild,” Symantec said. “What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind we recommend keeping your virus definition and IPS signatures up-to-date.”

“Someone has to install it themselves or use another piece of malware or social engineering to install it on a PC,” Kevin Haley, director of Symantec Security Response, told

Although the threat is minimal now, that could change. “It is common today for one piece of malware to install another piece of malware,” Haley said.

He added that most criminals don’t have the time to sift through hundreds of thousands of mp3 files, so the Trojan would likely be used only in a targeted attack.

What enteprises need to consider

Enterprise IT managers should therefore think about how valuable information is used on the phone in their own company.

“They need to ask, ‘is this a threat I’ve thought about? Do people want to target my call center? Do people want to target my executives? Are my executives aware of security best practices,” said Haley.

It’s another case where an open architecture designed for the good guys is being taken advantage of by the bad guys, according to Haley. “The bad guys will always look to take advantage of things, in the real world as well as in the online world. This should reinforce to your readers that they should have security software on their computer.”

Update adds comments by Kevin Haley, director of Symantec Security Response and by a Microsoft spokesperson.

News Around the Web