Your SlideShare is downloading. ×
0
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Skype protections                                       Skype seen from the network                                  Advan...
Skype protections                              Skype seen from the network                         Advanced/diverted Skype...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                           Skype protections                                                ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Binary packing                                         Skype protections                                                  ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                           Skype protections                                     ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                             Skype protections                                   ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                           Skype protections                                     ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Skype network obfuscation                                         Skype protections                                       ...
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Silver needle in Skype
Upcoming SlideShare
Loading in...5
×

Silver needle in Skype

508

Published on

Philippe BIONDI and Fabrice DESCLAUX @ Blackhat Europe 2006

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
508
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Silver needle in Skype"

  1. 1. Skype protections Skype seen from the network Advanced/diverted Skype functions Silver Needle in the Skype Philippe BIONDI Fabrice DESCLAUX phil(at)secdev.org / philippe.biondi(at)eads.net serpilliere(at)rstack.org / fabrice.desclaux(at)eads.net EADS Corporate Research Center — DCR/STI/C IT sec Lab Suresnes, FRANCE BlackHat Europe, March 2nd and 3rd , 2006Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 1/98
  2. 2. Skype protections Skype seen from the network Advanced/diverted Skype functions Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 2/98
  3. 3. Skype protections Skype seen from the network Advanced/diverted Skype functions Problems with Skype The network view From a network security administrator point of view Almost everything is obfuscated (looks like /dev/random) Peer to peer architecture many peers no clear identification of the destination peer Automatically reuse proxy credentials Traffic even when the software is not used (pings, relaying) =⇒ Impossibility to distinguish normal behaviour from information exfiltration (encrypted traffic on strange ports, night activity) =⇒ Jams the signs of real information exfiltrationPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 3/98
  4. 4. Skype protections Skype seen from the network Advanced/diverted Skype functions Problems with Skype The system view From a system security administrator point of view Many protections Many antidebugging tricks Much ciphered code A product that works well for free (beer) ?! From a company not involved on Open Source ?! =⇒ Is there something to hide ? =⇒ Impossible to scan for trojan/backdoor/malware inclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 4/98
  5. 5. Skype protections Skype seen from the network Advanced/diverted Skype functions Problems with Skype Some legitimate questions The Chief Security Officer point of view Is Skype a backdoor ? Can I distinguish Skype’s traffic from real data exfiltration ? Can I block Skype’s traffic ? Is Skype a risky program for my sensitive business ?Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 5/98
  6. 6. Skype protections Skype seen from the network Advanced/diverted Skype functions Problems with Skype Idea of usage inside companies ? At least 700k regularly used only on working days. 6e+06 5.5e+06 5e+06 4.5e+06 connected 4e+06 3.5e+06 3e+06 2.5e+06 2e+06 0 500 1000 1500 2000 2500 timePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 6/98
  7. 7. Skype protections Skype seen from the network Advanced/diverted Skype functions Problems with Skype Context of our study Our point of view We need to interoperate Skype protocol with our firewalls We need to check for the presence/absence of backdoors We need to check the security problems induced by the use of Skype in a sensitive environmentPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 7/98
  8. 8. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 8/98
  9. 9. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Encryption Avoiding static disassembly Some parts of the binary are xored by a hard-coded key In memory, Skype is fully decrypted Skype Binary Decryption Procedure: Each encrypted part of the binary will be decrypted at run time. Clear part Encrypted partPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 9/98
  10. 10. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Structure overwriting Anti-dumping tricks 1 The program erases the beginning of the code 2 The program deciphers encrypted areas 3 Skype import table is loaded, erasing part of the original import table Code Erased code Erased code Erased code Transition code Transition code Transition code Transition code Ciphered Ciphered Deciphered Deciphered code code code code Original Original Original Original import table import table import table import table Skype import tablePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 10/98
  11. 11. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Unpacking Binary reconstruction Skype seems to have its own packer. We need an unpacker to build a clean binary 1 Read internal area descriptors 2 Decipher each area using keys stored in the binary 3 Read all custom import table 4 Rebuild new import table with common one plus custom one in another section 5 Patch to avoid auto decryptionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 11/98
  12. 12. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Unpacking Erased code Erased code Transition code Modified Transition code Deciphered Deciphered code code Original Old original import table import table Skype Old Skype import table import table New full import tablePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 12/98
  13. 13. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Some statistics Ciphered vs clear code Legend: Code Data Unreferenced code Ciphered vs clear code Libraries used in hidden imports KERNEL32.dll 674 classic imports WINMM.dll 169 hidden imports WS2 32.dll RPCRT4.dll ...Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 13/98
  14. 14. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 14/98
  15. 15. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Checksumers scheme in Skype Checksumers scheme Checker 1 Checker’ 1 Checker 2 Checker’ 2 Code Checker .. Checker’ ... Checker N Checker’ N Main scheme of Skype code checkersPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 15/98
  16. 16. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation start : xor edi , edi add e d i , Ox688E5C mov eax , Ox320E83 xor eax , Ox1C4C4 mov ebx , eax add ebx , OxFFCC5AFD loop start : mov ecx , [ e d i+Ox10 ] jmp lbl1 db Ox19 lbl1 : sub eax , e c x sub edi , 1 dec ebx jnz loop start jmp lbl2 db Ox73 lbl2 : jmp lbl3 dd OxC8528417 , OxD8FBBD1 , OxA36CFB2F , OxE8D6E4B7 , OxC0B8797A db Ox61 , OxBD lbl3 : sub eax , Ox4C49F346Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 16/98
  17. 17. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Semi polymorphic checksumers Interesting characteristics Each checksumer is a bit different: they seem to be polymorphic They are executed randomly The pointers initialization is obfuscated with computations The loop steps have different values/signs Checksum operator is randomized (add, xor, sub, ...) Checksumer length is random Dummy mnemonics are inserted Final test is not trivial: it can use final checksum to compute a pointer for next code part.Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 17/98
  18. 18. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Semi polymorphic checksumers But... They are composed of A pointer initialization A loop A lookup A test/computation We can build a script that spots such codePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 18/98
  19. 19. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Global checksumer scheme Each rectangle represents a checksumer An arrow represents the link checker/checked In fact, there were nearly 300 checksumsPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 19/98
  20. 20. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation How to get the computed value Solution 1 Put a breakpoint on each checksumer Collect all the computed values during a run of the program J Software breakpoints change the checksums ² We only have 4 hardware breakpoints =⇒ Twin processes debugging Solution 2 Emulate the codePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 20/98
  21. 21. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Twin processes debugging 1 Put software breakpoints on every checksumers of one process 2 Run it until it reaches a breakpoint 3 Put 2 hardware breakpoints before and after the checksumer of the twin process 4 Use the twin process to compute the checksum value 5 Write it down 6 Report it into the first process and jump the checksumer 7 Go to point 2Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 21/98
  22. 22. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Twin processes debugging Process 1 Soft Hard Process 2 Twin Debugger PCPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 22/98
  23. 23. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Twin processes debugging Process 1 Soft Hard Process 2 Twin Debugger PCPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 22/98
  24. 24. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Twin processes debugging Process 1 Soft Hard Process 2 Twin Debugger PCPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 22/98
  25. 25. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Twin processes debugging Twin processes debugger using PytStop [PytStop] import pytstop checksumers = { s t a r t : stop , ... } p = p y t s t o p . s t r a c e ( " / usr / bin / skype " ) q = p y t s t o p . s t r a c e ( " / usr / bin / skype " ) f o r bp i n checksumer . k e y s ( ) : p . s e t b p ( bp ) while 1: p . cont ( ) hbp = q . s e t h b p ( c h e c k s u m e r s [ p . e i p ] ) q . cont ( ) q . d e l h b p ( hbp ) p r i n t " Checksumer at %08 x set eax =%08 x " % ( p . e i p , q . eax ) p . eax = q . eax p . eip = q . eipPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 23/98
  26. 26. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Checksum execution and patch Solution 2 1 Compute checksum for each one 2 The script is based on a x86 emulator 3 Spot the checksum entry-point: the pointer initialization 4 Detect the end of the loop 5 Then, replace the whole loop by a simple affectation to the final checksum value =⇒ Each checksum is always correct ... And Skype runs faster! ©Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 24/98
  27. 27. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation start : start : xor edi , edi xor edi , edi add e d i , Ox688E5C add e d i , Ox688E5C mov eax , Ox320E83 mov eax , Ox320E83 xor eax , Ox1C4C4 xor eax , Ox1C4C4 mov ebx , eax mov ebx , eax add ebx , OxFFCC5AFD add ebx , OxFFCC5AFD loop start : loop start : mov ecx , [ e d i+Ox10 ] mov ecx , [ e d i+Ox10 ] jmp lbl1 jmp lbl1 db Ox19 db Ox19 lbl1 : lbl1 : sub eax , e c x mov eax , Ox4C49F311 sub edi , 1 nop dec ebx [ ... ] jnz loop start nop jmp lbl2 jmp lbl2 db Ox73 db Ox73 lbl2 : lbl2 : jmp lbl3 jmp lbl3 dd OxC8528417 , OxD8FBB [ . . . ] dd OxC8528417 , OxD8FBB [ . . . ] db Ox61 , OxBD db Ox61 , OxBD lbl3 : lbl3 : sub eax , Ox4C49F346 sub eax , Ox4C49F346Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 25/98
  28. 28. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Last but not least Signature based integrity-check There is a final check: Integrity check based on RSA signature Moduli stored in the binary lea eax , [ ebp+v a r C ] mov edx , o f f s e t " 65537 " call str to bignum lea eax , [ ebp+v a r 1 0 ] mov edx , o f f s e t " 3 8 1 3 3 5 9 3 1 3 6 0 3 7 6 7 7 5 4 2 3 0 6 4 3 4 2 9 8 9 3 6 7 5 1 1 ... " call str to bignumPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 26/98
  29. 29. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 27/98
  30. 30. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Counter measures against dynamic attack Counter measures against dynamic attack Skype has some protections against debuggers Anti Softice: It tries to load its driver. If it works, Softice is loaded. Generic anti-debugger: The checksums spot software breakpoints as they change the integrity of the binary Counter counter measures The Rasta Ring 0 Debugger [RR0D] is not detected by SkypePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 28/98
  31. 31. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Binary protection: Anti debuggers The easy one: First Softice test mov eax , o f f s e t s t r S i w v i d ; " . Siwvid " call test driver t e s t al , a l Hidden test: It checks whether Softice is in the Driver list c a l l EnumDeviceDrivers ... c a l l GetDeviceDriverBaseNameA ... cmp eax , ’ ntic ’ jnz next cmp ebx , ’ e.sy ’ jnz next cmp ecx , ’s x00 x00 x00 ’ jnz nextPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 29/98
  32. 32. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Binary protection: Anti debuggers Anti-anti Softice IceExt is an extension to Softice cmp e s i , ’ icee ’ jnz short next cmp e d i , ’ xt.s ’ jnz short next cmp eax , ’ ys x00 x00 ’ jnz short next Timing measures Skype does timing measures in order to check if the process is debugged or not call gettickcount mov g e t t i c k c o u n t r e s u l t , eaxPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 30/98
  33. 33. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Binary protection: Anti debuggers Counter measures When it detects an attack, it traps the debugger : registers are randomized a random page is jumped into It’s is difficult to trace back the detection because there is no more stack frame, no EIP, ... pushf pusha mov save esp , esp mov esp , ad alloc? add esp , random value sub esp , 20 h popa jmp random mapped pagePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 31/98
  34. 34. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Binary protection: Anti debuggers Solution The random memory page is allocated with special characteristics So breakpoint on malloc(), filtered with those properties in order to spot the creation of this page We then spot the pointer that stores this page location We can then put an hardware breakpoint to monitor it, and break in the detection codePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 32/98
  35. 35. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 33/98
  36. 36. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Protection of sensitive code Code obfuscation The goal is to protect code from being reverse engineered Principle used here: mess the code as much as possible Advantages Slows down code study Avoids direct code stealing Drawbacks Slows down the application Grows software sizePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 34/98
  37. 37. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Techniques used Code indirection calls sub 9F8F70 : mov eax , 9FFB40h mov eax , [ e c x +34h ] sub eax , 7 F80h push esi mov edx , 7799 C1Fh mov e s i , [ e c x +44h ] mov ecx , [ ebp −14h ] sub eax , 292 C1156h call eax ; s u b _ 9 F 7 B C 0 add e s i , eax neg eax mov eax , 371509EBh add eax , 19 C87A36h sub eax , edx mov edx , 0CCDACEF0h mov [ e c x +44h ] , e s i mov ecx , [ ebp −14h ] xor eax , 40 F0FC15h call eax pop esi ; eax = 009 F8F70 retn Principle Each call is dynamically computed: difficult to follow staticallyPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 35/98
  38. 38. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation In C, this means Determined conditional jumps ... i f ( s i n ( a ) == 42 ) { do dummy stuff ( ) ; } go on ( ) ; ...Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 36/98
  39. 39. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Techniques used Execution flow rerouting lea edx , [ e s p+4+v a r 4 ] Sometimes, the code raises add eax , 3D4D101h an exception push o f f s e t area push edx An error handler is called mov [ e s p+0Ch+v a r 4 ] , eax If it’s a fake error, the call RaiseException handler tweaks memory rol eax , 17 h xor eax , 350CA27h addresses and registers pop ecx =⇒ back to the calling code Principle Hard to understand the whole code: we have to stop the error handler and study its code.Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 37/98
  40. 40. Binary packing Skype protections Code integrity checks Skype seen from the network Anti debugging technics Advanced/diverted Skype functions Code obfuscation Bypassing this little problem Bypassing this little problem In some cases we were able to avoid the analysis We injected shellcodes to parasitize these functionsPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 38/98
  41. 41. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 39/98
  42. 42. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype on UDP Skype UDP start of frame Begin with a Start of Frame layer compounded of a frame ID number (2 bytes) a type of payload (1 byte). Either : Obfuscated payload Ack / NAck packet payload forwarding packet payload resending packet few other stuffsPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 40/98
  43. 43. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer 45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83 IP 18 62 42 50 version 4L 08 03 20 53 00 1a 21 9c 7f 4e 02 ihl 5L 11 tos 0x0 8a c0 37 fc 95 75 5e 5e b9 81 7a 8e fa 81 len 46 id 4 flags DF frag 0L ttl 64 proto UDP chksum 0xeb75 src 172.16.72.131 dst 24.98.66.80 options ” UDP sport 2051 dport 8275 len 26 chksum 0x219c Skype SoF id 0x7f4e func 0x2 Skype Crypted Data iv 0x118AC037L crc32 0xFC95755EL crypted ’ˆxb9x81zx8exf[...]Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 41/98
  44. 44. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer Source IP Destination IP ID x00x00 Data are encrypted with RC4 IV CRC32 The RC4 key is calculated with elements from the datagram seed public source and destination IP seed to RC4 key engine Skype’s packet ID Skype’s obfuscation layer’s IV RC4 key (80 bytes)Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 42/98
  45. 45. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer The public IP Problem 1: how does Skype know the public IP ? 1 At the begining, it uses 0.0.0.0 2 Its peer won’t be able to decrypt the message (bad CRC) 3 =⇒ The peer sends a NAck with the public IP 4 Skype updates what it knows about its public IP accordingly 24 16 08 03 00 13 08 54 UDP 7f 4e 77 52 7c 48 33 83 sport 9238 b0 86 56 dport 2051 len 19 chksum 0x854 Skype SoF id 0x7f4e func 0x77 Skype NAck src 82.124.72.51 dst 131.176.134.86Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 43/98
  46. 46. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer The seed to RC4 key engine Problem 2: What is the seed to RC4 key engine ? It is not an improvement of the flux capacitor It is a big fat obfuscated function It was designed to be the keystone of the network obfuscation RC4 key is 80 bytes, but there are at most 232 different keys It can be seen as an oracle We did not want to spend time on it =⇒ we parasitized it Note: RC4 is used for obfuscation not for privacyPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 44/98
  47. 47. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer The seed to RC4 key engine Parasitizing the seed to RC4 key engine We injected a shellcode that 1 read requests on a UNIX socket 2 fed the requets to the oracle function 3 wrote the answers to the UNIX socketPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 45/98
  48. 48. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype Network Obfuscation Layer The seed to RC4 key engine v o i d main ( v o i d ) { u n s i g n e d c h a r key [ 8 0 ] ; v o i d (∗ o r a c l e ) ( u n s i g n e d c h a r ∗key , i n t s e e d ) ; i n t s , f l e n ; unsigned i n t i , j , k ; s t r u c t s o c k a d d r u n sa , from ; c h a r path [ ] = " / tmp / oracle " ; o r a c l e = ( v o i d ( ∗ ) ( ) ) 0 x0724c1e ; s a . s u n f a m i l y = AF UNIX ; f o r ( s = 0 ; s < s i z e o f ( path ) ; s++) s a . s u n p a t h [ s ] = path [ s ] ; s = s o c k e t ( PF UNIX , SOCK DGRAM, 0 ) ; u n l i n k ( path ) ; b i n d ( s , ( s t r u c t s o c k a d d r ∗)&sa , s i z e o f ( s a ) ) ; while (1) { f l e n = s i z e o f ( from ) ; r e c v f r o m ( s , &i , 4 , 0 , ( s t r u c t s o c k a d d r ∗)&from , &f l e n ) ; f o r ( j =0; j <0x14 ; j ++) ∗( u n s i g n e d i n t ∗ ) ( key+4∗ j ) = i ; o r a c l e ( key , i ) ; s e n d t o ( s , key , 8 0 , 0 , ( s t r u c t s o c k a d d r ∗)&from , f l e n ) ; } u n l i n k ( path ) ; c l o s e ( s ) ; e x i t ( 5 ) ; }Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 46/98
  49. 49. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Use of the shellcode $ shellforge.py -R oracle_shcode.c | tee oracle.bin | hexdump -C 00000000 55 89 e5 57 56 53 81 ec cc 01 00 00 e8 00 00 00 |U..WVS..........| 00000010 00 5b 81 c3 ef ff ff ff 8b 93 e5 01 00 00 8b 8b |.[..............| [...] 000001d0 fe ff ff 53 bb 0b 00 00 00 cd 80 5b e9 27 ff ff |...S.......[.’..| 000001e0 ff 2f 74 6d 70 2f 6f 72 61 63 6c 65 00 |./tmp/oracle.| $ siringe -f oracle.bin -p ‘pidof skype‘ $ ls -lF /tmp/oracle srwxr-xr-x 1 pbi pbi 0 2006-01-16 13:37 /tmp/oracle=Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 47/98
  50. 50. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Skype on TCP The seed is sent in the first 4 bytes of the stream The RC4 stream is used to decrypt the 10 following bytes that should be 00 01 00 00 00 01 00 00 00 01/03 the RC4 stream is reinitialised and used again for the remaining of the stream 0c 7c 49 7c 8b 26 fe 00 67 8b 91 c3 80 18 0b 68 TCP 51 14 00 00 01 01 08 0a 4c d8 77 45 00 00 00 00 sport 3196 dport 18812 33 fb af 76 28 ab b1 93 0a ff 6c df 55 b1 seq 2334588416L ack 1737200067L dataofs 8L reserved 0L flags PA window 2920 chksum 0x5114 urgptr 0 options [(’NOP’, None), (’[...] Skype init TCP packet seed 0x33FBAF76L init str ’(xabxb1x93nx[...]Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 48/98
  51. 51. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 49/98
  52. 52. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Low level datagrams : the big picture Almost everything is ciphered Data can be fragmented Each command comes with its parameters in an object list The object list can be compressed Enc Cmd Encod Object list SoF Frag Compressed list Ack Forward Forwarded message NAckPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 50/98
  53. 53. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Object lists Object List List size Number An object can be a number, a string, an IP:port, or even another IP:port object list Each object has an ID List of numbers Skype knows which object String corresponds to which command’s parameter from its ID RSA keyPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 51/98
  54. 54. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 52/98
  55. 55. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype For P in packets: zip P Packet compression Each packet can be compressed The algorithm used: arithmetic compression Zip would have been too easy © Principle Close to Huffman algorithm Reals are used instead of bitsPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 53/98
  56. 56. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  57. 57. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  58. 58. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1 APhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  59. 59. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1 A CPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  60. 60. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1 A C APhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  61. 61. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1 A C APhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  62. 62. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Arithmetic compression Example [0, 1] is splited in subintervals for each symbol according to their frequency We encode ACAB. First symbol is A. We subdivise its interval Then comes C Then A again Then B Each real enclosed into this small interval can encode ACAB 0 A 0.5 B 0.625 C 1 A C A Reals here encode ACABPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 54/98
  63. 63. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Outline 1 Context of the study 2 Skype protections Binary packing Code integrity checks Anti debugging technics Code obfuscation 3 Skype seen from the network Skype network obfuscation Low level data transport Thought it was over? How to speak Skype 4 Advanced/diverted Skype functions Analysis of the login phase Playing with Skype Traffic Nice commands 5 ConclusionPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 55/98
  64. 64. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype How to speak Skype Skypy, the Scapy add-on We developed an add-on to Scapy from the “binary specifications” It uses the Oracle Revelator shellcode and a TCP←→UNIX relay to de-obfuscate datagrams It can reassemble and decode obfuscated TCP streams It can assemble Skype packets and speak SkypePhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 56/98
  65. 65. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a=rdpcap("../cap/skype up.cap") >>> a[:20].nsummary() 172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re 172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re 172.16.72.131:3196 > 85.89.168.113:18812 S 172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype ResendPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98
  66. 66. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a=rdpcap("../cap/skype up.cap") >>> a[:20].nsummary() 172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re 172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re 172.16.72.131:3196 > 85.89.168.113:18812 S 172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype ResendPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98
  67. 67. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a=rdpcap("../cap/skype up.cap") >>> a[:20].nsummary() 172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re 172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re 172.16.72.131:3196 > 85.89.168.113:18812 S 172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype ResendPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98
  68. 68. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a=rdpcap("../cap/skype up.cap") >>> a[:20].nsummary() 172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re 172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re 172.16.72.131:3196 > 85.89.168.113:18812 S 172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype ResendPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98
  69. 69. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a=rdpcap("../cap/skype up.cap") >>> a[:20].nsummary() 172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re 172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck 172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck 172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend 130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re 172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re 172.16.72.131:3196 > 85.89.168.113:18812 S 172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re 24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck 172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype ResendPhilippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 57/98
  70. 70. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a[0] < Ether dst=00:24:13:21:54:11 src=00:12:39:94:2a:ca type=0x800 |< IP version=4L ihl=5L tos=0x0 len=46 id=0 flags=DF frag=0L ttl=64 proto=UDP chksum=0xa513 src=172.16.72.131 dst=212.70.204.209 options=’’ |< UDP sport=2051 dport=23410 len=26 chksum=0x9316 |< Skype SoF id=0x7f46 func=0x2 |< Skype Enc iv=0x93763FBL crc32=0xF28624E6L crypted=’x9ax83)x08Kxc6xa8’ |< Skype Cmd cmdlen=4L is b0=0L is req=1L is b2=0L cmd=27L reqid=32581 val=< Skype Encod encod=0x42 |< Skype Compressed val=[] |>> |>>>>>>Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 58/98
  71. 71. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Example: a Skype startup >>> a[6][UDP].psdump(layer_shift=0.5) 08 03 24 16 00 1f 13 cf UDP 7f 48 63 01 83 b0 86 56 sport 2051 82 a1 2c 75 f1 02 f0 88 fe 65 13 2c e1 97 ac dport 9238 len 31 chksum 0x13cf Skype SoF id 0x7f48 func 0x63 Skype Resend adet 0x1 dst 131.176.134.86 src 130.161.44.117 crc 0xF102F088L reencrypted ’xfeex13,xe1x9[...]Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 59/98
  72. 72. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Connection Request a connection to 67.172.146.158:4344 >>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype SoF( id=RandShort())/Skype Enc()/Skype Cmd(cmd=27, reqid=RandShort(), val=Skype Encod(encod=0x41)/Skype Objects Set(objnb=0))) Begin emission: Finished to send 1 packets. * Received 1 packets, got 1 answers, remaining 0 packets < IP version=4L ihl=5L tos=0x0 len=46 id=48125 flags= frag=0L ttl=107 proto=UDP chksum=0x265 src=67.172.146.158 dst=172.16.15.2 options=’’ | < UDP sport=4344 dport=31337 len=26 chksum=0xa04d |< Skype SoF id=0x2f13 func=0x2 | < Skype Enc iv=0x8B3EBE25L crc32=0xAB015175L crypted=’%xdahxe3Pxddx94’ |< Skype Cmd cmdlen=4L is b0=1L is req=1L is b2=0L cmd=28L reqid=54822 val=< Skype Encod encod=0x42 | < Skype Compressed val=[] |>> |>>>>>Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 60/98
  73. 73. Skype network obfuscation Skype protections Low level data transport Skype seen from the network Thought it was over? Advanced/diverted Skype functions How to speak Skype Connection Ask for other nodes’ IP >>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF( id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(), val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2) /Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100))) < IP version=4L ihl=5L tos=0x0 len=110 id=56312 flags= frag=0L ttl=107 proto=UDP chksum=0xe229 src=67.172.146.158 dst=172.16.15.2 options=’’ | < UDP sport=4344 dport=31337 len=90 chksum=0x485d |< Skype SoF id=0x3c66 func=0x2 | < Skype Enc iv=0x31EB8C94L crc32=0x75012AAFL crypted=’"xf5x01~xd1xb0(xa8x03xd1xd9x8d6x97xd6x9exc0x04< x99xf0x0cx14x1dxd6‘xe2xdcxc0xc3x8dxb4Bxa4x9fxd5xbcKx96 xccBxaax17eBt8EA,Kxc2xabx04x11xf2x1fRx93lp.Ix96Hxd4=:x06y xfb’ |< Skype Cmd cmdlen=69L is b0=1L is req=1L is b2=0L cmd=8L reqid=45233 val=< Skype Encod encod=0x42 |< Skype Compressed val=[[0, 201L], [2, < Skype INET ip=140.113.228.225 port=57709 |>], [2, < Skype INET ip=128.239.123.151 port=40793 |>], [2, < Skype INET ip=82.6.134.18 port=48184 |>], [2, < Skype INET ip=134.34.70.155 port=43794 |>], [2, < Skype INET ip=83.169.167.160 port=33208 |>], [2, < Skype INET ip=201.235.61.125 port=62083 |>], [2, < Skype INET ip=140.118.101.109 port=1528 |>], [2, < Skype INET ip=213.73.140.197 port=28072 |>], [2, < Skype INET ip=70.246.101.138 port=29669 |>], [0, 9L], [5, None]] |>> |>>>>>Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 61/98
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×