The document discusses protections and obfuscation techniques used in the Skype software, including binary packing, code integrity checks, anti-debugging methods, and code obfuscation. It notes that these protections make analysis of Skype's behavior and traffic difficult. The document outlines methods researchers used to unpack and analyze Skype, such as building an unpacker to reconstruct the binary and using a twin processes debugging technique to handle Skype's code integrity checks. The overall goal was to better understand Skype's protections and how it functions in order to address security concerns about its use.
Silver needle in Skype
1. Skype protections
Skype seen from the network
Advanced/diverted Skype functions
Silver Needle in the Skype
Philippe BIONDI Fabrice DESCLAUX
phil(at)secdev.org / philippe.biondi(at)eads.net
serpilliere(at)rstack.org / fabrice.desclaux(at)eads.net
EADS Corporate Research Center — DCR/STI/C
IT sec Lab
Suresnes, FRANCE
BlackHat Europe, March 2nd and 3rd, 2006
Philippe BIONDI, Fabrice DESCLAUX Silver Needle in the Skype 1/98
2. Outline
1 Context of the study
2 Skype protections
Binary packing
Code integrity checks
Anti debugging technics
Code obfuscation
3 Skype seen from the network
Skype network obfuscation
Low level data transport
Thought it was over?
How to speak Skype
4 Advanced/diverted Skype functions
Analysis of the login phase
Playing with Skype Traffic
Nice commands
5 Conclusion
3. Problems with Skype: the network view
From a network security administrator's point of view:
Almost everything is obfuscated (looks like /dev/random)
Peer-to-peer architecture: many peers, no clear identification of the destination peer
Automatically reuses proxy credentials
Traffic even when the software is not in use (pings, relaying)
=⇒ Impossible to distinguish normal behaviour from information exfiltration (encrypted traffic on strange ports, night-time activity)
=⇒ Jams the signs of real information exfiltration
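The claim that Skype traffic "looks like /dev/random" is something a network administrator can check with a payload entropy test, which is also the simplest detector for encrypted exfiltration. The Python script below is an added example, not code from the presentation: it scores constructed payloads (a plaintext HTTP request and two SHA-256-derived byte strings standing in for Skype-like and exfiltration-like ciphertext) and shows that an entropy detector flags the last two identically. The threshold, the minimum payload length and the sample payloads are assumptions of this example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; 8.0 is the ceiling for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_random(payload: bytes, threshold: float = 7.0, min_len: int = 256) -> bool:
    """True when a payload is long enough to score and its entropy is close to 8 bits/byte.

    The minimum length matters: a 20-byte payload can never measure much above
    log2(20) bits/byte, so short keep-alives would always read as 'structured'.
    threshold and min_len are assumptions chosen for this example.
    """
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


def prng_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed SHA-256 chain, not real traffic)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads: one plaintext HTTP request, two random-looking blobs.
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n"
) * 8
SAMPLES = {
    "http": HTTP_REQUEST,
    "skype_like": prng_bytes(b"constructed skype-like payload", 1024),
    "exfil_like": prng_bytes(b"constructed exfiltration payload", 1024),
}


def classify(samples: dict) -> dict:
    """Map each payload name to whether the entropy detector flags it as random-looking."""
    return {name: looks_random(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:11s} entropy={shannon_entropy(payload):.2f} flagged={looks_random(payload)}")
```

Both random-looking samples are flagged the same way, which is exactly the administrator's problem on this slide: once legitimate traffic is indistinguishable from noise, the detector's only remaining handle is context (ports, timing, volume), not content.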
4. Problems with Skype: the system view
From a system security administrator's point of view:
Many protections
Many anti-debugging tricks
A lot of ciphered code
A product that works well, for free (as in beer)?! From a company not involved in Open Source?!
=⇒ Is there something to hide?
=⇒ Impossible to scan for trojan/backdoor/malware inclusion
5. Problems with Skype: some legitimate questions
The Chief Security Officer's point of view:
Is Skype a backdoor?
Can I distinguish Skype's traffic from real data exfiltration?
Can I block Skype's traffic?
Is Skype a risky program for my sensitive business?
6. Problems with Skype: idea of usage inside companies?
At least 700k users regularly connect only on working days.
[Figure: number of connected users (y axis "connected", 2e+06 to 6e+06) plotted against time (x axis, 0 to 2500).]
7. Context of our study: our point of view
We need to make the Skype protocol interoperate with our firewalls
We need to check for the presence/absence of backdoors
We need to check the security problems induced by the use of Skype in a sensitive environment
8. Outline (repeat of slide 2; section 2, Skype protections, begins here)
9. Binary packing: encryption (avoiding static disassembly)
Some parts of the binary are xored by a hard-coded key
In memory, Skype is fully decrypted
[Figure: the Skype binary is made of clear parts and encrypted parts. Decryption procedure: each encrypted part of the binary is decrypted at run time.]
10. Structure overwriting
Anti-dumping tricks
1 The program erases the beginning of the code
2 The program deciphers encrypted areas
3 Skype import table is loaded, erasing part of the original
import table
[Figure: four successive states of the process image. The code at the beginning is erased; the transition code stays; the ciphered code becomes deciphered code; the original import table is partly overwritten by the Skype import table.]
11. Unpacking
Binary reconstruction
Skype seems to have its own packer. We need an unpacker to build a clean binary:
1 Read the internal area descriptors
2 Decipher each area using the keys stored in the binary
3 Read the whole custom import table
4 Rebuild a new import table, common one plus custom one, in another section
5 Patch the binary so that it no longer decrypts itself at run time
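Added example (Python, not the authors' unpacker): a descriptor-driven unpacker for steps 1, 2 and 5 above, run on a constructed packed image. The descriptor layout (offset, length, 32-bit XOR key), the table position and the 5-byte decryption stub are assumptions, since the slides do not document Skype's real area descriptors; the import-table rebuild (steps 3 and 4) is PE-specific and left out.

```python
import struct

DESC_FMT = "<III"                        # (offset, length, 32-bit XOR key): assumed descriptor layout
DESC_SIZE = struct.calcsize(DESC_FMT)
STUB = bytes.fromhex("e8 00 00 00 00")   # stand-in for the call into the run-time decryption routine


def xor32(data, key):
    """XOR `data` with a little-endian 32-bit key repeated over its length."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i & 3] for i, b in enumerate(data))


def read_descriptors(image, table_off, count):
    """Step 1: read the internal area descriptors."""
    return [struct.unpack_from(DESC_FMT, image, table_off + i * DESC_SIZE) for i in range(count)]


def unpack(image, table_off, count, stub_off):
    """Steps 1, 2 and 5 of the reconstruction (import-table rebuilding is not done here)."""
    out = bytearray(image)
    for off, length, key in read_descriptors(image, table_off, count):
        if off + length > len(out):
            raise ValueError("descriptor %#x+%#x points outside the image" % (off, length))
        out[off:off + length] = xor32(out[off:off + length], key)   # step 2: decipher each area
    out[stub_off:stub_off + len(STUB)] = b"\x90" * len(STUB)         # step 5: NOP the auto-decryption
    return bytes(out)


def build_sample():
    """Constructed packed image: stub at 0, descriptor table at 0x10, two ciphered areas."""
    clear = bytearray(0x100)
    clear[0x40:0x60] = b"area A: code that must be clear".ljust(0x20, b"\x00")[:0x20]
    clear[0x80:0xB0] = b"area B: more code".ljust(0x30, b"\x00")
    areas = [(0x40, 0x20, 0xDEADBEEF), (0x80, 0x30, 0x0BADF00D)]
    packed = bytearray(clear)
    packed[0:len(STUB)] = STUB
    for i, (off, length, key) in enumerate(areas):
        struct.pack_into(DESC_FMT, packed, 0x10 + i * DESC_SIZE, off, length, key)
        packed[off:off + length] = xor32(packed[off:off + length], key)
    return bytes(clear), bytes(packed), areas


if __name__ == "__main__":
    clear, packed, areas = build_sample()
    rebuilt = unpack(packed, 0x10, len(areas), 0)
    print("areas restored:", rebuilt[0x40:0xB0] == clear[0x40:0xB0], "stub:", rebuilt[:5].hex())
```

The bounds check on each descriptor matters in practice: a packer that wants to break naive unpackers only has to emit a descriptor pointing past the image.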
12. Unpacking
[Figure: the image before and after the unpacker. Before: erased code, transition code, deciphered code, original import table, Skype import table. After: erased code, modified transition code, deciphered code, old original import table, old Skype import table, plus a new full import table in another section.]
13. Some statistics
Ciphered vs clear code
[Figure: map of the binary; legend: code, data, unreferenced code.]
674 classic imports, 169 hidden imports
Libraries used in hidden imports: KERNEL32.dll, WINMM.dll, WS2_32.dll, RPCRT4.dll, ...
15. Checksumers scheme in Skype
[Figure: main scheme of Skype code checkers. Checkers 1..N and checkers' 1..N are arranged around the code, each computing a checksum over it.]
16. A checksumer, as disassembled
start:
    xor  edi, edi
    add  edi, 0x688E5C
    mov  eax, 0x320E83
    xor  eax, 0x1C4C4
    mov  ebx, eax
    add  ebx, 0xFFCC5AFD
loop_start:
    mov  ecx, [edi+0x10]
    jmp  lbl1
    db   0x19
lbl1:
    sub  eax, ecx
    sub  edi, 1
    dec  ebx
    jnz  loop_start
    jmp  lbl2
    db   0x73
lbl2:
    jmp  lbl3
    dd   0xC8528417, 0xD8FBBD1, 0xA36CFB2F, 0xE8D6E4B7, 0xC0B8797A
    db   0x61, 0xBD
lbl3:
    sub  eax, 0x4C49F346
17. Semi polymorphic checksumers
Interesting characteristics
Each checksumer is a bit different: they seem to be polymorphic
They are executed at random times
The pointer initialization is obfuscated with computations
The loop steps have different values/signs
The checksum operator is randomized (add, xor, sub, ...)
The checksumer length is random
Dummy mnemonics are inserted
The final test is not trivial: it can use the final checksum to compute a pointer to the next code part
18. Semi polymorphic checksumers
But...
They are all composed of:
  a pointer initialization
  a loop
  a lookup
  a test/computation
We can build a script that spots such code
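Added example (Python, not the authors' script): an emulator for the checksumer disassembled on slide 16, generalised to the four-part shape just described (pointer initialisation, loop, lookup, final computation) with pluggable step sign and operator. It runs over a constructed memory window, since Skype's real code bytes are not on the page, and shows why a software breakpoint (int3, 0xCC) inside the checked range changes the result, which is the problem that motivates the twin-process technique on the next slides.

```python
import operator
import struct

MASK = 0xFFFFFFFF
# The checksum operator varies from one checksumer to the next: keep it pluggable.
OPS = {
    "sub": lambda acc, v: (acc - v) & MASK,
    "add": lambda acc, v: (acc + v) & MASK,
    "xor": operator.xor,
}


class Memory:
    """Flat little-endian memory window with constructed contents, starting at `base`."""

    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def dword(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.data) - 4:
            raise IndexError("read outside the window: %#x" % addr)
        return struct.unpack_from("<I", self.data, off)[0]

    def poke(self, addr, value):
        self.data[addr - self.base] = value


def checksum(mem, ptr, count, *, step=-1, disp=0x10, init=0, op="sub", final=0):
    """Generic checksumer: pointer init, `count` iterations of lookup [ptr+disp] folded with `op`,
    then the final computation. `step` may be +/-1, +/-4, ... as the loop steps vary in value/sign."""
    acc, fold = init & MASK, OPS[op]
    for _ in range(count):
        acc = fold(acc, mem.dword(ptr + disp))
        ptr = (ptr + step) & MASK
    return (acc - final) & MASK


def slide16_params():
    """The obfuscated pointer/counter initialisation of the slide-16 checksumer."""
    edi = 0x688E5C                        # xor edi, edi ; add edi, 0x688E5C
    eax = 0x320E83 ^ 0x1C4C4              # mov eax, 0x320E83 ; xor eax, 0x1C4C4  -> 0x33CA47
    ebx = (eax + 0xFFCC5AFD) & MASK       # mov ebx, eax ; add ebx, 0xFFCC5AFD   -> 0x2544 iterations
    return edi, eax, ebx


def slide16_checksum(mem):
    edi, eax, ebx = slide16_params()
    return checksum(mem, edi, ebx, step=-1, disp=0x10, init=eax, op="sub", final=0x4C49F346)


def checked_range():
    """Bytes the slide-16 loop reads: from edi+0x10-(count-1) up to edi+0x10+4 (exclusive)."""
    edi, _, count = slide16_params()
    return edi + 0x10 - (count - 1), edi + 0x10 + 4


def breakpoint_effect():
    """A software breakpoint planted inside the checked area changes the checksum."""
    lo, hi = checked_range()
    mem = Memory(lo, bytes(i & 0xFF for i in range(hi - lo)))   # constructed "code" bytes
    clean = slide16_checksum(mem)
    mem.poke(0x688E00, 0xCC)                                     # debugger writes int3 here
    return clean, slide16_checksum(mem)


if __name__ == "__main__":
    clean, patched = breakpoint_effect()
    print("checked range: %#x-%#x" % checked_range())
    print("clean %#010x, with int3 %#010x" % (clean, patched))
```

Note that the loop walks the pointer down one byte at a time, so every byte of the range is covered by four overlapping dword reads; there is no alignment trick that lets a breakpoint hide between lookups.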
19. Global checksumer scheme
[Figure: graph of the checksumers. Each rectangle represents a checksumer; an arrow represents the checker/checked link.]
In fact, there were nearly 300 checksums
20. How to get the computed value
Solution 1
Put a breakpoint on each checksumer
Collect all the computed values during a run of the program
Problem: software breakpoints change the checksums
Problem: we only have 4 hardware breakpoints
⇒ Twin processes debugging
Solution 2
Emulate the code
21. Twin processes debugging
1 Put software breakpoints on every checksumer of one process
2 Run it until it reaches a breakpoint
3 Put 2 hardware breakpoints, before and after the same checksumer, in the twin process
4 Use the twin process to compute the checksum value
5 Write it down
6 Report it into the first process and jump over the checksumer
7 Go to step 2
22. Twin processes debugging
[Figure: Process 1 (software breakpoints) and Process 2 (hardware breakpoints), both driven by the twin debugger; the PC advances from one checksumer to the next.]
25. Twin processes debugging
Twin processes debugger using PytStop [PytStop]
import pytstop

checksumers = { start: stop, ... }          # checksumer start address -> address just after it
p = pytstop.strace("/usr/bin/skype")        # process 1: software breakpoints
q = pytstop.strace("/usr/bin/skype")        # process 2, the twin: hardware breakpoints only
for bp in checksumers.keys():
    p.setbp(bp)
while 1:
    p.cont()                                # run until a checksumer is reached
    hbp = q.sethbp(checksumers[p.eip])      # hardware breakpoint after the same checksumer in the twin
    q.cont()
    q.delhbp(hbp)
    print "Checksumer at %08x set eax=%08x" % (p.eip, q.eax)
    p.eax = q.eax                           # report the clean value into process 1
    p.eip = q.eip                           # and jump over the checksumer
27. Original checksumer (left) and checksumer patched with the value obtained from the twin process (right)
Original:
start:
    xor  edi, edi
    add  edi, 0x688E5C
    mov  eax, 0x320E83
    xor  eax, 0x1C4C4
    mov  ebx, eax
    add  ebx, 0xFFCC5AFD
loop_start:
    mov  ecx, [edi+0x10]
    jmp  lbl1
    db   0x19
lbl1:
    sub  eax, ecx
    sub  edi, 1
    dec  ebx
    jnz  loop_start
    jmp  lbl2
    db   0x73
lbl2:
    jmp  lbl3
    dd   0xC8528417, 0xD8FBB[...]
    db   0x61, 0xBD
lbl3:
    sub  eax, 0x4C49F346

Patched:
start:
    xor  edi, edi
    add  edi, 0x688E5C
    mov  eax, 0x320E83
    xor  eax, 0x1C4C4
    mov  ebx, eax
    add  ebx, 0xFFCC5AFD
loop_start:
    mov  ecx, [edi+0x10]
    jmp  lbl1
    db   0x19
lbl1:
    mov  eax, 0x4C49F311
    nop
    [...]
    nop
    jmp  lbl2
    db   0x73
lbl2:
    jmp  lbl3
    dd   0xC8528417, 0xD8FBB[...]
    db   0x61, 0xBD
lbl3:
    sub  eax, 0x4C49F346
28. Last but not least
Signature based integrity-check
There is a final check: an integrity check based on an RSA signature
The moduli are stored in the binary (65537 is the public exponent, the long decimal string the modulus):
    lea  eax, [ebp+var_C]
    mov  edx, offset "65537"
    call str_to_bignum
    lea  eax, [ebp+var_10]
    mov  edx, offset "381335931360376775423064342989367511..."
    call str_to_bignum
30. Counter measures against dynamic attack
Skype has some protections against debuggers
  Anti-SoftICE: it tries to load SoftICE's driver. If that works, SoftICE is loaded.
  Generic anti-debugger: the checksums spot software breakpoints, as they change the integrity of the binary
Counter counter measures
  The Rasta Ring 0 Debugger [RR0D] is not detected by Skype
31. Binary protection: Anti debuggers
The easy one: first SoftICE test
    mov  eax, offset strSiwvid ; ".Siwvid"
    call test_driver
    test al, al
Hidden test: it checks whether SoftICE is in the driver list (the name "ntice.sys" is compared 4 bytes at a time)
    call EnumDeviceDrivers
    ...
    call GetDeviceDriverBaseNameA
    ...
    cmp  eax, 'ntic'
    jnz  next
    cmp  ebx, 'e.sy'
    jnz  next
    cmp  ecx, 's\x00\x00\x00'
    jnz  next
32. Binary protection: Anti debuggers
Anti-anti SoftICE
IceExt is an extension to SoftICE; its driver name "iceext.sys" is looked for the same way:
    cmp  esi, 'icee'
    jnz  short next
    cmp  edi, 'xt.s'
    jnz  short next
    cmp  eax, 'ys\x00\x00'
    jnz  short next
Timing measures
Skype takes timing measurements to check whether the process is being debugged:
    call GetTickCount
    mov  gettickcount_result, eax
33. Binary protection: Anti debuggers
Counter measures
When it detects an attack, it traps the debugger:
  registers are randomized
  a random page is jumped into
It is difficult to trace back the detection because there is no more stack frame, no EIP, ...
    pushf
    pusha
    mov  save_esp, esp
    mov  esp, ad_alloc?
    add  esp, random_value
    sub  esp, 20h
    popa
    jmp  random_mapped_page
(popa reloads every general register from the random stack location, which is how the registers end up randomized.)
34. Binary protection: Anti debuggers
Solution
The random memory page is allocated with special characteristics
So we break on malloc(), filtered on those properties, to spot the creation of this page
We then spot the pointer that stores this page's location
We can then put a hardware breakpoint to monitor it, and break in the detection code
36. Protection of sensitive code
Code obfuscation
The goal is to protect code from being reverse engineered
Principle used here: mangle the code as much as possible
Advantages
  Slows down code study
  Avoids direct code stealing
Drawbacks
  Slows down the application
  Grows software size
37. Techniques used
Code indirection calls
sub_9F8F70:
    mov  eax, 9FFB40h
    mov  eax, [ecx+34h]
    sub  eax, 7F80h
    push esi
    mov  edx, 7799C1Fh
    mov  esi, [ecx+44h]
    mov  ecx, [ebp-14h]
    sub  eax, 292C1156h
    call eax                ; sub_9F7BC0
    add  esi, eax
    neg  eax
    mov  eax, 371509EBh
    add  eax, 19C87A36h
    sub  eax, edx
    mov  edx, 0CCDACEF0h
    mov  [ecx+44h], esi
    mov  ecx, [ebp-14h]
    xor  eax, 40F0FC15h
    call eax
    pop  esi
    ; eax = 009F8F70
    retn
Principle
Each call target is computed at run time: difficult to follow statically
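Added example (Python, not from the original deck): the usual answer to computed call targets is a constant-propagation pass over the mov/add/sub/xor/neg chains, which folds a target when every input is an immediate and gives up when the chain goes through a memory load such as [ecx+34h]. The listing it runs on is a constructed fragment in the style of the one above (same MASM immediates); the evaluator's instruction subset and the register model are this example's own.

```python
import re

MASK = 0xFFFFFFFF
ALU = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "xor": lambda a, b: a ^ b}
IMM = re.compile(r"^(?:[0-9][0-9A-Fa-f]*h|\d+)$")   # MASM style: 7F80h, 0CCDACEF0h, or decimal


def imm(tok):
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


def value(tok, regs):
    """Known constant for an operand, or None (memory operand, unknown register, symbol)."""
    if tok.startswith("["):
        return None
    if IMM.match(tok):
        return imm(tok)
    return regs.get(tok)


def resolve_calls(listing):
    """Walk the listing once, propagating constants through registers.
    Returns one entry per `call`: the folded target, or None when it depends on memory."""
    regs, targets = {}, []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.endswith(":"):          # blank line or label
            continue
        op, _, rest = line.partition(" ")
        op, args = op.lower(), [a.strip() for a in rest.split(",") if a.strip()]
        if op == "call":
            targets.append(value(args[0], regs))
        elif op == "mov" and not args[0].startswith("["):
            regs[args[0]] = value(args[1], regs)    # a load from memory marks the register unknown
        elif op in ALU and not args[0].startswith("["):
            a, b = regs.get(args[0]), value(args[1], regs)
            regs[args[0]] = None if a is None or b is None else ALU[op](a, b) & MASK
        elif op == "neg":
            a = regs.get(args[0])
            regs[args[0]] = None if a is None else (-a) & MASK
        # push/pop/retn and stores to memory change nothing that is tracked here
    return targets


# Constructed fragment in the style of sub_9F8F70 above.
SAMPLE = """
sub_1000:
    mov  eax, 9FFB40h
    sub  eax, 7F80h
    call eax                 ; 9FFB40h - 7F80h = 9F7BC0h: foldable
    mov  eax, [ecx+34h]      ; loaded from memory: unknown to a static pass
    sub  eax, 292C1156h
    call eax                 ; cannot be resolved without the memory contents
    mov  edx, 7799C1Fh
    mov  eax, 371509EBh
    add  eax, 19C87A36h
    sub  eax, edx
    mov  edx, 0CCDACEF0h
    xor  eax, 40F0FC15h
    call eax                 ; foldable, through edx
    retn
"""

if __name__ == "__main__":
    for n, target in enumerate(resolve_calls(SAMPLE), 1):
        print("call %d -> %s" % (n, "unresolved" if target is None else "%#010x" % target))
```

Unresolved targets are exactly the ones worth a dynamic pass (or an emulator seeded with the real memory), so the script doubles as a worklist builder.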
38. Techniques used
Determined conditional jumps
In C, this means:
    ...
    if (sin(a) == 42) {
        do_dummy_stuff();
    }
    go_on();
    ...
sin(a) can never equal 42, so the branch is never taken; a static analyser that does not evaluate the predicate still has to consider the dead code.
39. Techniques used
Execution flow rerouting
    lea  edx, [esp+4+var_4]
    add  eax, 3D4D101h
    push offset area
    push edx
    mov  [esp+0Ch+var_4], eax
    call RaiseException
    rol  eax, 17h
    xor  eax, 350CA27h
    pop  ecx
Sometimes, the code raises an exception
An error handler is called
If it is a fake error, the handler tweaks memory addresses and registers ⇒ back to the calling code
Principle
Hard to understand the whole code: we have to stop at the error handler and study its code.
40. Bypassing this little problem
In some cases we were able to avoid the analysis
We injected shellcodes to parasitize these functions
42. Skype on UDP
Skype UDP start of frame
Datagrams begin with a Start of Frame (SoF) layer composed of:
  a frame ID number (2 bytes)
  a type of payload (1 byte), either:
    obfuscated payload
    Ack/NAck packet
    payload forwarding packet
    payload resending packet
    a few other things
43. Skype Network Obfuscation Layer
45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83 18 62 42 50   IP header
08 03 20 53 00 1a 21 9c                                       UDP header
7f 4e 02                                                      Skype SoF
11 8a c0 37 fc 95 75 5e 5e b9 81 7a 8e fa 81                  Skype crypted data
IP: version 4, ihl 5, tos 0x0, len 46, id 4, flags DF, frag 0, ttl 64, proto UDP, chksum 0xeb75, src 172.16.72.131, dst 24.98.66.80, options ''
UDP: sport 2051, dport 8275, len 26, chksum 0x219c
Skype SoF: id 0x7f4e, func 0x2
Skype Crypted Data: iv 0x118AC037, crc32 0xFC95755E, crypted '^\xb9\x81z\x8e\xf[...]
44. Skype Network Obfuscation Layer
Data are encrypted with RC4; the layer carries an IV and a CRC32
The RC4 key is calculated with elements from the datagram:
  public source and destination IP
  Skype's packet ID
  Skype's obfuscation layer's IV
These are combined into a seed, which is fed to the seed-to-RC4-key engine, which outputs the RC4 key (80 bytes)
[Figure: Source IP | Destination IP | ID | \x00\x00 → seed → seed to RC4 key engine → RC4 key (80 bytes)]
45. Skype Network Obfuscation Layer
The public IP
Problem 1: how does Skype know its public IP?
1 At the beginning, it uses 0.0.0.0
2 Its peer won't be able to decrypt the message (bad CRC)
3 ⇒ The peer sends a NAck with the public IP
4 Skype updates what it knows about its public IP accordingly
24 16 08 03 00 13 08 54          UDP header
7f 4e 77                         Skype SoF
52 7c 48 33 83 b0 86 56          Skype NAck
UDP: sport 9238, dport 2051, len 19, chksum 0x854
Skype SoF: id 0x7f4e, func 0x77
Skype NAck: src 82.124.72.51, dst 131.176.134.86
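Added example (Python, not the Skypy add-on from the deck): a plain parser for the two layers dissected on slides 43 and 45, run on the exact byte dumps printed there. SoF is a 2-byte id and a 1-byte func; func 0x02 carries a 4-byte IV, a 4-byte CRC32 and the RC4-obfuscated payload; func 0x77 is the NAck with the public source and destination IPs. Byte order and the NAck layout are read off the dumps, not from a specification, and the constant names are this example's own.

```python
import ipaddress
import struct

SOF_OBFUSCATED, SOF_NACK = 0x02, 0x77

# Datagram from slide 43 (172.16.72.131:2051 -> 24.98.66.80:8275), copied from the hex dump.
UDP_OBF = bytes.fromhex(
    "45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83 18 62 42 50 "
    "08 03 20 53 00 1a 21 9c 7f 4e 02 11 8a c0 37 fc 95 75 5e "
    "5e b9 81 7a 8e fa 81")
# NAck from slide 45: only the UDP header and payload are printed there.
UDP_NACK = bytes.fromhex("24 16 08 03 00 13 08 54 7f 4e 77 52 7c 48 33 83 b0 86 56")


def parse_udp(seg):
    """UDP header -> (sport, dport, payload); the length field must match what we hold."""
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", seg, 0)
    if ulen != len(seg) or ulen < 8:
        raise ValueError("UDP length %d does not match segment of %d bytes" % (ulen, len(seg)))
    return sport, dport, seg[8:ulen]


def parse_ipv4_udp(pkt):
    """IPv4/UDP datagram -> (src, dst, sport, dport, udp_payload)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not IPv4/UDP")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
    src, dst = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16))
    sport, dport, payload = parse_udp(pkt[ihl:total])
    return src, dst, sport, dport, payload


def parse_skype_udp(payload):
    """Decode the SoF and the func-specific layer behind it."""
    if len(payload) < 3:
        raise ValueError("too short for a Skype SoF")
    frame_id, func = struct.unpack_from("!HB", payload, 0)
    fields, body = {"id": frame_id, "func": func}, payload[3:]
    if func == SOF_OBFUSCATED:
        if len(body) < 8:
            raise ValueError("obfuscated payload needs IV and CRC32")
        fields["iv"], fields["crc32"] = struct.unpack_from("!II", body, 0)
        fields["crypted"] = body[8:]
    elif func == SOF_NACK:
        if len(body) != 8:
            raise ValueError("NAck: expected two IPv4 addresses")
        fields["src"], fields["dst"] = (str(ipaddress.IPv4Address(body[o:o + 4])) for o in (0, 4))
    else:
        fields["raw"] = body          # Ack, Forward, Resend, ...: not decoded here
    return fields


def summary(src, dst, sport, dport, fields):
    """One-line rendering in the spirit of Scapy's nsummary() on slide 65."""
    layer = {SOF_OBFUSCATED: "Skype Enc", SOF_NACK: "Skype NAck"}.get(fields["func"], "Skype ?")
    return "%s:%d > %s:%d / Skype SoF id=0x%x func=0x%x / %s" % (
        src, sport, dst, dport, fields["id"], fields["func"], layer)


if __name__ == "__main__":
    src, dst, sport, dport, payload = parse_ipv4_udp(UDP_OBF)
    print(summary(src, dst, sport, dport, parse_skype_udp(payload)))
    print(parse_skype_udp(parse_udp(UDP_NACK)[2]))
```

Note that the NAck reuses the SoF id of the datagram it answers (0x7f4e in both dumps), which is what lets a passive observer pair the two.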
46. Skype Network Obfuscation Layer
The seed to RC4 key engine
Problem 2: what is the seed-to-RC4-key engine?
It is not an improvement of the flux capacitor
It is a big fat obfuscated function
It was designed to be the keystone of the network obfuscation
The RC4 key is 80 bytes, but since the seed is 32 bits there are at most 2^32 different keys
It can be seen as an oracle
We did not want to spend time on it
⇒ we parasitized it
Note:
RC4 is used for obfuscation, not for privacy
47. Skype Network Obfuscation Layer
The seed to RC4 key engine
Parasitizing the seed to RC4 key engine
We injected a shellcode that
1 reads requests on a UNIX socket
2 feeds the requests to the oracle function
3 writes the answers back to the UNIX socket
48. Skype Network Obfuscation Layer
The seed to RC4 key engine
/* Oracle Revelator: built into shellcode with shellforge (next slide) and injected into Skype. */
void main(void)
{
    unsigned char key[80];
    void (*oracle)(unsigned char *key, int seed);
    int s, flen; unsigned int i, j, k;
    struct sockaddr_un sa, from; char path[] = "/tmp/oracle";

    oracle = (void (*)()) 0x0724c1e;          /* address of the seed-to-RC4-key function inside Skype */
    sa.sun_family = AF_UNIX;
    for (s = 0; s < sizeof(path); s++)
        sa.sun_path[s] = path[s];
    s = socket(PF_UNIX, SOCK_DGRAM, 0); unlink(path);
    bind(s, (struct sockaddr *)&sa, sizeof(sa));
    while (1) {
        flen = sizeof(from);
        recvfrom(s, &i, 4, 0, (struct sockaddr *)&from, &flen);   /* request: a 32-bit seed */
        for (j = 0; j < 0x14; j++)
            *(unsigned int *)(key + 4*j) = i;                      /* pre-fill the 80-byte key buffer */
        oracle(key, i);                                            /* let Skype's own code derive the key */
        sendto(s, key, 80, 0, (struct sockaddr *)&from, flen);    /* answer: the 80-byte RC4 key */
    }
    unlink(path); close(s); exit(5);
}
49. Use of the shellcode
$ shellforge.py -R oracle_shcode.c | tee oracle.bin | hexdump -C
00000000  55 89 e5 57 56 53 81 ec  cc 01 00 00 e8 00 00 00  |U..WVS..........|
00000010  00 5b 81 c3 ef ff ff ff  8b 93 e5 01 00 00 8b 8b  |.[..............|
[...]
000001d0  fe ff ff 53 bb 0b 00 00  00 cd 80 5b e9 27 ff ff  |...S.......[.'..|
000001e0  ff 2f 74 6d 70 2f 6f 72  61 63 6c 65 00           |./tmp/oracle.|
$ siringe -f oracle.bin -p `pidof skype`
$ ls -lF /tmp/oracle
srwxr-xr-x 1 pbi pbi 0 2006-01-16 13:37 /tmp/oracle=
50. Skype on TCP
The seed is sent in the first 4 bytes of the stream
The RC4 stream is used to decrypt the 10 following bytes, which should be 00 01 00 00 00 01 00 00 00 01/03
The RC4 stream is then reinitialised and used again for the remainder of the stream
0c 7c 49 7c 8b 26 fe 00 67 8b 91 c3 80 18 0b 68   TCP header
51 14 00 00 01 01 08 0a 4c d8 77 45 00 00 00 00   TCP header (continued) and options
33 fb af 76 28 ab b1 93 0a ff 6c df 55 b1         Skype init TCP packet
TCP: sport 3196, dport 18812, seq 2334588416, ack 1737200067, dataofs 8, reserved 0, flags PA, window 2920, chksum 0x5114, urgptr 0, options [('NOP', None), ('[...]
Skype init TCP packet: seed 0x33FBAF76, init_str '(\xab\xb1\x93\n\x[...]
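Added example (Python, not from the original deck) covering two passages: the CRC-driven NAck exchange of slide 45 and the TCP stream start of slide 50. Two things the slides do not print are replaced by labelled stand-ins: the seed-to-RC4-key engine (here a SHA-256 placeholder fed only with the inputs slide 44 names: public source and destination IP, packet ID, IV) and the exact bytes the CRC32 covers (assumed: the clear payload). The rest follows the slides: an 80-byte RC4 key, a receiver that cannot reproduce the key gets a bad CRC and answers with a NAck carrying the sender's public IP, and for TCP the seed is the first 4 bytes, the next 10 must decrypt to 00 01 00 00 00 01 00 00 00 01 (or ...03), and the keystream is restarted for the remainder.

```python
import hashlib
import ipaddress
import struct
import zlib


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA). As the slides note, it serves obfuscation here, not privacy."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def seed_from_datagram(src_ip, dst_ip, frame_id, iv):
    """Assumed combination of the four inputs named on slide 44; Skype's real one is not on the page."""
    blob = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HI", frame_id, iv))
    return struct.unpack("!I", hashlib.sha256(blob).digest()[:4])[0]


def key_engine(seed):
    """Stand-in for the 'seed to RC4 key engine': 32-bit seed -> 80-byte key (so at most 2^32 keys)."""
    h = hashlib.sha256(struct.pack("!I", seed)).digest()
    return (h + hashlib.sha256(h).digest() + hashlib.sha256(h + h).digest())[:80]


def obfuscate(clear, src_ip, dst_ip, frame_id, iv):
    """Build the func=0x02 layer as iv | crc32 | rc4(clear)."""
    key = key_engine(seed_from_datagram(src_ip, dst_ip, frame_id, iv))
    return struct.pack("!II", iv, zlib.crc32(clear) & 0xFFFFFFFF) + rc4(key, clear)


def receive(layer, frame_id, sender_public_ip, my_public_ip):
    """Receiver side: derive the key from the addresses *it* sees, check the CRC, NAck on mismatch."""
    iv, crc = struct.unpack_from("!II", layer, 0)
    key = key_engine(seed_from_datagram(sender_public_ip, my_public_ip, frame_id, iv))
    clear = rc4(key, layer[8:])
    if zlib.crc32(clear) & 0xFFFFFFFF != crc:
        return ("nack", sender_public_ip, my_public_ip)   # the NAck tells the sender its public IP
    return ("data", clear)


def public_ip_discovery():
    """Steps 1-4 of slide 45: send with 0.0.0.0, get NAcked, retry with the learned public IP."""
    peer, real_public = "24.98.66.80", "82.124.72.51"     # addresses taken from the slides' dumps
    frame_id, iv = 0x7F4E, 0x118AC037
    layer = obfuscate(b"hello", "0.0.0.0", peer, frame_id, iv)
    first = receive(layer, frame_id, real_public, peer)
    if first[0] == "nack":
        layer = obfuscate(b"hello", first[1], peer, frame_id, iv)
    return first[0], receive(layer, frame_id, real_public, peer)


TCP_INIT = (bytes.fromhex("00010000000100000001"), bytes.fromhex("00010000000100000003"))


def tcp_stream_open(seed, rest):
    """Sender side of slide 50: clear seed, 10-byte init string, then the keystream restarted."""
    key = key_engine(seed)
    return struct.pack("!I", seed) + rc4(key, TCP_INIT[0]) + rc4(key, rest)


def tcp_stream_accept(stream):
    """Receiver side: read the seed, check the 10-byte marker, decrypt the remainder afresh."""
    seed = struct.unpack_from("!I", stream, 0)[0]
    key = key_engine(seed)
    if rc4(key, stream[4:14]) not in TCP_INIT:
        raise ValueError("first 10 bytes do not decrypt to the Skype init string")
    return seed, rc4(key, stream[14:])


if __name__ == "__main__":
    print(public_ip_discovery())
    print(tcp_stream_accept(tcp_stream_open(0x33FBAF76, b"object list bytes")))
```

The 10-byte marker is what makes a TCP stream recognisable without any key material beyond the seed in the stream itself, which is why the slides can call the scheme obfuscation rather than encryption.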
52. Low level datagrams: the big picture
Almost everything is ciphered
Data can be fragmented
Each command comes with its parameters in an object list
The object list can be compressed
[Figure: SoF → Enc → Cmd → Encod → Object list / Compressed list; SoF → Frag; SoF → Ack; SoF → Forward → Forwarded message; SoF → NAck]
53. Object lists
An object can be a number, a string, an IP:port, or even another object list
Each object has an ID
Skype knows which object corresponds to which command's parameter from its ID
[Figure: Object List = List size, followed by objects such as Number, IP:port, List of numbers, String, RSA key]
56. Arithmetic compression
Example
[0, 1] is split into sub-intervals, one per symbol, according to symbol frequency
We encode ACAB. The first symbol is A: we subdivide its interval
Then comes C
Then A again
Then B
Each real enclosed in this small interval can encode ACAB
Intervals used here: A = [0, 0.5), B = [0.5, 0.625), C = [0.625, 1)
[Figure: the interval [0, 1] split as A [0, 0.5), B [0.5, 0.625), C [0.625, 1); narrowed successively for A, then C, then A, then B. The reals in the final sub-interval encode ACAB.]
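Added example (Python, not from the original deck): the ACAB walk-through above carried out with exact fractions, using the slide's model A = [0, 1/2), B = [1/2, 5/8), C = [5/8, 1). It generalises the slide by giving the encoder for any string over the model, the decoder that recovers the symbols from any real in the final interval, and the shortest dyadic fraction inside it, i.e. the number of bits the four symbols actually cost.

```python
from fractions import Fraction

# Symbol -> [low, high) sub-interval of [0, 1), as drawn on the slide.
MODEL = {"A": (Fraction(0), Fraction(1, 2)),
         "B": (Fraction(1, 2), Fraction(5, 8)),
         "C": (Fraction(5, 8), Fraction(1))}


def encode_interval(text, model=MODEL):
    """Narrow [0, 1) once per symbol; return the final [low, high)."""
    low, high = Fraction(0), Fraction(1)
    for sym in text:
        lo, hi = model[sym]
        width = high - low
        low, high = low + width * lo, low + width * hi
    return low, high


def decode(x, n, model=MODEL):
    """Recover n symbols from a real x in [0, 1) by replaying the same narrowing."""
    out, low, high = [], Fraction(0), Fraction(1)
    for _ in range(n):
        width = high - low
        t = (x - low) / width                  # where x sits inside the current interval
        for sym, (lo, hi) in model.items():
            if lo <= t < hi:
                out.append(sym)
                low, high = low + width * lo, low + width * hi
                break
        else:
            raise ValueError("x is outside [0, 1)")
    return "".join(out)


def shortest_code(low, high):
    """Fewest bits k such that some m / 2**k lies in [low, high); returns (m, k)."""
    k = 0
    while True:
        scale = 2 ** k
        m = -((-low * scale) // 1)             # ceil(low * 2**k) as an int
        if Fraction(m, scale) < high:
            return int(m), k
        k += 1


if __name__ == "__main__":
    low, high = encode_interval("ACAB")
    m, k = shortest_code(low, high)
    print("ACAB -> [%s, %s) -> %d/2^%d = %s -> %s" % (low, high, m, k, bin(m), decode(Fraction(m, 2 ** k), 4)))
```

With this model ACAB ends up in [23/64, 95/256), so the 6-bit value 23/64 (binary 010111) is enough to reproduce it; the decoder needs the symbol count n (or a terminator) because every prefix of a valid code is also a valid code for a shorter string.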
64. How to speak Skype
Skypy, the Scapy add-on
We developed an add-on to Scapy from the "binary specifications"
It uses the Oracle Revelator shellcode and a TCP<->UNIX relay to de-obfuscate datagrams
It can reassemble and decode obfuscated TCP streams
It can assemble Skype packets and speak Skype
65. Example: a Skype startup
>>> a=rdpcap("../cap/skype_up.cap")
>>> a[:20].nsummary()
172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r
172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re
172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req
172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid
130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck
172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend
85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck
172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend
130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re
172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re
172.16.72.131:3196 > 85.89.168.113:18812 S
172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck
172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype Resend
Example: a Skype startup
>>> a[0]
< Ether dst=00:24:13:21:54:11 src=00:12:39:94:2a:ca type=0x800 |< IP
version=4L ihl=5L tos=0x0 len=46 id=0 flags=DF frag=0L ttl=64 proto=UDP
chksum=0xa513 src=172.16.72.131 dst=212.70.204.209 options='' |< UDP
sport=2051 dport=23410 len=26 chksum=0x9316 |< Skype SoF id=0x7f46 func=0x2
|< Skype Enc iv=0x93763FBL crc32=0xF28624E6L crypted='\x9a\x83)\x08K\xc6\xa8'
|< Skype Cmd cmdlen=4L is_b0=0L is_req=1L is_b2=0L cmd=27L reqid=32581
val=< Skype Encod encod=0x42 |< Skype Compressed val=[] |>> |>>>>>>
Example: a Skype startup
>>> a[6][UDP].psdump(layer_shift=0.5)
[psdump figure: hex dump of a[6] with each layer's bytes annotated; the bytes and field values it showed are listed here]
UDP           08 03 24 16 00 1f 13 cf        sport=2051 dport=9238 len=31 chksum=0x13cf
Skype SoF     7f 48 63                       id=0x7f48 func=0x63
Skype Resend  01 83 b0 86 56 82 a1 2c 75     adet=0x1 dst=131.176.134.86 src=130.161.44.117
              f1 02 f0 88                    crc=0xF102F088L
              fe 65 13 2c e1 97 ac           reencrypted='\xfee\x13,\xe1\x9[...]
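Both datagrams shown above, a[0] (Skype Enc) and a[6] (Skype Resend), parsed by a dependency-free dissector. This is an added example, not code from the deck or the Skypy add-on: the byte layout is taken from the psdump slide and the Scapy reprs above, the two samples are constructed from the printed values, and the func & 0x8f classification is an assumption that merely fits every func value on these slides.

```python
import struct
from dataclasses import dataclass, field

# Constructed from values printed on the slides: a[0] from its Scapy repr,
# a[6] from the psdump hex. Each is a full UDP datagram (header + payload).
SAMPLE_A0 = bytes.fromhex("0803 5b72 001a 9316" "7f46 02"
                          "093763fb f28624e6 9a8329084bc6a8")
SAMPLE_A6 = bytes.fromhex("0803 2416 001f 13cf" "7f48 63"
                          "01 83b08656 82a12c75 f102f088 fe65132ce197ac")

# Assumption (not stated on these slides): func & 0x8f selects the SoF type.
# It fits every value shown: 0x2 Enc, 0x77/0x7 NAck, 0x63/0x13/0x23 Resend.
FUNC_MASK = 0x8F
FUNC_NAMES = {0x02: "Skype Enc", 0x03: "Skype Resend", 0x07: "Skype NAck"}

@dataclass
class SkypeDatagram:
    sport: int
    dport: int
    sof_id: int
    func: int
    layer: str
    fields: dict = field(default_factory=dict)

def ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def dissect_skype_udp(pkt: bytes) -> SkypeDatagram:
    """Parse one UDP datagram (header included) carrying a Skype SoF."""
    if len(pkt) < 11:
        raise ValueError("too short for UDP header + Skype SoF")
    sport, dport, ulen, _chksum = struct.unpack("!HHHH", pkt[:8])
    if ulen != len(pkt):
        raise ValueError("UDP length field disagrees with datagram size")
    sof_id, func = struct.unpack("!HB", pkt[8:11])
    layer = FUNC_NAMES.get(func & FUNC_MASK, "unknown")
    d = SkypeDatagram(sport, dport, sof_id, func, layer)
    body = pkt[11:]
    if layer == "Skype Enc":        # iv, crc32, then the obfuscated payload
        if len(body) < 8:
            raise ValueError("truncated Skype Enc")
        iv, crc32 = struct.unpack("!II", body[:8])
        d.fields = {"iv": iv, "crc32": crc32, "crypted": body[8:]}
    elif layer == "Skype Resend":   # adet, dst, src, crc, re-encrypted data
        if len(body) < 13:
            raise ValueError("truncated Skype Resend")
        d.fields = {"adet": body[0], "dst": ip4(body[1:5]), "src": ip4(body[5:9]),
                    "crc": struct.unpack("!I", body[9:13])[0],
                    "reencrypted": body[13:]}
    return d
```

The Enc payload is left as opaque bytes on purpose: removing the obfuscation needs the key schedule the deck covers in its own section, which this parser does not implement.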
Connection
Request a connection to 67.172.146.158:4344
>>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(
id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=27, reqid=RandShort(),
val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=0)))
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
< IP version=4L ihl=5L tos=0x0 len=46 id=48125 flags= frag=0L ttl=107
proto=UDP chksum=0x265 src=67.172.146.158 dst=172.16.15.2 options='' |
< UDP sport=4344 dport=31337 len=26 chksum=0xa04d |< Skype SoF
id=0x2f13 func=0x2 | < Skype Enc iv=0x8B3EBE25L crc32=0xAB015175L
crypted='%\xdah\xe3P\xdd\x94' |< Skype Cmd cmdlen=4L is_b0=1L is_req=1L
is_b2=0L cmd=28L reqid=54822 val=< Skype Encod encod=0x42 |
< Skype Compressed val=[] |>> |>>>>>
Connection
Ask for other nodes’ IP
>>> sr1(IP(dst="67.172.146.158")/UDP(sport=31337,dport=4344)/Skype_SoF(
id=RandShort())/Skype_Enc()/Skype_Cmd(cmd=6, reqid=RandShort(),
val=Skype_Encod(encod=0x41)/Skype_Objects_Set(objnb=2)
/Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))
< IP version=4L ihl=5L tos=0x0 len=110 id=56312 flags= frag=0L ttl=107
proto=UDP chksum=0xe229 src=67.172.146.158 dst=172.16.15.2 options='' |
< UDP sport=4344 dport=31337 len=90 chksum=0x485d |< Skype SoF
id=0x3c66 func=0x2 | < Skype Enc iv=0x31EB8C94L crc32=0x75012AAFL
crypted='"\xf5\x01~\xd1\xb0(\xa8\x03\xd1\xd9\x8d6\x97\xd6\x9e\xc0\x04<
\x99\xf0\x0c\x14\x1d\xd6`\xe2\xdc\xc0\xc3\x8d\xb4B\xa4\x9f\xd5\xbcK\x96
\xccB\xaa\x17eBt8EA,K\xc2\xab\x04\x11\xf2\x1fR\x93lp.I\x96H\xd4=:\x06y
\xfb' |< Skype Cmd cmdlen=69L is_b0=1L is_req=1L is_b2=0L cmd=8L
reqid=45233 val=< Skype Encod encod=0x42 |< Skype Compressed val=[[0,
201L], [2, < Skype INET ip=140.113.228.225 port=57709 |>], [2,
< Skype INET ip=128.239.123.151 port=40793 |>], [2, < Skype INET
ip=82.6.134.18 port=48184 |>], [2, < Skype INET ip=134.34.70.155
port=43794 |>], [2, < Skype INET ip=83.169.167.160 port=33208 |>], [2,
< Skype INET ip=201.235.61.125 port=62083 |>], [2, < Skype INET
ip=140.118.101.109 port=1528 |>], [2, < Skype INET ip=213.73.140.197
port=28072 |>], [2, < Skype INET ip=70.246.101.138 port=29669 |>], [0,
9L], [5, None]] |>> |>>>>>
Outline
1 Context of the study
2 Skype protections
Binary packing
Code integrity checks
Anti debugging techniques
Code obfuscation
3 Skype seen from the network
Skype network obfuscation
Low level data transport
Thought it was over?
How to speak Skype
4 Advanced/diverted Skype functions
Analysis of the login phase
Playing with Skype Traffic
Nice commands
5 Conclusion
Trusted data
Embedded trusted data
To recognize Skype's authority (that is, to verify data signed by Skype), the binary embeds 13 RSA moduli.
Moduli
Two 4096 bits moduli
Nine 2048 bits moduli
Three 1536 bits moduli
RSA moduli example
0xba7463f3...c4aa7b63
...
0xc095de9e...73df2ea7
Finding friends
Embedded data
For the very first connection, IP/PORT are stored in the binary
Moduli
push    offset "*Lib/Connection/LoginServers"
push    45h
push    offset "80.160.91.5:33033 212.72.49.141:33033"
mov     ecx, eax
call    sub_98A360
Some login server IP/PORT and Supernode IP/PORT
80.160.91.12:33033
80.160.91.25:33033
64.246.48.23:33033
...
66.235.181.9:33033
212.72.49.143:33033