Skype Security Blog

Some of you may have seen stories circulating about a ‘trojan’ (a malicious piece of software) which can listen in to your Skype calls – and I’d like to set the record straight on two points.

• In order for this trojan to ‘listen in’, it has to be run on your computer, which means that your computer is already compromised – e.g. by a virus.
• It doesn’t exploit the Skype software; instead, it ‘listens in’ to the audio data which is transferred between Skype and your computer hardware – your headset and microphone, for example – and it does this using processes which are available in the Microsoft Windows operating system. It’s like standing next to someone when they are talking

So, what should you do? All the usual security recommendations still apply – make sure you don’t open files from people you don’t trust, stay current on patches and updates for your computer and use an up-to-date anti-virus program.

If you’re looking for more details, the security experts at Symantec sum things up pretty nicely over on their blog:

What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used in audio input and output. It then is able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is then saved to .mp3 files and stored on the computer.

Because the Trojan listens in the data traveling between the Skype process and the audio device, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level. Essentially, it sits below these security measures, recording the audio at the Windows level—before outbound audio from the microphone gets to Skype and after incoming audio leaves Skype and reaches the speakers.

Finally, the Trojan contains a back door, which enables an attacker to have the stolen audio conversations sent to a predetermined location, where they can later be listened to.

In terms of impact, we don’t see this threat gaining much of a foothold out in the wild. What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind we recommend keeping your virus definition and IPS signatures up-to-date.

A browser-level vulnerability has been revealed by Secure Science Corporation that could impact Skype users.

Continue reading "Cross-Site Request Forgery (CSRF) Vulnerability" »

It appears that someone is attempting to perpetrate a form of the ‘Nigerian’ or ‘Foreign Lottery’ scam using the Skype brand, promising to pay significant prize winnings in a contest.

If you have received an email that appears to be from Skype, please do not respond and/or share any personal and private information as the result of this email.

Here's the version of the message we've seen making the rounds:

It appears some of our users have been subject to phishing emails - if you have received an email that appears to be from Skype, please DO NOT enter your username and password as the result of this email.

Also, as a consequence of this, skype.com's mail servers are currently down (we are subject to a flood of bounced emails from emails that do not exist as a result of the phishing emails) - this means our customer support is not currently contactable.

We are doing our best to resolve this situation as quickly as we can and will post updates here as soon as we have them. Please bear with us during while work on solving this.

UPDATE: We are happy to let you know that our mail servers are back up, customer support is available and the phishing sites associated with this incident are no longer active. As a reminder, we strongly encourage users to be cautious when responding to any email that requests sensitive personal information.

Earlier this week, security researchers at the Microsoft Malware Protection Center discovered that some Microsoft antimalware products such as Windows Live OneCare were incorrectly identifying some versions of Skype as malware. Such products may stop Skype’s operation and falsely notify the user about the following malware: Trojan:Win32/Vundo.gen!D.

The issue may have affected users of the following Microsoft antimalware products: Microsoft Forefront Client Security, Windows Live OneCare and Windows Live OneCare Safety Scanner. Microsoft has already released an update (a fixed signature file) which was pushed to users of Microsoft's antimalware products.

Once the fixed signature is deployed, Skype should be able to run normally. The fix is included in signature files version 1.31.9121.0 and higher. More information is available here.

We've seen some instances where a chat message masquerading as a link to an image file instead leads to a piece of malware. The chat messages may look similar to this:

If you receive something like this through a Skype chat message, do not be alarmed. Instead, ignore it and block the sender. Do not click on the link or open the file that the link points to.

When executed, however, the Trojan downloader creates a Microsoft Studio Files folder in the Program Files directory, populating it with a copy of itself (lsass.exe) as well as a script file (vcdg.bat) that helps it bypass the Windows firewall. The program also changes the Windows registry to enable automatic execution upon Windows startup and to bypass the Windows firewall. Following these steps, the program downloads files into the infected system.

The Skype security team would like to remind users to keep their antivirus software updated and maintain a skeptical eye toward chat messages that don't seem quite right and contain internet links, whether they appear to come from friends or total strangers.

We recently disabled the ability to use Skype's Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent.

As we said in our post on January 18, the measure would be temporary. That is, until an official fix to the vulnerability would be made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248.

For those who have upgraded to the latest build, we have now re-enabled video downloads from both Dailymotion and Metacafe. Users of older versions of Skype for Windows will not be able to access these video galleries and will need to upgrade.

Last but not least, we'd like to encourage all users to frequently upgrade their version of Skype. This helps ensure that the Skype experience is safer and more enjoyable.

A vulnerability that allowed an attacker to execute arbitrary code on a Skype user's Windows PC without their consent has been discovered in Skype and on Dailymotion, the video-sharing site where Skype users can download video clips and add them to their Skype moods and chats.

The vulnerability had the potential to affect users of Skype 3.5 and 3.6 for Windows who, in Skype's video gallery, navigated to a Dailymotion video with a specially crafted title.

The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, therefore Skype users are unlikely to have been affected. Skype has temporarily disabled users' ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site.

For a more detailed description of the issue, please see the most recent Skype Security Bulletin.

Update: We've also temporarily disabled the ability to add videos from the Metacafe video gallery. Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available.

- - -

Final update on Feb. 6, 2008 - the issue has been resolved. Please see today's post for more information.

In early November, Zero Day Initiative informed Skype of a vulnerability that allows a remote attacker to execute arbitrary code, provided that the user visits a malicious website.

The flaw exists within the skype4com URI handler component of Skype. An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.

The issue was fixed in the public release of Skype 3.6 for Windows. All versions of Skype for Windows updated or installed as of November 15 include the patch.

At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public's attention. All we can do now is to apologize.

Meanwhile, we'd like to advise users to always upgrade to the latest version of Skype. This ensures access to the latest features, improvements and fixes, and helps get the most out of your Skype experience.

Looks like virus writers are at it again. Some Skype users have been contacted over chat by people warning against viruses and offering to send the user a file that masquerades as Spyware Doctor, a popular anti-malware program from PC Tools. Needless to say, the file they're attempting to send (SpyWareDoctorSetup.exe) is not the real thing. Instead, it's a piece of malware, affecting Windows users. Do not accept or run this executable file.

Continue reading "Password stealer" »