A little bit about Trojan.Peskyspy
By
Peter Parkes on September 3, 2009 in Trojans and viruses.
Some of you may have seen stories circulating about a ‘trojan’ (a malicious piece of software) which can listen in to your Skype calls – and I’d like to set the record straight on two points.
- In order for this trojan to ‘listen in’, it has to be run on your computer, which means that your computer is already compromised – e.g. by a virus.
- It doesn’t exploit the Skype software; instead, it ‘listens in’ to the audio data which is transferred between Skype and your computer hardware – your headset and microphone, for example – and it does this using processes which are available in the Microsoft Windows operating system. It’s like standing next to someone when they are talking
So, what should you do? All the usual security recommendations still apply – make sure you don’t open files from people you don’t trust, stay current on patches and updates for your computer and use an up-to-date anti-virus program.
If you’re looking for more details, the security experts at Symantec sum things up pretty nicely over on their blog:
What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used in audio input and output. It then is able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is then saved to .mp3 files and stored on the computer.
Because the Trojan listens in the data traveling between the Skype process and the audio device, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level. Essentially, it sits below these security measures, recording the audio at the Windows level—before outbound audio from the microphone gets to Skype and after incoming audio leaves Skype and reaches the speakers.
Finally, the Trojan contains a back door, which enables an attacker to have the stolen audio conversations sent to a predetermined location, where they can later be listened to.
In terms of impact, we don’t see this threat gaining much of a foothold out in the wild. What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind we recommend keeping your virus definition and IPS signatures up-to-date.
