
Skype protections Skype seen from the network Advanced/diverted Skype functions

Silver Needle in the Skype

Philippe BIONDI, Fabrice DESCLAUX
phil(at)secdev.org / philippe.biondi(at)eads.net
serpilliere(at)rstack.org / fabrice.desclaux(at)eads.net
EADS Corporate Research Center — DCR/STI/C IT sec Lab, Suresnes, FRANCE

BlackHat Europe, March 2nd and 3rd, 2006

Outline

1 Context of the study
2 Skype protections
    Binary packing
    Code integrity checks
    Anti-debugging techniques
    Code obfuscation
3 Skype seen from the network
    Skype network obfuscation
    Low level data transport
    Thought it was over?
    How to speak Skype
4 Advanced/diverted Skype functions
    Analysis of the login phase
    Playing with Skype traffic
    Nice commands
5 Conclusion

Problems with Skype

The network view

From a network security administrator's point of view:
- Almost everything is obfuscated (looks like /dev/random)
- Peer to peer architecture
    - many peers
    - no clear identification of the destination peer
- Automatically reuses proxy credentials
- Traffic even when the software is not used (pings, relaying)
=⇒ Impossible to distinguish normal behaviour from information exfiltration (encrypted traffic on strange ports, night activity)
=⇒ Jams the signs of real information exfiltration

Problems with Skype

The system view

From a system security administrator's point of view:
- Many protections
- Many anti-debugging tricks
- Much ciphered code
- A product that works well, for free (beer) ?! From a company not involved in Open Source ?!
=⇒ Is there something to hide ?
=⇒ Impossible to scan for trojan/backdoor/malware inclusion

Problems with Skype

Some legitimate questions

The Chief Security Officer's point of view:
- Is Skype a backdoor ?
- Can I distinguish Skype's traffic from real data exfiltration ?
- Can I block Skype's traffic ?
- Is Skype a risky program for my sensitive business ?

Problems with Skype

Idea of usage inside companies ?

At least 700k regularly used only on working days.

[Figure: number of connected Skype users over time; y axis "connected", from 2e+06 to 6e+06; x axis "time", from 0 to 2500]

Problems with Skype

Context of our study

Our point of view:
- We need to interoperate the Skype protocol with our firewalls
- We need to check for the presence/absence of backdoors
- We need to check the security problems induced by the use of Skype in a sensitive environment


Encryption

Avoiding static disassembly
- Some parts of the binary are xored with a hard-coded key
- In memory, Skype is fully decrypted

Skype binary decryption procedure: each encrypted part of the binary is decrypted at run time.
[Figure: layout of the Skype binary, alternating clear parts and encrypted parts]

Structure overwriting

Anti-dumping tricks
1 The program erases the beginning of the code
2 The program deciphers encrypted areas
3 Skype import table is loaded, erasing part of the original import table

[Figure: memory layout after each step: code then erased code, transition code, ciphered then deciphered code, original import table partly overwritten by the Skype import table]

Unpacking

Binary reconstruction
Skype seems to have its own packer. We need an unpacker to build a clean binary:
1 Read internal area descriptors
2 Decipher each area using keys stored in the binary
3 Read all custom import tables
4 Rebuild a new import table with the common one plus the custom one in another section
5 Patch to avoid auto decryption
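To make the five unpacking steps concrete, here is an added example (written for this page, not the authors' unpacker) that also illustrates the XOR-with-a-stored-key scheme of the Encryption slide. It uses a constructed toy packed-image layout: a descriptor table at the start of the image gives each encrypted area's offset, size and XOR key. The script reads the descriptors (step 1), deciphers each area with its own key (step 2), parses the hidden import table (step 3), merges it with the classic imports (step 4) and zeroes the descriptor count so the image's own loader no longer re-decrypts (step 5). The layout, the "dll!function" naming of imports and the sample bytes are assumptions of this example.

```python
import struct

# Constructed toy packed-image layout used for this example (not Skype's real
# format): a 2-byte little-endian descriptor count at offset 0, followed by one
# 12-byte descriptor per encrypted area holding (offset, size, xor_key).
HEADER = struct.Struct('<H')
DESCRIPTOR = struct.Struct('<III')


def xor_bytes(data, key):
    """XOR data with a repeating 4-byte little-endian key; XOR is its own inverse,
    so the same routine both packs and unpacks an area."""
    key_bytes = key.to_bytes(4, 'little')
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def read_descriptors(image):
    """Step 1: read the internal area descriptors stored in the image itself."""
    (count,) = HEADER.unpack_from(image, 0)
    return [DESCRIPTOR.unpack_from(image, HEADER.size + i * DESCRIPTOR.size)
            for i in range(count)]


def decrypt_areas(image):
    """Step 2: decipher every area with the key stored in its own descriptor."""
    clean = bytearray(image)
    for offset, size, key in read_descriptors(image):
        clean[offset:offset + size] = xor_bytes(clean[offset:offset + size], key)
    return clean


def parse_import_table(blob):
    """Step 3: the custom import table is modelled as NUL-separated 'dll!function' names."""
    return [name.decode('ascii') for name in blob.split(b'\0') if name]


def unpack(image, classic_imports, import_area):
    """Steps 1-5 together: returns (clean_image, rebuilt_import_table)."""
    descriptors = read_descriptors(image)
    clean = decrypt_areas(image)
    offset, size, _ = descriptors[import_area]
    hidden = parse_import_table(bytes(clean[offset:offset + size]))
    # Step 4: one full table made of the common imports plus the hidden ones.
    rebuilt = list(classic_imports) + [h for h in hidden if h not in classic_imports]
    # Step 5: patch the image so its own loader finds no area to decrypt again;
    # otherwise the runtime would XOR the already-clear bytes back into garbage.
    HEADER.pack_into(clean, 0, 0)
    return bytes(clean), rebuilt


def build_packed_image(areas):
    """Constructed sample packer (demo only): lays the clear areas out after the
    descriptor table and XORs each one with its key."""
    table_size = HEADER.size + DESCRIPTOR.size * len(areas)
    table, body = bytearray(HEADER.pack(len(areas))), bytearray()
    for clear, key in areas:
        table += DESCRIPTOR.pack(table_size + len(body), len(clear), key)
        body += xor_bytes(clear, key)
    return bytes(table + body)


# Constructed sample input: a "code" area and a hidden import table, each
# encrypted with its own hard-coded key.
SAMPLE_AREAS = [
    (b'\x55\x8b\xec\x83\xec\x10\x5d\xc3' * 4, 0xDEADBEEF),
    (b'WS2_32.dll!send\0WS2_32.dll!recv\0RPCRT4.dll!NdrClientCall2\0', 0x13370FF5),
]
CLASSIC_IMPORTS = ['KERNEL32.dll!GetTickCount', 'WS2_32.dll!send']


if __name__ == '__main__':
    packed = build_packed_image(SAMPLE_AREAS)
    clean, imports = unpack(packed, CLASSIC_IMPORTS, import_area=1)
    print('descriptors left for the loader:', read_descriptors(clean))
    print('rebuilt import table:', imports)
```

The step-5 patch is the part easiest to forget: a dumped image whose areas are already clear but whose descriptors still say "encrypted" will be XORed a second time by its own loader, which is exactly why the authors list "patch to avoid auto decryption" as a separate step.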

Unpacking

[Figure: reconstructed binary: erased code, modified transition code, deciphered code, old original import table, old Skype import table, and a new full import table placed in another section]

Some statistics

Ciphered vs clear code
[Figure: proportion of ciphered vs clear code; legend: Code, Data, Unreferenced code]

Imports: 674 classic imports, 169 hidden imports
Libraries used in hidden imports: KERNEL32.dll, WINMM.dll, WS2_32.dll, RPCRT4.dll, ...


Checksumers scheme in Skype

[Figure: main scheme of Skype code checkers: Checker 1 / Checker' 1, Checker 2 / Checker' 2, ..., Checker N / Checker' N, each pair linked to the Code it checks]

Example of a checksumer:

    start:
        xor  edi, edi
        add  edi, 0x688E5C
        mov  eax, 0x320E83
        xor  eax, 0x1C4C4
        mov  ebx, eax
        add  ebx, 0xFFCC5AFD
    loopstart:
        mov  ecx, [edi+0x10]
        jmp  lbl1
        db   0x19
    lbl1:
        sub  eax, ecx
        sub  edi, 1
        dec  ebx
        jnz  loopstart
        jmp  lbl2
        db   0x73
    lbl2:
        jmp  lbl3
        dd   0xC8528417, 0xD8FBBD1, 0xA36CFB2F, 0xE8D6E4B7, 0xC0B8797A
        db   0x61, 0xBD
    lbl3:
        sub  eax, 0x4C49F346

Semi polymorphic checksumers

Interesting characteristics
- Each checksumer is a bit different: they seem to be polymorphic
- They are executed randomly
- The pointer initialization is obfuscated with computations
- The loop steps have different values/signs
- The checksum operator is randomized (add, xor, sub, ...)
- The checksumer length is random
- Dummy mnemonics are inserted
- The final test is not trivial: it can use the final checksum to compute a pointer to the next code part.

Semi polymorphic checksumers

But
They are composed of:
- A pointer initialization
- A loop
- A lookup
- A test/computation
We can build a script that spots such code

Global checksumer scheme

[Figure: graph of the checksumers and the code they check]
- Each rectangle represents a checksumer
- An arrow represents the link checker/checked
- In fact, there were nearly 300 checksums

How to get the computed value

Solution 1
- Put a breakpoint on each checksumer
- Collect all the computed values during a run of the program
    Problem: software breakpoints change the checksums
    Problem: we only have 4 hardware breakpoints
=⇒ Twin processes debugging

Solution 2
- Emulate the code

Twin processes debugging
1 Put software breakpoints on every checksumer of one process
2 Run it until it reaches a breakpoint
3 Put 2 hardware breakpoints before and after the checksumer of the twin process
4 Use the twin process to compute the checksum value
5 Write it down
6 Report it into the first process and jump the checksumer
7 Go to point 2

Twin processes debugging

[Figure, three steps: Process 1 (software breakpoints) and Process 2 (hardware breakpoints) driven by the Twin Debugger; the PC of Process 1 stops on a checksumer, Process 2 executes it under hardware breakpoints, and the result is reported back into Process 1]

Twin processes debugging

Twin processes debugger using PytStop [PytStop]:

    import pytstop

    # checksumer entry address -> address right after it (filled in from the spotting script)
    checksumers = {start: stop, ...}

    # two instances of the same binary: p gets the software breakpoints,
    # q computes the real checksum values under hardware breakpoints
    p = pytstop.strace("/usr/bin/skype")
    q = pytstop.strace("/usr/bin/skype")
    for bp in checksumers.keys():
        p.setbp(bp)
    while 1:
        p.cont()                                # p stops at a checksumer entry
        hbp = q.sethbp(checksumers[p.eip])      # hardware breakpoint after that checksumer in q
        q.cont()                                # q runs the untouched checksumer
        q.delhbp(hbp)
        print "Checksumer at %08x set eax=%08x" % (p.eip, q.eax)
        p.eax = q.eax                           # report the computed value into p
        p.eip = q.eip                           # and jump over the checksumer

Checksum execution and patch

Solution 2
1 Compute the checksum for each one
2 The script is based on an x86 emulator
3 Spot the checksum entry-point: the pointer initialization
4 Detect the end of the loop
5 Then, replace the whole loop by a simple assignment of the final checksum value
=⇒ Each checksum is always correct
And Skype runs faster! ☺
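Added example (not the authors' script, which the slides only describe) covering both the earlier remark that a script can spot the pointer-initialization / loop / lookup / test structure and Solution 2 above: it parses the checksumer listing shown earlier, spots its four parts, runs it in a small emulator of the few mnemonics it uses over a constructed memory image (deterministic bytes standing in for the checked code), and emits the replacement "mov eax, <checksum>" followed by the untouched final test. The memory base and size, the listing syntax and the register file are assumptions of this example.

```python
import re

# Constructed copy of the checksumer listing shown on the earlier slide, as parse() expects it.
CHECKSUMER = """
start:
    xor edi, edi
    add edi, 0x688E5C
    mov eax, 0x320E83
    xor eax, 0x1C4C4
    mov ebx, eax
    add ebx, 0xFFCC5AFD
loopstart:
    mov ecx, [edi+0x10]
    jmp lbl1
    db 0x19
lbl1:
    sub eax, ecx
    sub edi, 1
    dec ebx
    jnz loopstart
    jmp lbl2
    db 0x73
lbl2:
    jmp lbl3
    dd 0xC8528417, 0xD8FBBD1, 0xA36CFB2F, 0xE8D6E4B7, 0xC0B8797A
    db 0x61, 0xBD
lbl3:
    sub eax, 0x4C49F346
"""
MASK = 0xFFFFFFFF
MEM_RE = re.compile(r'\[(\w+)\+(0x[0-9A-Fa-f]+)\]')
ALU = {'add': lambda a, b: a + b, 'sub': lambda a, b: a - b, 'xor': lambda a, b: a ^ b}
MEM_BASE = 0x686900   # constructed image covering the range the loop reads (edi+0x10 downwards)
MEM = bytes(((i * 0x9E3779B1) >> 13) & 0xFF for i in range(0x2600))   # deterministic "code" bytes

def read32(addr):
    """Little-endian dword read from the constructed image (a live target would read process memory)."""
    off = addr - MEM_BASE
    assert 0 <= off <= len(MEM) - 4, 'read outside the image at 0x%x' % addr
    return int.from_bytes(MEM[off:off + 4], 'little')

def parse(listing):
    """Return ([(mnemonic, [operands])], {label: index of the next instruction})."""
    insns, labels = [], {}
    for line in (l.strip() for l in listing.splitlines() if l.strip()):
        if line.endswith(':'):
            labels[line[:-1]] = len(insns)
        else:
            mnem, _, rest = line.partition(' ')
            insns.append((mnem, [o.strip() for o in rest.split(',')] if rest else []))
    return insns, labels

def spot(insns, labels):
    """Spot the four parts: pointer init, loop (conditional backward jump), lookup (memory read in the loop), final test."""
    for end, (mnem, ops) in enumerate(insns):
        if mnem[0] == 'j' and mnem != 'jmp' and labels.get(ops[0], end) < end:
            start = labels[ops[0]]
            break
    else:
        return None
    lookups = [o for m, o in insns[start:end] if m == 'mov' and MEM_RE.match(o[1])]
    if not lookups:
        return None
    pointer = MEM_RE.match(lookups[0][1]).group(1)
    operators = [m for m, o in insns[start:end] if m in ALU and o[1] == lookups[0][0]]
    return {'pointer_reg': pointer, 'loop': (start, end), 'lookup': lookups[0][1],
            'pointer_init': [m for m, o in insns[:start] if o and o[0] == pointer],
            'operator': operators[0] if operators else None,
            'final_test': [m for m, o in insns[end + 1:] if m not in ('db', 'dd', 'jmp')]}

def emulate(insns, labels, stop=None):
    """Run the x86 subset the checksumers use from 'start' up to instruction index `stop`; returns the registers."""
    regs, zf = dict.fromkeys(('eax', 'ebx', 'ecx', 'edx', 'esi', 'edi'), 0), False
    def value(op):
        m = MEM_RE.match(op)
        if m:
            return read32(regs[m.group(1)] + int(m.group(2), 16))
        return regs[op] if op in regs else int(op, 0) & MASK
    pc = labels['start']
    while pc < len(insns) and pc != stop:
        mnem, ops = insns[pc]
        pc += 1
        if mnem == 'jmp':
            pc = labels[ops[0]]
        elif mnem == 'jnz':
            pc = pc if zf else labels[ops[0]]
        elif mnem == 'mov':
            regs[ops[0]] = value(ops[1])          # mov leaves the flags alone
        elif mnem in ALU or mnem == 'dec':
            b = 1 if mnem == 'dec' else value(ops[1])
            regs[ops[0]] = ALU.get(mnem, ALU['sub'])(regs[ops[0]], b) & MASK
            zf = regs[ops[0]] == 0
        elif mnem not in ('db', 'dd'):            # junk bytes are jumped over, never executed
            raise ValueError('unsupported mnemonic: ' + mnem)
    return regs

def patched_listing(insns, labels):
    """Emulate up to the loop exit, then replace pointer init and loop by one assignment and keep the final test."""
    end = spot(insns, labels)['loop'][1]
    checksum = emulate(insns, labels, stop=end + 1)['eax']
    tail = ['    %s %s' % (m, ', '.join(o)) for m, o in insns[end + 1:] if m not in ('db', 'dd', 'jmp')]
    return checksum, '\n'.join(['    mov eax, 0x%08X' % checksum] + tail)
```

Calling `patched_listing(*parse(CHECKSUMER))` returns the loop value and the two-line replacement. The value only holds for the image the loop actually reads, which is why the emulator stops right after the `jnz`: the instruction at `lbl3` is part of the final test, not of the checksum, and is kept verbatim so a test that derives a pointer from the result still works.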

The checksumer shown above, after patching (the loop body is replaced by the computed value, the rest is unchanged):

    start:
        xor  edi, edi
        add  edi, 0x688E5C
        mov  eax, 0x320E83
        xor  eax, 0x1C4C4
        mov  ebx, eax
        add  ebx, 0xFFCC5AFD
    loopstart:
        mov  ecx, [edi+0x10]
        jmp  lbl1
        db   0x19
    lbl1:
        mov  eax, 0x4C49F311
        nop
        ...
        nop
        jmp  lbl2
        db   0x73
    lbl2:
        jmp  lbl3
        dd   0xC8528417, 0xD8FBBD1, 0xA36CFB2F, 0xE8D6E4B7, 0xC0B8797A
        db   0x61, 0xBD
    lbl3:
        sub  eax, 0x4C49F346

Last but not least

Signature based integrity-check
There is a final check: an integrity check based on an RSA signature.
Moduli stored in the binary:

    lea  eax, [ebp+var_C]
    mov  edx, offset "65537"
    call strtobignum
    lea  eax, [ebp+var_10]
    mov  edx, offset "381335931360376775423064342989367511"
    call strtobignum
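Added example (not Skype's code) of what an integrity check built on an RSA signature with the public key embedded as decimal strings amounts to: the modulus and "65537" are converted with a counterpart of strtobignum, the signature is raised to the public exponent and the result is compared with a digest of the code region actually present. Textbook RSA without padding and a demo key from a seeded generator are simplifications of this example; the use of SHA-256 over the code bytes is an assumption, since the slide does not say what exactly is signed.

```python
import hashlib
import random

E_STR = '65537'   # public exponent, kept as a decimal string the way the listing shows it


def strtobignum(s):
    """Counterpart of the binary's strtobignum: decimal string -> big integer."""
    return int(s, 10)


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, enough for a demo key (a real key comes from a proper library)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Odd candidate with the top bit set, retried until Miller-Rabin accepts it."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_key(bits, rng):
    """Demo key: returns (modulus as a decimal string, private exponent d); e is 65537."""
    e = strtobignum(E_STR)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return str(p * q), pow(e, -1, phi)


def code_digest(code):
    """The quantity that gets signed: SHA-256 of the protected code region, as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), 'big')


def sign_code(code, modulus_str, d):
    """Done once by whoever holds d (textbook RSA, no padding: demo only)."""
    return pow(code_digest(code), d, strtobignum(modulus_str))


def verify_code(code, signature, modulus_str, exponent_str=E_STR):
    """The final check as the binary performs it: recover the digest with the embedded
    public key and compare it with the digest of the code that is really in memory."""
    n, e = strtobignum(modulus_str), strtobignum(exponent_str)
    return pow(signature, e, n) == code_digest(code)


# Constructed sample: a "code region" and a demo key from a seeded RNG so runs are repeatable.
CODE = bytes.fromhex('558bec83ec105dc3') * 64
DEMO_RNG = random.Random(2006)
MODULUS_STR, PRIVATE_D = generate_key(512, DEMO_RNG)
SIGNATURE = sign_code(CODE, MODULUS_STR, PRIVATE_D)
```

Design point worth keeping in mind when assessing such a check: it proves only that the code matches whatever modulus string sits in the binary, so that string has to be covered by the other integrity checks or the signature adds nothing over a plain checksum.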


Counter measures against dynamic attack

Skype has some protections against debuggers:
- Anti Softice: it tries to load its driver. If it works, Softice is loaded.
- Generic anti-debugger: the checksums spot software breakpoints, as they change the integrity of the binary

Counter counter measures
The Rasta Ring 0 Debugger [RR0D] is not detected by Skype

Binary protection: Anti debuggers

The easy one: first Softice test

    mov  eax, offset strSiwvid ; "\\\\.\\Siwvid"
    call test_driver
    test al, al

Hidden test: it checks whether Softice is in the driver list

    call EnumDeviceDrivers
    ...
    call GetDeviceDriverBaseNameA
    ...
    cmp  eax, 'ntic'
    jnz  next
    cmp  ebx, 'e.sy'
    jnz  next
    cmp  ecx, 's\x00\x00\x00'
    jnz  next

Binary protection: Anti debuggers

Anti-anti Softice
IceExt is an extension to Softice

    cmp  esi, 'icee'
    jnz  short next
    cmp  edi, 'xt.s'
    jnz  short next
    cmp  eax, 'ys\x00\x00'
    jnz  short next

Timing measures
Skype takes timing measurements in order to check whether the process is being debugged or not

    call gettickcount
    mov  gettickcount_result, eax
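Added example (not from the slides) of how an analyst can recognise the driver-list test above in a listing: because the name is compared four bytes at a time, "ntice.sys" and "iceext.sys" never appear as strings in the binary. The script recovers them by concatenating consecutive cmp/jcc pairs that bail out to the same label and reports which driver-enumeration APIs the listing calls. The listing is constructed from the fragments on this page; the label names and the table of known driver names are assumptions.

```python
import re

# Constructed disassembly excerpt modelled on the checks shown above: the driver name
# is compared four bytes at a time, so no "ntice.sys" string exists in the binary.
LISTING = """
call EnumDeviceDrivers
call GetDeviceDriverBaseNameA
cmp  eax, 'ntic'
jnz  next
cmp  ebx, 'e.sy'
jnz  next
cmp  ecx, 's\\x00\\x00\\x00'
jnz  next
cmp  esi, 'icee'
jnz  short next2
cmp  edi, 'xt.s'
jnz  short next2
cmp  eax, 'ys\\x00\\x00'
jnz  short next2
mov  eax, 1
"""

# Assumed table of driver names worth flagging (the two named on the slides).
KNOWN_DEBUGGER_DRIVERS = {'ntice.sys': 'SoftICE', 'iceext.sys': 'IceExt (SoftICE extension)'}
DRIVER_LIST_APIS = ('EnumDeviceDrivers', 'GetDeviceDriverBaseNameA', 'GetDeviceDriverBaseNameW')
CMP_RE = re.compile(r"cmp\s+\w+,\s*'((?:[^'\\]|\\.)*)'")
JCC_RE = re.compile(r"j\w+\s+(?:short\s+)?(\w+)$")


def decode_chunk(text):
    """Turn a chunk as the disassembler prints it ('s\\x00\\x00\\x00') into raw bytes."""
    return text.encode('latin-1').decode('unicode_escape').encode('latin-1')


def recover_split_strings(listing):
    """Concatenate consecutive 'cmp reg, chunk' / 'jcc label' pairs that bail out to the
    same label: each such run is one string compared piecewise. Trailing NULs are dropped."""
    runs, current, target, pending = [], b'', None, None

    def flush():
        nonlocal current, target
        if current:
            runs.append(current.rstrip(b'\0').decode('latin-1'))
        current, target = b'', None

    for line in (l.strip() for l in listing.splitlines() if l.strip()):
        cmp_m, jcc_m = CMP_RE.match(line), JCC_RE.match(line)
        if cmp_m:
            pending = decode_chunk(cmp_m.group(1))
        elif jcc_m and pending is not None:
            if jcc_m.group(1) != target:        # a new bail-out label starts a new string
                flush()
                target = jcc_m.group(1)
            current, pending = current + pending, None
        else:                                   # anything else breaks the run
            flush()
            pending = None
    flush()
    return runs


def triage(listing):
    """Report the driver-enumeration APIs called and the known debugger drivers compared."""
    apis = [a for a in DRIVER_LIST_APIS if re.search(r'\b%s\b' % a, listing)]
    names = recover_split_strings(listing)
    hits = [(n, KNOWN_DEBUGGER_DRIVERS[n.lower()]) for n in names if n.lower() in KNOWN_DEBUGGER_DRIVERS]
    return {'driver_list_apis': apis, 'split_strings': names, 'debugger_drivers': hits}
```

The script works on listing text as the disassembler prints the character constants, in memory order; on raw bytes the same comparison is a little-endian dword immediate, so a byte-level signature would need the reversed order. Pairing the recovered names with the presence of EnumDeviceDrivers / GetDeviceDriverBaseNameA is what turns a few anonymous compares into "this binary enumerates loaded drivers looking for a debugger".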

Binary protection: Anti debuggers

Counter measures
When it detects an attack, it traps the debugger:
- registers are randomized
- a random page is jumped into

It is difficult to trace back the detection because there is no more stack frame, no EIP, ...

    pushf
    pusha
    mov  save_esp, esp
    mov  esp, ad_alloc?
    add  esp, random_value
    sub  esp, 20h
    popa
    jmp  random_mapped_page

Binary protection: Anti debuggers

Solution
- The random memory page is allocated with special characteristics
- So breakpoint on malloc(), filtered with those properties, in order to spot the creation of this page
- We then spot the pointer that stores this page location
- We can then put a hardware breakpoint to monitor it, and break in the detection code


Protection of sensitive code

Code obfuscation
The goal is to protect code from being reverse engineered.
Principle used here: mess the code as much as possible.

Advantages
- Slows down code study
- Avoids direct code stealing

Drawbacks
- Slows down the application
- Grows software size

Techniques used

Code indirection calls
[Listing: sub_9F8F70 (instruction order lost in extraction): the call target in eax is built from [ecx+34h], [ecx+44h] and [ebp-14h] combined with the constants 9FFB40h, 7F80h, 7799C1Fh, 292C1156h, 371509EBh, 19C87A36h, 0CCDACEF0h and 40F0FC15h through mov/sub/add/neg/xor, then "call eax ; sub_9F7BC0"; the routine ends with pop esi / retn, annotated "; eax = 009F8F70"]

Principle
Each call is dynamically computed: difficult to follow statically

In C, this means

Determined conditional jumps

    ...
    if (sin(a) == 42) {
        do_dummy_stuff();
    }
    go_on();
    ...

Techniques used

Execution flow rerouting

    lea  edx, [esp+4+var_4]
    add  eax, offset area
    push edx
    push 3D4D101h
    mov  [esp+0Ch+var_4], eax
    call RaiseException
    rol  eax, 17h
    xor  eax, 350CA27h
    pop  ecx

- Sometimes, the code raises an exception
- An error handler is called
- If it's a fake error, the handler tweaks memory addresses and registers
=⇒ back to the calling code

Principle
Hard to understand the whole code: we have to stop the error handler and study its code.

Bypassing this little problem
    In some cases we were able to avoid the analysis
    We injected shellcodes to parasitize these functions

Skype seen from the network: Skype network obfuscation

Skype on UDP

Skype UDP start of frame
    Every datagram begins with a Start of Frame (SoF) layer made of
        a frame ID number (2 bytes)
        a type of payload (1 byte). Either:
            obfuscated payload
            Ack / NAck packet
            payload forwarding packet
            payload resending packet
            a few other things

Skype Network Obfuscation Layer

    45 00 00 2e 00 04 40 00 40 11 eb 75 ac 10 48 83 18 62 42 50
    08 03 20 53 00 1a 21 9c
    7f 4e 02
    11 8a c0 37 fc 95 75 5e 5e b9 81 7a 8e fa 81

    IP                   version= 4L  ihl= 5L  tos= 0x0  len= 46  id= 4  flags= DF
                         frag= 0L  ttl= 64  proto= UDP  chksum= 0xeb75
                         src= 172.16.72.131  dst= 24.98.66.80  options= ''
    UDP                  sport= 2051  dport= 8275  len= 26  chksum= 0x219c
    Skype SoF            id= 0x7f4e  func= 0x2
    Skype Crypted Data   iv= 0x118AC037L  crc32= 0xFC95755EL
                         crypted= '^\xb9\x81z\x8e\xfa\x81'

Skype Network Obfuscation Layer
    Data are encrypted with RC4
    The RC4 key is calculated with elements from the datagram:
        public source and destination IP
        Skype's packet ID
        Skype's obfuscation layer's IV

    Source IP | Destination IP | ID | \x00\x00 | IV
        -> CRC32 -> seed -> seed to RC4 key engine -> RC4 key (80 bytes)

    Every input to the key is visible on the wire; the only thing standing
    between an observer and the key is the key engine itself.

Skype Network Obfuscation Layer: the public IP

Problem 1: how does Skype know the public IP?
    1 At the beginning, it uses 0.0.0.0
    2 Its peer won't be able to decrypt the message (bad CRC): the peer derives
      the key from the source address it actually sees, never from 0.0.0.0
    3 => The peer sends a NAck with the public IP
    4 Skype updates what it knows about its public IP accordingly

    24 16 08 03 00 13 08 54 7f 4e 77 52 7c 48 33 83 b0 86 56

    UDP          sport= 9238  dport= 2051  len= 19  chksum= 0x854
    Skype SoF    id= 0x7f4e  func= 0x77
    Skype NAck   src= 82.124.72.51  dst= 131.176.134.86

    The NAck body carries the source and destination addresses as the peer
    saw them: its src field is the sender's public IP.
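As an added example (not code from the talk, not Skype's own code), the following Python dissects the two datagrams printed on the slides above, verifying the IP and UDP checksums on the way, and computes the CRC32 seed from the fields the key diagram feeds to the engine. The byte order and concatenation used for the seed are an assumption (the diagram shows the fields, not their layout), and the key engine itself is not reproduced: that is the obfuscated oracle. FUNC_ENC and FUNC_NACK are the values seen on these slides, not a complete table of payload types.

```python
# Added example, not code from the talk or from Skype: dissect the obfuscated
# datagram and the NAck shown on the slides, and compute the CRC32 seed that
# the slides feed to the "seed to RC4 key engine". The key engine itself is
# the obfuscated oracle inside Skype and is not reproduced here.
import struct
import zlib
from ipaddress import IPv4Address

# Bytes copied from the slides. ENC_PACKET is the full IP datagram
# (172.16.72.131:2051 -> 24.98.66.80:8275); NACK_UDP is UDP header + payload.
ENC_PACKET = bytes.fromhex(
    "4500002e000440004011eb75ac10488318624250"   # IPv4 header
    "08032053001a219c"                           # UDP header
    "7f4e02"                                     # Skype SoF: id, func
    "118ac037fc95755e5eb9817a8efa81"             # iv, crc32, crypted
)
NACK_UDP = bytes.fromhex("24160803001308547f4e77527c483383b08656")

FUNC_ENC = 0x02    # obfuscated payload (value seen on the slides)
FUNC_NACK = 0x77   # NAck (value seen on the slides; 0x07 also appears)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when a checksummed block is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_udp(udp: bytes, pseudo: bytes = b"") -> dict:
    """Split a UDP segment; verify the checksum when a pseudo-header is given."""
    sport, dport, ulen, chk = struct.unpack("!HHHH", udp[:8])
    if pseudo and chk and inet_checksum(pseudo + udp[:ulen]) != 0:
        raise ValueError("bad UDP checksum")
    return {"sport": sport, "dport": dport, "payload": udp[8:ulen]}


def parse_ip_udp(packet: bytes) -> dict:
    """Strip IPv4 (checksum verified) and hand the rest to parse_udp."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != 17:
        raise ValueError("not UDP")
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(udp))
    out = parse_udp(udp, pseudo)
    out.update(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)))
    return out


def parse_skype_sof(payload: bytes) -> dict:
    """Start of Frame: 2-byte frame id, 1-byte payload type, then the payload."""
    frame_id, func = struct.unpack("!HB", payload[:3])
    body = payload[3:]
    out = {"id": frame_id, "func": func}
    if func == FUNC_ENC:                      # obfuscation layer: iv, crc32, data
        iv, crc = struct.unpack("!II", body[:8])
        out.update(iv=iv, crc32=crc, crypted=body[8:])
    elif func == FUNC_NACK:                   # NAck carries the addresses the peer saw
        out.update(nack_src=str(IPv4Address(body[:4])),
                   nack_dst=str(IPv4Address(body[4:8])))
    else:
        out["body"] = body
    return out


def rc4_seed(src_ip: str, dst_ip: str, frame_id: int, iv: int) -> int:
    """CRC32 over the fields the slide draws in front of the key engine.
    ASSUMPTION: plain concatenation in the drawn order, network byte order."""
    blob = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!H", frame_id) + b"\x00\x00" + struct.pack("!I", iv))
    return zlib.crc32(blob) & 0xFFFFFFFF


if __name__ == "__main__":
    udp = parse_ip_udp(ENC_PACKET)
    sof = parse_skype_sof(udp["payload"])
    print("enc:", udp["src"], "->", udp["dst"], sof)
    nack = parse_skype_sof(parse_udp(NACK_UDP)["payload"])
    print("nack:", nack)
    # A client behind NAT that still believes its public IP is 0.0.0.0 derives
    # a different seed from the one its peer derives from the real source.
    print(hex(rc4_seed("0.0.0.0", udp["dst"], sof["id"], sof["iv"])),
          hex(rc4_seed(nack["nack_src"], udp["dst"], sof["id"], sof["iv"])))
```

Run it and it prints both dissections plus two seeds: the one a NATed client computes while it still believes its address is 0.0.0.0, and the one its peer computes from 82.124.72.51. They differ, which is why the peer reports a bad CRC and answers with the NAck.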

Skype Network Obfuscation Layer: the seed to RC4 key engine

Problem 2: What is the seed to RC4 key engine?
    It is not an improvement of the flux capacitor
    It is a big fat obfuscated function
    It was designed to be the keystone of the network obfuscation
    RC4 key is 80 bytes, but there are at most 2^32 different keys (the seed is 32 bits)
    It can be seen as an oracle
    We did not want to spend time on it => we parasitized it

Note: RC4 is used for obfuscation, not for privacy. Every input to the key
is on the wire, so once the key engine can be queried (or reimplemented),
any captured datagram can be de-obfuscated.

Skype Network Obfuscation Layer: the seed to RC4 key engine

Parasitizing the seed to RC4 key engine
    We injected a shellcode that
        1 read requests on a UNIX socket
        2 fed the requests to the oracle function
        3 wrote the answers to the UNIX socket

Skype Network Obfuscation Layer: the seed to RC4 key engine

The Oracle Revelator shellcode (C source, built with shellforge, which
supplies the syscall wrappers; hence no libc headers):

    void main(void)
    {
        unsigned char key[80];
        /* the key engine inside Skype: fills key[] from the seed */
        void (*oracle)(unsigned char *key, int seed);
        int s, flen;
        unsigned int i, j, k;
        struct sockaddr_un sa, from;
        char path[] = "/tmp/oracle";

        /* address of the key engine in the Skype binary under study */
        oracle = (void (*)()) 0x0724c1e;

        /* bind a UNIX datagram socket on /tmp/oracle */
        sa.sun_family = AF_UNIX;
        for (s = 0; s < sizeof(path); s++)
            sa.sun_path[s] = path[s];
        s = socket(PF_UNIX, SOCK_DGRAM, 0);
        unlink(path);
        bind(s, (struct sockaddr *)&sa, sizeof(sa));

        while (1) {
            /* request: one 4-byte seed */
            flen = sizeof(from);
            recvfrom(s, &i, 4, 0, (struct sockaddr *)&from, &flen);
            /* pre-fill the 80-byte buffer with the seed, then ask the engine */
            for (j = 0; j < 0x14; j++)
                *(unsigned int *)(key + 4*j) = i;
            oracle(key, i);
            /* answer: the 80-byte RC4 key, back to the requester */
            sendto(s, key, 80, 0, (struct sockaddr *)&from, flen);
        }
        unlink(path);
        close(s);
        exit(5);
    }

Use of the shellcode

    $ shellforge.py -R oracle_shcode.c | tee oracle.bin | hexdump -C
    00000000  55 89 e5 57 56 53 81 ec  cc 01 00 00 e8 00 00 00  |U..WVS..........|
    00000010  00 5b 81 c3 ef ff ff ff  8b 93 e5 01 00 00 8b 8b  |.[..............|
    [...]
    000001d0  fe ff ff 53 bb 0b 00 00  00 cd 80 5b e9 27 ff ff  |...S.......[.'..|
    000001e0  ff 2f 74 6d 70 2f 6f 72  61 63 6c 65 00           |./tmp/oracle.|
    $ siringe -f oracle.bin -p `pidof skype`
    $ ls -lF /tmp/oracle
    srwxr-xr-x 1 pbi pbi 0 2006-01-16 13:37 /tmp/oracle=
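Added example, not the talk's code: the client side of the Oracle Revelator exchange (a 4-byte seed sent to the UNIX datagram socket, an 80-byte key back), paired with a stand-in server that answers the way the injected shellcode does, so that it runs without Skype. stand_in_key_engine is a hash placeholder for the real, obfuscated key engine, and the socket path under a temporary directory is this example's choice rather than the talk's /tmp/oracle.

```python
# Added example, not code from the talk: the request/answer exchange a
# dissector has with the injected Oracle Revelator (4-byte seed in, 80-byte
# key out over a UNIX datagram socket), with a stand-in server in place of
# the real shellcode. The key engine here is a hash STAND-IN: the real one
# only exists inside the Skype binary, which is the whole point of injecting.
import hashlib
import os
import shutil
import socket
import struct
import tempfile
import threading
import time

KEY_LEN = 80


def stand_in_key_engine(seed: int) -> bytes:
    """STAND-IN for Skype's seed-to-RC4-key function: 80 deterministic bytes."""
    return (hashlib.sha256(struct.pack("<I", seed)).digest() * 3)[:KEY_LEN]


def serve_oracle(path: str, requests: int) -> None:
    """Mimic the shellcode: bind path, answer each 4-byte seed with the key."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    try:
        for _ in range(requests):
            data, peer = srv.recvfrom(4)          # the shellcode reads exactly 4 bytes
            (seed,) = struct.unpack("<I", data)   # native (little-endian) int, like &i
            srv.sendto(stand_in_key_engine(seed), peer)
    finally:
        srv.close()
        os.unlink(path)


def ask_oracle(path: str, seed: int, timeout: float = 2.0) -> bytes:
    """Client side: a bound datagram socket (so the answer can come back),
    one seed out, one 80-byte key in."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    cli_path = "%s.client.%d.%d" % (path, os.getpid(), threading.get_ident())
    cli.bind(cli_path)
    try:
        cli.sendto(struct.pack("<I", seed), path)
        key, _ = cli.recvfrom(KEY_LEN)
    finally:
        cli.close()
        os.unlink(cli_path)
    if len(key) != KEY_LEN:
        raise ValueError("oracle answered %d bytes, expected %d" % (len(key), KEY_LEN))
    return key


def oracle_roundtrip(seeds) -> list:
    """Run the stand-in server in a thread and query it once per seed."""
    tmpdir = tempfile.mkdtemp(prefix="orc")
    path = os.path.join(tmpdir, "oracle")
    srv = threading.Thread(target=serve_oracle, args=(path, len(seeds)), daemon=True)
    srv.start()
    for _ in range(500):                    # wait for the socket file to appear
        if os.path.exists(path):
            break
        time.sleep(0.01)
    try:
        return [ask_oracle(path, s) for s in seeds]
    finally:
        srv.join(timeout=2.0)
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    for k in oracle_roundtrip([0x33FBAF76, 0x118AC037]):
        print(k.hex())
```

Skypy's TCP <-> UNIX relay sits in front of ask_oracle so the dissector can run on another machine; whoever can reach that relay can then query the engine, which is the only secret the obfuscation has, so keep it on loopback or an analysis network.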

Skype on TCP
    The seed is sent in the first 4 bytes of the stream
    The RC4 stream is used to decrypt the 10 following bytes that should be
        00 01 00 00 00 01 00 00 00 01/03
      (a known plaintext: if these bytes do not come out as expected, the key is wrong)
    The RC4 stream is reinitialised and used again for the remainder of the stream

    0c 7c 49 7c 8b 26 fe 00 67 8b 91 c3 80 18 0b 68 51 14 00 00 01 01 08 0a 4c d8 77 45 00 00 00 00
    33 fb af 76 28 ab b1 93 0a ff 6c df 55 b1

    TCP                     sport= 3196  dport= 18812  seq= 2334588416L  ack= 1737200067L
                            dataofs= 8L  reserved= 0L  flags= PA  window= 2920  chksum= 0x5114
                            urgptr= 0  options= [('NOP', None), ('[...]
    Skype init TCP packet   seed= 0x33FBAF76L  init_str= '(\xab\xb1\x93\n\xffl\xdfU\xb1'
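Added example, not the talk's code: a model of both ends of the TCP stream start, using a standard RC4 implementation and a hash in place of the seed-to-key oracle (so the bytes differ from a real capture, but the framing is the one on the slide). It also shows what restarting RC4 costs: if, as the slide says, the stream is reinitialised and the same key reused, the keystream that hid the known init string also hides the first payload bytes, and those can be read without the key at all.

```python
# Added example, not code from the talk: both ends of the TCP stream start
# (seed in clear, 10 known bytes under RC4, RC4 restarted for the rest).
# RC4 is the standard algorithm; the seed-to-key step is a hash STAND-IN for
# Skype's obfuscated oracle.
import hashlib
import struct

INIT_MAGIC = bytes.fromhex("00010000000100000001")   # last byte is 01 or 03
INIT_MAGIC_ALT = bytes.fromhex("00010000000100000003")
SEED_LEN, INIT_LEN = 4, 10


def rc4_keystream(key: bytes):
    """Standard RC4: key scheduling, then the PRGA as a generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with a FRESH RC4 stream (this is the 'reinitialise')."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def stand_in_key_engine(seed: int) -> bytes:
    """STAND-IN for the seed-to-RC4-key oracle: 80 deterministic bytes."""
    return (hashlib.sha256(struct.pack("<I", seed)).digest() * 3)[:80]


def build_stream(seed: int, payload: bytes, last_byte: int = 0x01) -> bytes:
    """Sender: seed in clear, RC4(10 known bytes), RC4 restarted over the data."""
    key = stand_in_key_engine(seed)
    init = INIT_MAGIC[:-1] + bytes([last_byte])
    return struct.pack(">I", seed) + rc4_xor(key, init) + rc4_xor(key, payload)


def open_stream(stream: bytes) -> tuple:
    """Receiver: read the seed, check the 10 known bytes, restart, decrypt."""
    if len(stream) < SEED_LEN + INIT_LEN:
        raise ValueError("stream too short for seed + init string")
    (seed,) = struct.unpack(">I", stream[:SEED_LEN])
    key = stand_in_key_engine(seed)
    init = rc4_xor(key, stream[SEED_LEN:SEED_LEN + INIT_LEN])
    if init not in (INIT_MAGIC, INIT_MAGIC_ALT):
        raise ValueError("init string mismatch: wrong key or not a Skype stream")
    return seed, rc4_xor(key, stream[SEED_LEN + INIT_LEN:])


def recover_prefix(stream: bytes) -> bytes:
    """No key needed: the restart reuses the keystream, so the bytes that
    covered the known init string also cover the first payload bytes. The
    tenth init byte is 01 or 03, so only the first 9 are certain."""
    known = stream[SEED_LEN:SEED_LEN + 9]
    keystream = bytes(c ^ p for c, p in zip(known, INIT_MAGIC[:9]))
    data = stream[SEED_LEN + INIT_LEN:SEED_LEN + INIT_LEN + 9]
    return bytes(c ^ k for c, k in zip(data, keystream))


if __name__ == "__main__":
    s = build_stream(0x33FBAF76, b"hello, super node")
    print(s[:4].hex(), open_stream(s))
    print(recover_prefix(s))
```

The seed goes out big-endian (33 fb af 76 on the slide) while the oracle shellcode reads it as a native int; the stand-in hides that detail, a real dissector must get it right or the init check fails on every stream.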

Skype seen from the network: Low level data transport

Low level datagrams: the big picture
    Almost everything is ciphered
    Data can be fragmented
    Each command comes with its parameters in an object list
    The object list can be compressed

    SoF
     |- Enc -> Cmd -> Encod -> Object list
     |                      \-> Compressed list
     |- Frag
     |- Ack
     |- Forward -> Forwarded message
     |- NAck

Object lists
    An object can be a number, a string, an IP:port, or even another object list
    Each object has an ID
    Skype knows which object corresponds to which command's parameter from its ID

    Object list -> List size -> objects, each one of:
        Number | IP:port | List of numbers | String | RSA key

Skype seen from the network: Thought it was over?

For P in packets: zip P

Packet compression
    Each packet can be compressed
    The algorithm used: arithmetic compression
    Zip would have been too easy :-)

Principle
    Close to Huffman algorithm
    Reals are used instead of bits

Arithmetic compression: example
    [0, 1] is split into subintervals, one per symbol, sized according to their frequency
    We encode ACAB. First symbol is A. We subdivide its interval
    Then comes C
    Then A again
    Then B
    Each real enclosed into this small interval can encode ACAB

    0                  0.5      0.625              1
    |        A         |   B    |        C         |
    The same split is applied again inside A, then inside the C of that A,
    then inside the A of that C: the reals in the B slot of that last
    interval encode ACAB
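Added example, not the talk's code: the arithmetic coder the slides walk through, with their model (A on [0, 0.5), B on [0.5, 0.625), C on [0.625, 1)), in exact fractions so the final interval for ACAB can be checked by hand, plus the shortest binary fraction inside that interval, which is what an implementation actually has to transmit.

```python
# Added example, not code from the talk: arithmetic coding with the symbol
# model drawn on the slides, in exact fractions.
import math
from fractions import Fraction as F

# Cumulative model from the slide: symbol -> (low, high) inside [0, 1)
MODEL = {"A": (F(0), F(1, 2)), "B": (F(1, 2), F(5, 8)), "C": (F(5, 8), F(1))}


def encode(text: str, model=MODEL):
    """Narrow [0, 1) once per symbol; return the final (low, high) interval."""
    low, high = F(0), F(1)
    for sym in text:
        s_low, s_high = model[sym]
        width = high - low
        low, high = low + width * s_low, low + width * s_high
    return low, high


def decode(x: F, n: int, model=MODEL) -> str:
    """Read n symbols back from any real x inside the encoded interval."""
    out = []
    for _ in range(n):
        for sym, (s_low, s_high) in model.items():
            if s_low <= x < s_high:
                out.append(sym)
                x = (x - s_low) / (s_high - s_low)   # rescale back to [0, 1)
                break
        else:
            raise ValueError("x is outside [0, 1)")
    return "".join(out)


def shortest_binary(low: F, high: F) -> str:
    """Bits after the point of the shortest binary fraction in [low, high):
    the number of bits a codec would actually have to send."""
    k = 0
    while True:
        k += 1
        m = math.ceil(low * 2 ** k)          # smallest k-bit fraction >= low
        if F(m, 2 ** k) < high:
            return format(m, "0%db" % k)


if __name__ == "__main__":
    low, high = encode("ACAB")
    bits = shortest_binary(low, high)
    print("ACAB ->", low, high, "-> 0." + bits)
    print(decode(F(int(bits, 2), 2 ** len(bits)), 4))
```

encode("ACAB") gives [23/64, 95/256); the shortest binary fraction inside it is 0.010111, six bits for four symbols, against 6.4 bits of information content for this model. Real codecs work on integer ranges with renormalisation rather than Fractions, and mark the end of the message with a length or an end symbol; the principle is the one above.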

Skype seen from the network: How to speak Skype

How to speak Skype

Skypy, the Scapy add-on
    We developed an add-on to Scapy from the "binary specifications"
    It uses the Oracle Revelator shellcode and a TCP <-> UNIX relay to de-obfuscate datagrams
    It can reassemble and decode obfuscated TCP streams
    It can assemble Skype packets and speak Skype

Example: a Skype startup

    >>> a=rdpcap("/cap/skype_up.cap")
    >>> a[:20].nsummary()
    172.16.72.131:2051 > 212.70.204.209:23410 / Skype SoF id=0x7f46 func=0x2 / Skype Enc / Skype Cmd cmd=27L r
    172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
    172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x2 / Skype Enc / Skype Cmd cmd=27L re
    172.16.72.131:2051 > 218.80.92.25:33711 / Skype SoF id=0x7f4c func=0x2 / Skype Enc / Skype Cmd cmd=27L req
    172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x2 / Skype Enc / Skype Cmd cmd=27L reqid
    130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0x7f48 func=0x77 / Skype NAck
    172.16.72.131:2051 > 130.161.44.117:9238 / Skype SoF id=0x7f48 func=0x63 / Skype Resend
    85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7f4a func=0x7 / Skype NAck
    172.16.72.131:2051 > 85.89.168.113:18812 / Skype SoF id=0x7f4a func=0x13 / Skype Resend
    130.161.44.117:9238 > 172.16.72.131:2051 / Skype SoF id=0xbedf func=0x2 / Skype Enc / Skype Cmd cmd=29L re
    172.16.72.131:2051 > 141.213.193.57:3655 / Skype SoF id=0x7f50 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
    85.89.168.113:18812 > 172.16.72.131:2051 / Skype SoF id=0x7d64 func=0x2 / Skype Enc / Skype Cmd cmd=28L re
    172.16.72.131:3196 > 85.89.168.113:18812 S
    172.16.72.131:2051 > 24.22.242.173:37533 / Skype SoF id=0x7f52 func=0x2 / Skype Enc / Skype Cmd cmd=27L re
    24.98.66.80:8275 > 172.16.72.131:2051 / Skype SoF id=0x7f4e func=0x77 / Skype NAck
    172.16.72.131:2051 > 24.98.66.80:8275 / Skype SoF id=0x7f4e func=0x23 / Skype Resend

    Reading the trace: the first datagram sent to each new peer is answered with
    a NAck and followed by a Resend carrying the same frame id, which is the
    public-IP discovery of the obfuscation layer in action. The TCP SYN to
    85.89.168.113:18812 from port 3196 opens the stream whose first bytes are
    dissected on the "Skype on TCP" slide.
