Yet Another Medium to Protect: VoIP
The security industry was recently abuzz with the discovery of a new threat that supposedly targeted users of the popular VoIP (Voice over Internet Protocol) telephone application Skype. Initially thought to be a worm, this threat is actually a Trojan spyware that logs user keystrokes in an attempt to steal critical user information (e.g., user names and passwords). While Trend Micro correctly detected it as TSPY_SKPE.A, the cause of this confusion may be attributed to the fact that this spyware's method of infection is identical to that of an IM (instant messaging) worm. Using Skype's Chat feature, the threat attempts to send a link to an affected user's available contacts. This link, in turn, points to a remote site where a copy of this spyware can be downloaded.
However, further analysis reveals that this spyware simply attempts to use Skype's APIs for its malicious activities, and that it still relies on user intervention to successfully propagate. Simply put, an affected user is notified whenever this spyware tries to use Skype. Thus, the user must first consent to this notification before the spyware can send its link.
A Familiar Pattern
Worm or spyware, TSPY_SKPE.A is yet another example of a targeted attack motivated by the lure of financial gain. It has all the right ingredients: a simple yet possibly rewarding routine for malware authors (i.e., information theft; the data it gathers is uploaded to a site for easy retrieval by remote malicious users) and a specific target (i.e., Skype users). This threat also uses a relatively rare, if not unknown, compression routine (NTKrnl Secure Suite), helping it avoid immediate detection. This is not surprising, considering that most profit-driven threats employ similar techniques to siphon as many rewards as possible.
Why the Fuss?
The amount of uproar that surrounded this spyware is somewhat surprising, especially since this is not the first Skype-related threat. (WORM_SKYPERISE.A, detected in October 2006, holds that dubious distinction.) Perhaps one reason for the attention this threat garnered is the increasing popularity of VoIP, and the increasing viability of VoIP as a malware vector. Indeed, technology experts continue to raise and discuss VoIP security issues, and the discovery of TSPY_SKPE further validates some of these concerns.
Once only a concept, VoIP threats are slowly becoming a reality, and Trend Micro believes that more threats that exploit this medium are likely in the future. Apart from the malware that targeted Skype users, cyber criminals have initiated other attempts to exploit this technology. Vishing (VoIP phishing), for instance, has emerged. In addition, some consider VoIP spam, or SPIT (spam over Internet telephony), to be "an as-yet-nonexistent problem" [1], while others have reported it in Japan [2]. As the threat landscape continues to shift (especially now with the prevalence of Web-based threats), expect similar, if not more sophisticated, attacks to propagate.
References
[1] "VoIP spam," Wikipedia, December 18, 2006, http://en.wikipedia.org/wiki/VoIP_spam.
[2] Bogdan Materna, "SPIT: Bringing Spam to Your Voicemail Box," VoIP for Enterprise, December 7, 2006, http://voipforenterprise.tmcnet.com/feature/service-solutions/...
