SMB - Attackers get chatty on VOIP

Worm viruses increase on VOIP systems

The recent spate of malware attacks propagating throughout the user base of the Skype Internet calling system illustrates a broader trend toward cyber-criminals moving to take advantage of VOIP platforms as they become increasingly popular.

Security researchers tracking the latest pack of worm viruses to wriggle their way through the Skype community's chat system said that the threats are nearly identical to attacks that have plagued users of other publicly-available messaging applications for years.

However, as Skype and other VOIP systems become even more widespread and greater numbers of businesses move to adopt the technologies, experts predict that cyber-criminals will ratchet-up the severity and diversity of the attacks they aim at users of the software.

In mid-May, London-based Skype -- which is owned by eBay -- launched a series of trials of new enterprise features that it hopes will encourage larger numbers of businesses to consider use of its publicly-available VOIP applications.

The potential to use such programs to infiltrate business networks and carry out attacks will drive malware code writers and other schemers to similarly increase their focus on VOIP platforms, researchers said.

On May 24, Chris Boyd, a researcher at FaceTime Communications -- which established a partnership to provide security applications to Skype in Feb. 2007 -- noticed a new variant of the so-called Skype worm that has been spreading through the VOIP client's messaging system for the last several months.

Unlike previous versions of the threat that merely passed themselves along to other Skype users via their contact lists, the new variant will also "jump" to other more established networks, including the ICQ and MSN messenger platforms.

The development illustrates not only that attacks aimed at users of VOIP networks are escalating and becoming more sophisticated, but also that they are being pulled into use by the smartest and most aggressive cyber-criminals looking for new revenue streams, Boyd said.

"There are a lot of businesses picking up Skype in the workplace, and it's a good bet that if they have Skype on there, they have other IM clients. The attackers are really trying to hit as many people as possible in a random manner, but this is the first instance we've seen of an attempt to get a foot in the door of other networks using Skype," Boyd said.

While the attack merely passes itself along to contacts listed in the messaging accounts of affected users, versus dropping malware onto their computers, it does attempt to lure people into clicking on links that point to a range of virus-infecting Web sites.

Boyd said that several of the involved URLs have been used in previous attacks on Skype users, including a handful of sites registered through Chinese hosting companies.

The researcher believes that the endgame of the hackers behind the threat is to steal valuable data from infected users and pass it back to themselves over Skype's encrypted messaging system. Boyd said that there is also growing evidence of attackers building proof-of-concept botnet threats aimed specifically at Skype users.

"Things can potentially get passed out of an organization using Skype because the messaging communications are encrypted and hard to fiddle with. That could be one of the angles," Boyd said. "It's just interesting that the attacks we saw for several months have been so consistent, and now there's this significant change in targeting different networks. I think we'll see more editions in the coming weeks and a substantial attack on Skype users at some point."

Page Break

In late March 2007, researchers at F-Secure first unearthed a Skype worm variant that attempted to trick users into visiting a Web site that downloaded a malware program which was designed to communicate to hackers over a Yahoo mail server to confirm its infection and load additional programs onto affected PCs.

Variants of the attack, which subsequently tried to infect users with keystroke logging software and other data-thieving programs, have continued to appear since that time.

Tony Magellanez, a systems engineer at Helsinki, Finland-based F-Secure, said that such a move by hackers to port their IM-based threats to VOIP software should come as no surprise.

"Chat has obviously been around forever, and the ability to share information via these tools has opened it up to the types of attacks we're seeing," Magellanez said. "The attacks aren't being made against any vulnerability in the software but instead against the social aspects of its use that make it an attractive target."

The researcher said, in fact, that the Skype application in particular has exhibited a small number of vulnerabilities and proven fairly resistant to malware threats, a performance he attributes to significant work on the part of the company to engineer the system with security in mind.

Other researchers echoed that sentiment but pointed out that most large businesses will still likely adopt VOIP tools designed specifically for the enterprise and avoid publicly-available programs like Skype out of fear for potential attacks.

"At this point, we're really just talking about VOIP as a transport vector for attacks as is the case with the Skype worm attacks, which is predictable when you consider other IM-based threats," said Chris Hoff, chief technology officer at Crossbeam Systems. "Like anything else, when VOIP becomes a more legitimate pathway for attackers to go after monetary systems, they will come after it, but it also seems like businesses are taking a more pragmatic approach to adopting VOIP when it comes to security."

For instance, Hoff said most companies are running their VOIP systems on standalone networks to make it harder for hackers to access the programs and protect availability of their calling capabilities. Such planning should make a big difference as more dangerous VOIP threats are created, he said.

Tom Cross, a researcher with the X-Force team at IBM's ISS division, agreed that Skype is in some sense becoming a victim of its own success with the recent emergence of more worms. In addition to a rapidly increasing number of users, the researcher also attributed greater e-mail and IM security awareness among customers as a reason for the uptick in activity.

"From a technical standpoint, these worms don't really have anything to do with VOIP, it's being targeted just as any other popular communications tool will be," Cross said. "Hackers are also moving to different technologies to perform their attacks because we've gotten better at detecting them on other platforms; spam and e-mail don't work as well for the attackers anymore, so VOIP offers a new opportunity where end-users may not be expecting this type of threat, yet."