Re: Skype API Ap2Ap Stream Creation Flaw

From: Stephen Samuel (samnospambcgreen.com)
Date: Mon Aug 21 2006 - 15:28:46 CDT


Other than the fact that this takes advantage of Skype's built-in
encryption, I don't see how this is that much different than any other
network-capable application being built with backdoors and call-home
capability.

vizig0thblitzgmail.com wrote:
> An application-to-application stream can be created between two Skype clients without having established normal communications between them and both Skype clients' contact lists are empty. With this ability any Skype-enabled application can create a covert communication stream to a central server. This can only occur, of course, if the user voluntarily installs the application. Therefore, the main attack vector for this functionality is to create a legitimate Skype-enabled application, have the user install the application, and once the user starts the application make a covert connection to a central server. Once the connection to the central server is made, additional software can be downloaded and installed on the target computer via the application-to-application stream.
>
> Scenario Setup:
>
> The following will be needed to recreate the scenario:
>
> 1. Two computers with Skype installed and two separate Skype IDs that have had no communication between them.
>
> 2. A copy of SkypeTracer installed on each computer.
>
> Scenario Steps:
>
. . . . .

--
Stephen Samuel +1(778)861-7641 samnospambcgreen.com
                   http://www.bcgreen.com/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.