
Skype Trojan Protection – Disable Skype API and File Transfer

This week Websense reported the first Trojan that uses the Skype API as part of its evil workings. The currently available information does not say what the Trojan uses the Skype API for. As already discussed in the blog article "Proof-of-Concept Trojan using Skype API", such a Trojan can hide its communication inside the Skype network, and no currently available content inspection technique will be able to cope with such a covert channel. Although the current Trojan provokes a warning dialog from the Skype client, telling the user that a third-party program wants to access the Skype API, it is very likely that adversaries will soon learn to bypass this warning using some low-level Windows API.

Skype API warning dialog when a third party application attaches to the Skype client for the first time

As we can see from the above screenshot, the user can permanently grant access to a particular third-party application. This prevents the warning dialog from being shown in future. If a user has accidentally permitted access, or wants to know which applications have access to the Skype API, he or she can find a link called "Manage other programs' access to Skype" in the Privacy section of the Skype Options dialog.

Skype Options

There he or she can view or modify the permission for each individual third-party application.

Manage API Access Control

According to Bill Campbell's article "Simple corporate security tip: disable Skype API and File Transfer", there is a way to disable the Skype API using a registry setting. The following registry value is officially documented in Skype knowledgebase article 632. The policy prevents any third-party application from attaching to the Skype API. As a .reg file (the key and value are as documented; the header line is what regedit needs to import it):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
"DisableApi"=dword:00000001

Inbound and outbound file transfers can also be disabled by a registry setting. This is documented in Skype knowledgebase article 631:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
"DisableFileTransfer"=dword:00000001

After applying the file transfer policy, an error dialog is shown to the user when he or she tries to send a file from a protected client:

Error dialog when a user wants to send a file from a policy protected system.

When a file is sent to a policy-protected Skype client, the file transfer aborts immediately and the following error is shown:

Error message shown when a file is sent to a policy protected Skype client

I have verified both registry settings and they both work. In a corporate environment this allows administrators to lock down Skype. But it requires that the user does not have administrative privileges: a Trojan runs with the privileges of the user who started it, so an administrative user's Trojan can simply remove these values again. Administrators must further ensure that the ACL on the policy key does not permit users to modify these values.

As a preemptive measure I suggest that companies that do not have Skype deployed should also push the above registry settings to their workstations using Windows Group Policy. This closes off the two most dangerous capabilities (API access and file transfer) even where employees place the Skype executable onto their systems without permission. It should be noted that Skype does not require any special privileges to run; being an ordinary user is enough.
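The following PowerShell script is an added example, not code from the original post or from Skype: it applies the two policy values from knowledgebase articles 631 and 632, verifies that they are in place, and checks the caveat above, namely that the key is not writable by ordinary users. The key path and value names are the ones documented above; the function names, the list of "ordinary user" identities and the set of rights treated as write access are my own choices. Run it from an elevated prompt on the workstation, or as a computer startup script via Group Policy.

```powershell
# Added example (not from the original post): apply and audit the Skype
# lockdown policy. Key path and value names are from Skype KB 631/632;
# the function names and audit logic are assumptions made for this example.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'
$Policies  = @{ DisableApi = 1; DisableFileTransfer = 1 }

function Set-SkypeLockdown {
    # Create the policy key if needed and write both REG_DWORD values.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Policies.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Policies[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-SkypeLockdown {
    # $true only if both values exist and are exactly 1.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Policies.Keys) {
        if ($item.$name -ne 1) { return $false }
    }
    return $true
}

function Get-WeakSkypePolicyAce {
    # Returns every Allow ACE on the policy key that gives a non-admin
    # principal a right with which it could delete or overwrite the values.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl
    # Principals that an ordinary interactive user is a member of (assumption:
    # extend this list to match your own environment).
    $ordinaryUsers = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

    $acl = Get-Acl -Path $PolicyKey
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -in $ordinaryUsers) -and
        (([int]$_.RegistryRights -band [int]$writeRights) -ne 0)
    }
    return @($weak)
}

# --- apply and audit ---
Set-SkypeLockdown

if (-not (Test-SkypeLockdown)) {
    throw "DisableApi / DisableFileTransfer were not applied under $PolicyKey"
}

$weak = Get-WeakSkypePolicyAce
if ($weak.Count -gt 0) {
    Write-Warning "Ordinary users can modify $PolicyKey; tighten the ACL:"
    $weak | Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
} else {
    Write-Host "Skype API and file transfer are disabled by policy, and the key is not user-writable."
}
```

The ACL check is the part that matters for the threat described in this post: a Trojan running as the logged-on user can only undo the policy if that user (or a group it belongs to) holds SetValue, Delete, WriteKey or FullControl on the key. The default ACL under HKLM\SOFTWARE\Policies gives such principals read access only, so a warning here usually means someone loosened it by hand.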

This is a Security Bloggers Network syndicated blog from iplosion security authored by jan.monsch. Read the original post at: http://www.iplosion.com/archives/57