Trojan.Peskyspy—Listening in on your Conversations

Symantec Security Response
August 27th, 2009
Tags: Endpoint Protection (AntiVirus), Security, Security Response

In the last few years, voice over IP (VoIP) has gained a significant foothold in the realm of voice communication. In some arenas the technology has supplanted traditional telecommunication devices, becoming a technology many of us can no longer imagine going without.

As is often the case, when something gains a foothold in software and networking technology, it becomes a target of malicious code writers. This week we’ve seen the release of a Trojan horse called Trojan.Peskyspy that records VoIP communications, specifically targeting Skype—one of today’s most popular VoIP applications. What we’re looking at is something that could be considered the first “wiretap Trojan”.

Now, before going into the details of this threat, we’d like to point out that its existence isn’t due to any problems with Skype itself. In this case, Skype has simply become a victim of its own popularity, most likely being targeted because it has such a large install base. This threat could just as easily have been crafted to take advantage of any of the myriad other VoIP applications, and it’s likely we’ll see other threats in the future that do just that.

What this threat actually does is grab the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used for audio input and output. It is then able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is saved to .mp3 files and stored on the computer.

Because the Trojan listens in on the data traveling between the Skype process and the audio device, it gathers the audio independently of any application-specific protocols or encryption that Skype applies to voice data at the network level. Essentially, it sits below these security measures, recording the audio at the Windows level—before outbound audio from the microphone reaches Skype, and after incoming audio leaves Skype and reaches the speakers.
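From the defender's side, hooking of this kind is usually found by checking whether the in-process entry points of the audio APIs still match their on-disk image and do not jump out of their own module. The following is an added example, not code from Symantec or from the Peskyspy analysis, that applies that check to constructed prologue bytes; the winmm.dll export names and the module address range are assumptions, since the post does not name which functions the Trojan hooks.

```python
import struct

# Assumption: winmm.dll exports a process-level audio tap would likely hook; the
# post does not name the functions Peskyspy hooks, so this list is illustrative.
AUDIO_EXPORTS = ("waveInOpen", "waveInAddBuffer", "waveOutOpen", "waveOutWrite")
MODULE_BASE = 0x73B00000   # constructed load address for winmm.dll, not a real one
MODULE_SIZE = 0x30000

def hook_target(prologue, func_addr):
    """Destination of a detour at the function entry, or None if the first
    instruction is not 'jmp rel32' (E9) or 'push imm32; ret' (68 .. C3)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack("<i", prologue[1:5])[0]
        return func_addr + 5 + rel
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack("<I", prologue[1:5])[0]
    return None

def is_detoured(prologue, func_addr, base=MODULE_BASE, size=MODULE_SIZE):
    """A first instruction that jumps outside the owning module is the classic
    inline-hook signature."""
    target = hook_target(prologue, func_addr)
    return target is not None and not (base <= target < base + size)

def scan_exports(exports, base=MODULE_BASE, size=MODULE_SIZE):
    """exports: name -> (address, bytes read from process memory, bytes from the
    on-disk image). Flags an export whose entry is detoured out of the module, or
    whose in-memory bytes differ from disk (catches detours inside the module)."""
    findings = []
    for name in AUDIO_EXPORTS:
        addr, mem, disk = exports[name]
        if is_detoured(mem, addr, base, size) or mem[:5] != disk[:5]:
            findings.append(name)
    return findings

# Constructed sample: CLEAN is the standard hot-patchable Win32 prologue (mov edi,edi; push ebp; mov ebp,esp)
CLEAN = bytes.fromhex("8bff558bec")

def _jmp_rel32(src, dst):
    return b"\xe9" + struct.pack("<i", dst - (src + 5))

SAMPLE_EXPORTS = {
    "waveInOpen":      (MODULE_BASE + 0x1000, CLEAN, CLEAN),
    # detoured out of winmm.dll into an injected region (constructed address)
    "waveInAddBuffer": (MODULE_BASE + 0x2000, _jmp_rel32(MODULE_BASE + 0x2000, 0x00410000), CLEAN),
    "waveOutOpen":     (MODULE_BASE + 0x3000, CLEAN, CLEAN),
    # push/ret trampoline into the same injected region
    "waveOutWrite":    (MODULE_BASE + 0x4000, b"\x68" + struct.pack("<I", 0x00410200) + b"\xc3", CLEAN),
}
```

On a live system the in-memory bytes would come from ReadProcessMemory and the on-disk bytes from the mapped file; the comparison logic is the same.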

Finally, the Trojan contains a back door, which enables an attacker to have the stolen audio conversations sent to a predetermined location, where they can later be listened to.

In terms of impact, we don’t see this threat gaining much of a foothold out in the wild. What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind, we recommend keeping your virus definitions and IPS signatures up to date.

Special thanks to Karthik Selvaraj for his analysis of this threat.
