<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom">
    <title>Skype Security Blog</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/" />
    
   <id>tag:share.skype.com,2009:/sites/security//9</id>
    <link rel="service.post" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9" title="Skype Security Blog" />
    <updated>2009-04-14T19:13:18Z</updated>
    <subtitle>News, reviews, opinions about everything to do with Skype security.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.1</generator>
 

<link rel="self" href="http://feeds.feedburner.com/SkypeSecurity" type="application/atom+xml" /><entry>
    <title>Cross-Site Request Forgery (CSRF) Vulnerability</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2009/04/crosssite_request_forgery_csrf.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=21641" title="Cross-Site Request Forgery (CSRF) Vulnerability" />
    <id>tag:share.skype.com,2009:/sites/security//9.21641</id>
    
    <published>2009-04-14T19:08:35Z</published>
    <updated>2009-04-14T19:13:18Z</updated>
    
    <summary> A browser-level vulnerability has been revealed by Secure Science Corporation that could impact Skype users....</summary>
    <author>
        <name>Chaim</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>
A browser-level vulnerability has been revealed by <a href="http://www.securescience.net/blog/2009/04/skypeskrayping-part-1.html">Secure Science Corporation</a> that could impact Skype users.
<p>]]>
        <![CDATA[Called Cross-Site Request Forgery (CSRF), the attack is a type of malicious exploit of a Web site whereby unauthorized commands are unknowingly transmitted through a user that the Web site trusts. It works when a link or script in a Web page, email or instant message is activated and accesses a site to which a user is known (or is supposed) to have authenticated.
<p>
This exploit can happen to any user who is logged into their account on Skype.com, who simultaneously visits a malicious Web site and is then affected by this attack. The malicious site can then compromise a user's account and perform a limited number of actions, such as changing the user's voicemail or call forwarding settings. However, the user's account password is not compromised at any time, nor does the vulnerability impact users of the Skype client.
<p>
The simplest technique is similar to a phishing attack, only a bit more interactive:
<br><blockquote><strong>Attacker:</strong> Hello, I apologize for the disruption, but this is a friendly reminder that Skype is having a special today. We are offering $25.00 extra credit in your SkypeOut account if you do "X." We will never ask you for your username or password over Skype Instant Messaging.
<p><p>
<strong>Victim:</strong> OK!</blockquote>
<p>
That "X" can be anything that gets a user who is logged into their Web-based Skype account to view another site.
<p>
OR  
<p>
<blockquote><strong>Attacker2:</strong> Hello, were you just contacted by someone promising 25.00 extra credit. This is the Skype Fraud Detection (SFD) department; we believe that your computer may be infected.  We need you to go to this site to check for and eliminate the infection (X-Fake-Security-Site).  As this is Skype-specific, anti-virus software cannot eliminate this threat.  Note: the SFD will never request your Skype password.
<p><p>
<strong>Victim:</strong> OK!</blockquote>
<p>
In both cases, the attacker never asked for the Skype username or password.
<p>
To protect yourself from this vulnerability, we recommend that you take the following steps:
<ol>
	<li>Close all browser windows before logging into your secure account (https) on Skype.com to execute any transactions or change any account settings.</li>
	<li>Make sure to log out of your account on Skype.com when you're done buying Skype credit or a subscription and/or making other changes to your account settings.</li>
	<li>Logging out of secure Web sites before clicking on any links from any source other than the secure page you have open is best practice. As such, do not visit any other Web sites until you have logged out of your secure Skype.com account.</li>
</ol>
<p>
As always, do not click on links from unknown people in instant messages or links in "spam" or untrusted e-mails. Plus, it's not a good time to multi-task when you are logged into any secure Web site.
<p>
Skype is hard at work changing how these Web pages operate in order to address this vulnerability and to keep our users safe from this type of attack.]]>
    </content>
</entry>

<entry>
    <title>Skype Lottery Scam Alert</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/12/skype_lottery_scam_alert.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=17181" title="Skype Lottery Scam Alert" />
    <id>tag:share.skype.com,2008:/sites/security//9.17181</id>
    
    <published>2008-12-17T14:37:14Z</published>
    <updated>2008-12-17T14:56:26Z</updated>
    
    <summary><![CDATA[It appears that someone is attempting to perpetrate a form of the &lsquo;Nigerian&rsquo; or &lsquo;Foreign Lottery&rsquo; scam using the Skype brand, promising to pay significant prize winnings in a contest. If you have received an email that appears to be...]]></summary>
    <author>
        <name>Peter Parkes</name>
        
    </author>
    
        <category term="Impersonation" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>It appears that someone is attempting to perpetrate a form of the &lsquo;<a href="http://www.snopes.com/crime/fraud/nigeria.asp" title="snopes.com: Nigerian or 419 Scam">Nigerian</a>&rsquo; or &lsquo;<a href="http://www.snopes.com/crime/fraud/lottery.asp" title="snopes.com: Lottery Scams">Foreign Lottery</a>&rsquo; scam using the Skype brand, promising to pay significant prize winnings in a contest.</p>

<p>If you have received an email that appears to be from Skype, please <strong>do not</strong> respond and/or share any personal and private information as the result of this email.</p>

<p>Here's the version of the message we've seen making the rounds:</p>

<div style="font-family:monospace">

<p>Subject: Congratulations; SKYPE AWARDS!‏ </p>

<p>From: SKYPE AWARDS (info@skype.com) </p>

<p>Sent: December 16, 2008 5:17:26 AM </p>

<p>To: (Unknown)<br />
 <br />
SKYPE AWARDS PROMO</p>

<p>The Desk Of The Promotions Manager<br />
International Promotions/Skype Award Center<br />
124 Stockport Road, Longsight,<br />
Manchester M60 2DB - United Kingdom.<br />
Tel: +44 703 194 6898<br />
Fax: +44 703 194 6898<br />
 <br />
Reference Number: 1037231LL<br />
 <br />
This is to inform you that you have won a prize money of three Hundred Thousand Pounds (GBP300,000: 00.) for the month of December, 2008 Prize promotion which was organized by SKYPE AWARDS. The Skype collects all the email addresses of the people that are active online,among the millions that subscribed to various websites. Six people are selected yearly to benefit from this promotion and you are one of the Selected Winners this year.</p>

<p>PAYMENT OF PRIZE AND CLAIM.<br />
 <br />
Winners shall choose from one of the payment option stated below:<br />
 <br />
A] Bank Wire Transfer<br />
 <br />
For this option, winnners must provide the below stated information:<br />
 <br />
(1) Bank Full Name:<br />
 <br />
(2) Bank Full Address (including State and Country):<br />
 <br />
(3) Bank Telephone Number:<br />
 <br />
(4) Bank Account Number:<br />
 <br />
(5) Name of Owner of Account:<br />
 <br />
(6) Swift Code:<br />
 <br />
(7) Charge of Transfer (C.O.T) - 750GBP  (Must be paid before consignment transfer of funds)<br />
 <br />
B] International Certified Cheque<br />
 <br />
For this option, winnners must provide the below stated information:</p>

<p>(1) Your Full Name:<br />
 <br />
(2) Your Complete Mailing Address:<br />
 <br />
(3) A Scanned Copy of your I.D clearly showing your face. (Note that this I.D will be required to claim your parcel when it arrives your apartment).<br />
 <br />
(4) Insurance Fee & Shipment charge of 500GBP  (Must be paid before consignment dispatch).<br />
 <br />
All funds must be claimed no later than 5 days from date of Draw Notification. Any prize not claimed within this period will be forfeited.<br />
 <br />
Below you will find a Processing Form, requesting your required Particulars. Please provide all requested information to help us processs your claim in good time.<br />
 <br />
SKYPE ONLINE PROCESSING FORM<br />
 <br />
REFERENCE NUMBER:<br />
 <br />
FULL NAMES:<br />
 <br />
ADDRESS:<br />
 <br />
CITY:<br />
 <br />
STATE:<br />
 <br />
ZIP:<br />
 <br />
PHONE /FAX:<br />
 <br />
COUNTRY:<br />
 <br />
SEX:<br />
 <br />
AGE:<br />
 <br />
MARITAL STATUS:<br />
 <br />
OCCUPATION:<br />
 <br />
E-MAIL ADDRESS:<br />
 <br />
NATIONALITY:</p>

<p>PAYMENT OPTION: [A]/[B]</p>

<p>Forms Should be returned to your claim agent with details below:</p>

<p>Agent Michael Mine<br />
E-mail: skypeawardsprom@gmail.com<br />
 <br />
CONGRATULATIONS ONCE AGAIN<br />
Yours in service<br />
Patricia Elsworth<br />
(Lottery Coordinator)<br />
 <br />
Note: Do not reply to this email because your entries will not be processed. All entries should be sent to skypeawardsprom@gmail.com<br />
 <br />
*****************************************************************************<br />
 <br />
This Notification MUST remain confidential until your funds is successfully handed over to you to avoid disqualification that may arise from double claim. You may also receive similar e-mails from people portraying our image. This is solely to collect your personal information from you and lay claim over your winning. In the event you receive any e-mail similar to this notification letter we have emailed you, kindly delete it from your mail box and make no further correspondence to such persons or body. Skype shall not be held responsible for any loss of fund arising from the above mentioned.</p>

</div>]]>
        
    </content>
</entry>

<entry>
    <title>[RESOLVED] Phishing emails</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/07/urgent_update_phishing_attack.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=11431" title="[RESOLVED] Phishing emails" />
    <id>tag:share.skype.com,2008:/sites/security//9.11431</id>
    
    <published>2008-07-10T20:41:15Z</published>
    <updated>2008-07-23T15:01:00Z</updated>
    
    <summary>It appears some of our users have been subject to phishing emails - if you have received an email that appears to be from Skype, please DO NOT enter your username and password as the result of this email. Also,...</summary>
    <author>
        <name>Robin Grant</name>
        
    </author>
    
        <category term="Impersonation" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>It appears some of our users have been subject to <a href="http://support.skype.com/index.php?_a=knowledgebase&_j=questiondetails&_i=330">phishing emails</a> - if you have received an email that appears to be from Skype, please DO NOT enter your username and password as the result of this email.</p>

<p>Also, as a consequence of this, skype.com's mail servers are currently down (the phishing emails have caused a flood of bounced emails from addresses that do not exist) - this means our customer support is not currently contactable.</p>

<p>We are doing our best to resolve this situation as quickly as we can and will post updates here as soon as we have them. Please bear with us while we work on solving this.</p>

<p><strong>UPDATE:</strong> We are happy to let you know that our mail servers are back up, customer support is available and the phishing sites associated with this incident are no longer active. As a reminder, we strongly encourage users to be cautious when <a href="http://support.skype.com/index.php?_a=knowledgebase&_j=questiondetails&_i=330">responding to any email that requests sensitive personal information</a>.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Skype misidentified as malware</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/04/skype_misidentified_as_malware.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=6191" title="Skype misidentified as malware" />
    <id>tag:share.skype.com,2008:/sites/security//9.6191</id>
    
    <published>2008-04-23T09:45:40Z</published>
    <updated>2008-04-23T09:52:22Z</updated>
    
    <summary>Earlier this week, security researchers at the Microsoft Malware Protection Center discovered that some Microsoft antimalware products such as Windows Live OneCare were incorrectly identifying some versions of Skype as malware. Such products may stop Skype’s operation and falsely notify...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Reviews and news" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>Earlier this week, security researchers at the Microsoft Malware Protection Center discovered that some Microsoft antimalware products such as Windows Live OneCare were incorrectly identifying some versions of Skype as malware. Such products may stop Skype’s operation and falsely notify the user about the following malware: Trojan:Win32/Vundo.gen!D. </p>

<p>The issue may have affected users of the following Microsoft antimalware products: Microsoft Forefront Client Security, Windows Live OneCare and Windows Live OneCare Safety Scanner. Microsoft has already released an update (a fixed signature file) which was pushed to users of Microsoft's antimalware products. </p>

<p>Once the fixed signature is deployed, Skype should be able to run normally.  The fix is included in signature files version 1.31.9121.0 and higher. More information is available <a href="http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147364652">here.</a></p>]]>
        
    </content>
</entry>

<entry>
    <title>Trojan downloader alert</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/02/galvao_trojan_downloader.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5365" title="Trojan downloader alert" />
    <id>tag:share.skype.com,2008:/sites/security//9.5365</id>
    
    <published>2008-02-27T12:15:41Z</published>
    <updated>2008-02-27T12:47:26Z</updated>
    
    <summary>We've seen some instances where a chat message masquerading as a link to an image file instead leads to a piece of malware. The chat messages may look similar to this: If you receive something like this through a Skype...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Trojans and viruses" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>We've seen some instances where a chat message masquerading as a link to an image file instead leads to a piece of malware. The chat messages may look similar to this:</p>

<p><img alt="galvao.png" src="http://share.skype.com/sites/security/galvao.png" width="521" height="274" /></p>

<p>If you receive something like this through a Skype chat message, do not be alarmed. Instead, ignore it and block the sender. Do not click on the link or open the file that the link points to. </p>

<p>When executed, however, the Trojan downloader creates a <em>Microsoft Studio Files</em> folder in the Program Files directory, populating it with a copy of itself (lsass.exe) as well as a script file (vcdg.bat) that helps it bypass the Windows firewall. The program also changes the Windows registry to enable automatic execution upon Windows startup and to bypass the Windows firewall. Following these steps, the program downloads files into the infected system. </p>

<p>The Skype security team would like to remind users to keep their antivirus software updated and maintain a skeptical eye toward chat messages that don't seem quite right and contain internet links, whether they appear to come from friends or total strangers.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Skype cross-zone scripting vulnerability now fixed</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/02/skype_crosszone_scripting_vuln.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5271" title="Skype cross-zone scripting vulnerability now fixed" />
    <id>tag:share.skype.com,2008:/sites/security//9.5271</id>
    
    <published>2008-02-06T09:39:10Z</published>
    <updated>2008-02-06T09:42:19Z</updated>
    
    <summary>We recently disabled the ability to use Skype's Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Reviews and news" />
    
        <category term="Skype security features" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>We recently disabled the ability to use Skype's Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent. </p>

<p>As we <a href="http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html">said in our post</a> on January 18, the measure would be temporary, lasting only until an official fix for the vulnerability was made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248. </p>

<p>For those who have upgraded to the latest build, we have now re-enabled video downloads from both Dailymotion and Metacafe. Users of older versions of Skype for Windows will not be able to access these video galleries and will need to <a href="http://skype.com/intl/en/download/skype/windows/">upgrade</a>. </p>

<p>Last but not least, we'd like to encourage all users to frequently upgrade their version of Skype. This helps ensure that the Skype experience is safer and more enjoyable.</p>]]>
        
    </content>
</entry>

<entry>
    <title>(Resolved) Skype Cross Zone Scripting Vulnerability</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5218" title="(Resolved) Skype Cross Zone Scripting Vulnerability" />
    <id>tag:share.skype.com,2008:/sites/security//9.5218</id>
    
    <published>2008-01-18T13:01:46Z</published>
    <updated>2008-02-06T09:44:10Z</updated>
    
    <summary>A vulnerability that allowed an attacker to execute arbitrary code on a Skype user's Windows PC without their consent has been discovered in Skype and on Dailymotion, the video-sharing site where Skype users can download video clips and add them...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Skype security features" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>A vulnerability that allowed an attacker to execute arbitrary code on a Skype user's Windows PC without their consent has been discovered in Skype and on <a href="http://www.dailymotion.com">Dailymotion</a>, the video-sharing site where Skype users can download video clips and add them to their Skype moods and chats.</p>

<p>The vulnerability had the potential to affect users of Skype 3.5 and 3.6 for Windows who, in Skype's video gallery, navigated to a Dailymotion video with a specially crafted title.  </p>

<p>The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, therefore Skype users are unlikely to have been affected. Skype has temporarily disabled users' ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site. </p>

<p>For a more detailed description of the issue, please see the most recent <a href="http://skype.com/security/skype-sb-2008-001.html">Skype Security Bulletin</a>.  </p>

<p>Update: We've also temporarily disabled the ability to add videos from the Metacafe video gallery. Both Dailymotion and Metacafe videos will be re-enabled as soon as an official fix has been made available.</p>

<p>- - - </p>

<p>Final update on Feb. 6, 2008 - the issue has been resolved. Please see <a href="http://share.skype.com/sites/security/2008/02/skype_crosszone_scripting_vuln.html">today's post</a> for more information. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Vulnerability in Skype for Windows versions older than 3.6.x.216</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/12/vulnerability_in_skype_for_win.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5114" title="Vulnerability in Skype for Windows versions older than 3.6.x.216" />
    <id>tag:share.skype.com,2007:/sites/security//9.5114</id>
    
    <published>2007-12-10T14:07:12Z</published>
    <updated>2007-12-10T14:10:26Z</updated>
    
    <summary>In early November, Zero Day Initiative informed Skype of a vulnerability that allows a remote attacker to execute arbitrary code, provided that the user visits a malicious website. The flaw exists within the skype4com URI handler component of Skype. An...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Impersonation" />
    
        <category term="Skype security features" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>In early November, <a href="http://www.zerodayinitiative.com">Zero Day Initiative</a> informed Skype of a <a href="http://www.zerodayinitiative.com/advisories/ZDI-07-070.html">vulnerability</a> that allows a remote attacker to execute arbitrary code, provided that the user visits a malicious website.</p>

<p>The flaw exists within the skype4com URI handler component of Skype. An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.</p>

<p>The issue was fixed in the public release of Skype 3.6 for Windows. <strong>All versions of Skype for Windows updated or installed as of November 15 include the patch. </strong></p>

<p>At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public's attention. All we can do now is to apologize. </p>

<p>Meanwhile, we'd like to advise users to always upgrade to the latest version of Skype. This ensures access to the latest features, improvements and fixes, and helps get the most out of your Skype experience. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Password stealer</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/12/password_stealer.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5100" title="Password stealer" />
    <id>tag:share.skype.com,2007:/sites/security//9.5100</id>
    
    <published>2007-12-06T11:39:16Z</published>
    <updated>2007-12-06T11:47:48Z</updated>
    
    <summary> Looks like virus writers are at it again. Some Skype users have been contacted over chat by people warning against viruses and offering to send the user a file that masquerades as Spyware Doctor, a popular anti-malware program from...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Impersonation" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p><a href="http://share.skype.com/sites/security/passwordstealer4.png"><img alt="passwordstealer4.png" src="http://share.skype.com/sites/security/passwordstealer4-thumb.png" width="400" height="346" /></a></p>

<p>Looks like virus writers are at it again. Some Skype users have been contacted over chat by people warning against viruses and offering to send the user a file that masquerades as Spyware Doctor, a popular anti-malware program from <a href="http://www.pctools.com/">PC Tools</a>. Needless to say, the file they're attempting to send (SpyWareDoctorSetup.exe) is not the real thing. Instead, it's a piece of malware, affecting Windows users. <strong>Do not accept or run this executable file</strong>. </p>]]>
        <![CDATA[<p><a href="http://share.skype.com/sites/security/passwordstealer1.png"><img alt="passwordstealer1.png" src="http://share.skype.com/sites/security/passwordstealer1-thumb.png" width="400" height="434" /></a></p>

<p>From what we understand, this malware likely belongs to the same family as previous password stealers. The behavior is exactly the same, only this time it disguises itself as Spyware Doctor. The setup process of the genuine Spyware Doctor is completely different.  </p>

<p>When executed, the fake version displays the "Welcome" screen and promptly shuts down Skype. When the unsuspecting user presses the "Next" button, the program briefly displays a fake installation screen (in reality, no installation takes place) and then immediately displays the "Skype login" screen. </p>

<p>When the user enters his username and password, an error message is displayed -- regardless of whether the password was correct or not. In the background, however, the entered login details are sent to a malicious web server. In addition, the program reads Internet Explorer's saved forms and passwords stored in Windows protected storage and sends them along as well. It does not read stored information in any other web browser. </p>

<p>Clicking on the "Close X" button or the standard close window button in the upper right corner of the window does not close the program. You can only terminate the program from the Windows Task Manager. </p>

<p>The malware is a password stealer and does not interact with Skype in any way. It does not stay resident in memory, modify any Windows DLLs, inject threads into existing services, or try to survive reboot (there is no modification of the Registry or existing registered services). And the program does not attempt to distribute itself in any way. In fact, it seems to be spread by real people using Skype chat, as there is no evidence that the process is automated. </p>

<p>So, if you've unwittingly fallen victim to this password stealer, here's how to disinfect your machine manually:</p>

<p>- Double click on the Windows taskbar to open Task Manager <br />
- Select the Processes tab <br />
- Find SpyWareDoctorSetup.exe from the list <br />
- Click on End Process button </p>

<p>Delete SpyWareDoctorSetup.exe from the file system (use Search For Files and Folders to find the location in case you don't remember where you saved it).</p>]]>
    </content>
</entry>

<entry>
    <title>Fake malware alert</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/11/fake_malware_alert.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=5074" title="Fake malware alert" />
    <id>tag:share.skype.com,2007:/sites/security//9.5074</id>
    
    <published>2007-11-30T11:08:08Z</published>
    <updated>2007-11-30T11:23:18Z</updated>
    
    <summary>Some users have received the following message through Skype chat: - - - - - ATTENTION ! Security Center has detected malware on your computer ! Affected Software: Microsoft Windows NT Workstation Microsoft Windows NT Server 4.0 Microsoft Windows 2000...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Trojans and viruses" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>Some users have received the following message through Skype chat:</p>

<p>- - - - - <br />
<em></p>

<p>ATTENTION ! Security Center has detected malware on your computer !</p>

<p>Affected Software:</p>

<p>Microsoft Windows NT Workstation</p>

<p>Microsoft Windows NT Server 4.0</p>

<p>Microsoft Windows 2000</p>

<p>Microsoft Windows XP</p>

<p>Microsoft Windows Win98</p>

<p>Microsoft Windows Server 2003</p>

<p>Impact of Vulnerability: Remote Code Execution / Virus Infection /<br />
Unexpected shutdowns</p>

<p>Recommendation: Users running vulnerable version should install a repair<br />
utility immediately</p>

<p>Your system IS affected, download the patch from the address below !<br />
Failure to do so may result in severe computer malfunction.</p>

<p>www.alertscan.net/?q=update</em><br />
- - - - - </p>

<p>If you receive something like this through a Skype chat message, do not be alarmed. Instead, <strong>ignore it and block the sender</strong>. <strong>This is chat spam</strong> aimed at scaring users into purchasing an alleged antivirus product. </p>

<p><strong>The purported remote virus scan performed by the site behind the URL is also a fake</strong>: it is a harmless movie, not a real scan. The "results" of this fake scan are also false.</p>

<p>That said, if you receive a chat message from an unknown user and/or an internet link that you're not sure of, please err on the side of caution and do not click on such links.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Skype for Mac on Leopard</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/11/skype_for_mac_on_leopard.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=4937" title="Skype for Mac on Leopard" />
    <id>tag:share.skype.com,2007:/sites/security//9.4937</id>
    
    <published>2007-11-07T13:38:59Z</published>
    <updated>2007-11-29T15:50:07Z</updated>
    
    <summary>Update on Nov 29: The issue is now resolved. For more details, please read my post on the Skype Mac blog. - - - - - Like a lot of people in the Mac community, we're excited that Mac OS...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Reviews and news" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p><em>Update on Nov 29: The issue is now resolved. For more details, please read <a href="http://share.skype.com/sites/mac/2007/11/good_news_leopardcompatibility.html">my post</a> on the Skype Mac blog. </em></p>

<p>- - - - - </p>

<p>Like a lot of people in the Mac community, we're excited that Mac OS X Leopard is now out in the wild. As you may have <a href="http://www.eweek.com/article2/0,1895,2212576,00.asp">read</a>, Skype runs into trouble when Leopard's firewall is activated. At the moment, this affects a minority of Skype users.</p>

<p>However, we wanted to let you know that we're embracing Apple's new security efforts. By doing so, we're continuing to ensure that Skype for Mac is the most secure internet-calling platform a Mac user can get. Our engineers are tweaking Skype for Mac and as soon as safely possible, the issue will be resolved. In a few weeks, the fix will be included in an updated version of Skype that has a loving relationship with the Leopard firewall. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Updated: Malware alert</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/11/malware_alert.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=4928" title="Updated: Malware alert" />
    <id>tag:share.skype.com,2007:/sites/security//9.4928</id>
    
    <published>2007-11-05T11:30:18Z</published>
    <updated>2007-11-06T08:53:33Z</updated>
    
    <summary>It has come to our attention that some Skype for Windows users have been affected by a piece of malware that masquerades as a chat message aimed at finding a lost girl. Please do not follow any internet links you...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Trojans and viruses" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>It has come to our attention that some Skype for Windows users have been affected by a piece of malware that masquerades as a chat message aimed at finding a lost girl. </p>

<p>Please do not follow any internet links you may receive in chat messages that resemble the following: "Please help me to find this Girl". </p>

<p>Clicking on the link will lead you to download a worm that is currently best described <a href="http://blog.spywareguide.com/2007/11/skype_worm_preys_upon_good_sam_1.html">here</a>.</p>

<p>Currently, this piece of malware -- a new strain of the Stration/Warezov worm -- can be detected by the following antivirus software: AntiVir, ArcaVir, AVG Antivirus, BitDefender, F-Secure, Kaspersky, McAfee, Microsoft, Norman Virus Control, Panda Antivirus, Sophos Antivirus, TrendMicro, VBA32. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Skype Defender malware alert</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/10/skype_defender_malware_alert.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=4838" title="Skype Defender malware alert" />
    <id>tag:share.skype.com,2007:/sites/security//9.4838</id>
    
    <published>2007-10-16T10:31:30Z</published>
    <updated>2007-10-16T10:32:41Z</updated>
    
    <summary>Some Windows users have been affected by a malware program that imitates Skype software and attempts to steal sensitive information. 65404-SkypeDefenderSetup.exe is classified as an Infostealer, that is, a Trojan horse program that attempts to steal sensitive information such as...</summary>
    <author>
        <name>Villu Arak</name>
        
    </author>
    
        <category term="Trojans and viruses" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>Some Windows users have been affected by a malware program that imitates Skype software and attempts to steal sensitive information. 65404-SkypeDefenderSetup.exe is classified as an Infostealer, that is, a Trojan horse program that attempts to steal sensitive information such as login credentials. </p>]]>
        <![CDATA[

<p>When executed it displays a confirmation window with the following text, "Skype-Defender(TM) Installed! Please login to your account to apply new plugins". </p>

<p><img alt="screen1a.PNG" src="http://heartbeat.skype.com/screen1a.PNG" width="455" height="123" /></p>

<p>When the user clicks the OK button, the malware displays what looks like a Skype login screen, but which has a different-looking sign-in button.</p>

<p><img alt="screen2a.PNG" src="http://heartbeat.skype.com/screen2a.PNG" width="282" height="531" /></p>

<p>When the user enters the Skype username and password, the malware displays a message saying that the name and password were unrecognized. </p>

<p><img alt="screen3a.PNG" src="http://heartbeat.skype.com/screen3a.PNG" width="282" height="533" /></p>

<p>The malware collects the entered Skype username and password, as well as all usernames and passwords saved in Internet Explorer, and sends them over to a website that collects this stolen data.</p>

<p>To remove the malware, please update your anti-virus software. At this time, we have notified F-Secure, TrendMicro, Symantec, WebSense, and FaceTime Security Labs. For manual removal it is enough to delete the 65404-SkypeDefenderSetup.exe file. </p>]]>
    </content>
</entry>

<entry>
    <title>Skype Extras plug-in manager</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/02/skype_extras_plugin_manager.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=3465" title="Skype Extras plug-in manager" />
    <id>tag:share.skype.com,2007:/sites/security//9.3465</id>
    
    <published>2007-02-08T15:56:56Z</published>
    <updated>2007-02-12T09:54:15Z</updated>
    
    <summary>(Updated Feb 9 with some more context.) One of the new features in Skype for Windows is the Extras Gallery. (Extras are third-party plug-ins that let users expand Skype functionality. See extras.skype.com for what's available.) The Gallery is managed by...</summary>
    <author>
        <name>Kurt</name>
        <uri>http://www.skype.com</uri>
    </author>
    
        <category term="Reviews and news" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>(Updated Feb 9 with some more context.)</p>

<p>One of the new features in Skype for Windows is the Extras Gallery. (Extras are third-party plug-ins that let users expand Skype functionality. See extras.skype.com for what's available.) The Gallery is managed by a plug-in manager software framework developed by <a href="http://www.easybits.com/">EasyBits Software</a> and used under license. </p>

<p>The EasyBits software includes a form of digital rights management functionality intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use. Simply put, the EasyBits DRM framework helps us ensure compliance with software usage and distribution.</p>

<p>To enforce these license agreements, the EasyBits framework attempts to uniquely identify what physical computer it’s running on. One way to do this identification is to simply read the serial number of the motherboard, which is often available through a public query to the BIOS.  </p>

<p>It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS. The function calls to do this are public and are available to any software running on your computer. Of course, in line with our Privacy Agreement, Skype does not retrieve any of this data. It is only used by the EasyBits software to ensure that plug-in use complies with the appropriate license token or key.</p>

<p>Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS. The <a href="http://www.skype.com/download/">current download of Skype for Windows</a>, version 3.0.0.216, includes this updated framework.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Deploying Skype in a Windows domain</title>
    <link rel="alternate" type="text/html" href="http://share.skype.com/sites/security/2007/01/deploying_skype_in_a_windows_d.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://share.skype.com/cgi/mt/mt-atom.cgi/weblog/blog_id=9/entry_id=3245" title="Deploying Skype in a Windows domain" />
    <id>tag:share.skype.com,2007:/sites/security//9.3245</id>
    
    <published>2007-01-03T14:09:54Z</published>
    <updated>2007-01-03T15:25:40Z</updated>
    
    <summary>One of our goals for 2006 was to make it easier for companies to deploy and manage Skype for Windows in a managed environment. I'm happy to say that by the end of 2006, we'd rolled out a native Microsoft...</summary>
    <author>
        <name>Kurt</name>
        <uri>http://www.skype.com</uri>
    </author>
    
        <category term="Skype security features" />
    
    <content type="html" xml:lang="en" xml:base="http://share.skype.com/sites/security/">
        <![CDATA[<p>One of our goals for 2006 was to make it easier for companies to deploy and manage Skype for Windows in a managed environment. I'm happy to say that by the end of 2006, we'd rolled out a native Microsoft Installer (msi) format installer for Skype (you can download it from the <a href="http://www.skype.biz/" target="_blank">Skype for Business website</a>). This should make it far easier to deploy Skype in a Windows domain than using the native Skype installer.</p>]]>
        <![CDATA[<p>Over the year-end holidays, when I wasn't working through my <a href="http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf" target="_blank">light technical reading</a> or adding items in my <a href="http://aikitraveller.blogspot.com/" target="_blank">personal blog</a>, I started thinking about what more we could do to make it easier to administer or manage Skype in an enterprise setting.</p>

<p>Currently, on the Windows platform, we offer management of a number of features via registry keys -- which can be locked using <a href="http://en.wikipedia.org/wiki/Access_control_list" target="_blank">ACLs</a> and deployed via <a href="http://en.wikipedia.org/wiki/Group_Policy_Object" target="_blank">Group Policy Objects</a> using Active Directory.  The purpose of each of the registry keys is described in the Guide for Network Administrators, available from Skype's <a href="http://www.skype.com/security/" target="_blank">security web pages</a>.</p>

<p>However, there remains much work to be done.  Some of the key questions I have for the future are:</p>

<p> * What's the best way to manage non-Windows devices (Macs and Linux) in a way that can be federated or managed in an enforceable way?<br />
 * Should we support some kind of policy broadcast mechanism, to require and/or suggest that itinerant users on networks follow certain policies, such as the use of a specific outbound proxy?</p>

<p>There is a lot of work ahead for us -- not just in the policy area but in security as a whole. Policy management is just one part of the process, but it is an important part.  Feel free to send your thoughts to us at <a href="mailto:security@skype.com">security@skype.com</a> or make reply comments to this posting.</p>

<p>Here's wishing everyone a safe & happy new year!</p>]]>
    </content>
</entry>

</feed>
