Trojan.Peskyspy Records Skype VoIP Conversations

By GoldSparrow in Computer Security

Imagine you’re having a discussion with your bank using Skype VoIP, and a trojan is recording every word you say, from your name to your social security number. Well, now there is a computer trojan horse called Trojan.Peskyspy that has the ability to do just that: record conversations via Skype VoIP (Voice over IP).

Many of us in the security research world have heard of the Skype Trojan and the vulnerabilities discovered in much older versions of Skype in the past. Now Trojan.Peskyspy has come to the surface to target Skype, which is one of the most popular VoIP applications currently used.

Security experts have identified that Skype does not have any new vulnerability issues; rather, the Trojan.Peskyspy infection is able to listen to data traveling between the Skype processes and the audio device used for transmitting voice or sound. Basically, Trojan.Peskyspy hooks onto a Windows API (a core set of Application Programming Interfaces used by Windows applications) used for audio output and input to intercept the audio data sent between the Skype application and the installed audio device. This technique could be used with virtually any application, but it just happens to target Skype so that attackers could use this data to listen to VoIP conversations.

We have all seen government officials or special agents in action in movies where a wiretap is put into place for the purpose of spying on someone’s conversation. Trojan.Peskyspy could be the modern-day wiretap for hackers. Why attempt to beat the odds when you can use the Trojan.Peskyspy infection to record a private VoIP conversation via Skype? Even though Trojan.Peskyspy has not been found to spread from infected systems to other computers, Trojan.Peskyspy is a viable threat to anyone using most versions of Windows, including Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.

A computer user who is infected with Trojan.Peskyspy may not suspect that anything is wrong, considering that this trojan only creates a small mp3 file containing the recording of the Skype conversation. The mp3 file is later transmitted from the infected system to the remote attacker.

Symantec, a security vendor, has discovered that the source code for Trojan.Peskyspy is publicly available. This may give other hackers the resources to easily create a much more devastating infection that could potentially be programmed to spread from infected systems.

Trojan.Peskyspy is currently thought to be a way for attackers to prove a concept and not a reason to cause panic over a new threat running loose on the internet. eBay and Microsoft have yet to respond or comment on the Trojan.Peskyspy trojan parasite.

It is very possible that we will see more Trojans or malware use the same methods as Trojan.Peskyspy to “spy” on computer users. Since the source code of Trojan.Peskyspy is publicly available, do you think hackers will use it to target other applications besides Skype?

Trojan.Peskyspy Update

After further research and analysis of Trojan.Peskyspy, it has been determined that the source code of Trojan.Peskyspy was initially released by a Swiss programmer by the name of Ruben Unteregger. We are also able to reveal that the .mp3 files created by Trojan.Peskyspy are saved in a predetermined folder, under one of the following paths:

  • [PREDETERMINED FOLDER NAME]\[CALLER ID]-[PACK NUMBER]-SkypeOut-[YEAR-MONTH-DAY-HOUR-MINUTE-SECOND].mp3
  • [PREDETERMINED FOLDER NAME]\[CALLER ID]-[PACK NUMBER]-SkypeIn-[YEAR-MONTH-DAY-HOUR-MINUTE-SECOND].mp3

The SkypeDLLInjector.exe executable file was found to be the culprit for injecting Trojan.Peskyspy onto a system. After Trojan.Peskyspy is installed, it has the capability, when sending data through the backdoor, to scan for and bypass the following processes, which are related to popular firewalls:

  • avgfwsrv.exe
  • bdagent.exe
  • bdmcon.exe
  • fsdfwd.exe
  • kadmin.exe
  • Mcdetect.exe
  • McShield.exe
  • mpfagent.exe
  • mpfservice.exe
  • outpost.exe
  • webroot.exe
  • zlclient.exe
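
The two recording file-name patterns given in the update above lend themselves to a file-system sweep during triage. The following Python script is an added example, not code from the original article or from the trojan's source; the function names, the four-digit year and the digit-only pack number are assumptions.

```python
import ntpath
import os
import re
import sys
from datetime import datetime

# File-name layout from the article:
#   [CALLER ID]-[PACK NUMBER]-SkypeOut|SkypeIn-[YEAR-MONTH-DAY-HOUR-MINUTE-SECOND].mp3
# Assumptions (not stated on the page): pack number and date fields are decimal
# digits with a four-digit year. The caller ID is matched greedily so Skype
# names that themselves contain hyphens still parse.
RECORDING_RE = re.compile(
    r"^(?P<caller>.+)-(?P<pack>\d+)-Skype(?P<direction>In|Out)-"
    r"(?P<ts>\d{4}(?:-\d{1,2}){5})\.mp3$",
    re.IGNORECASE,
)

def parse_recording_name(name):
    """Return the fields of a matching recording name, or None."""
    m = RECORDING_RE.match(ntpath.basename(name))
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d-%H-%M-%S")
    except ValueError:  # digits in the right shape but not a real date/time
        return None
    return {
        "caller": m.group("caller"),
        "pack": int(m.group("pack")),
        "direction": m.group("direction").capitalize(),
        "recorded": when,
    }

def find_recordings(root):
    """Walk a directory tree and return (path, fields) for every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            fields = parse_recording_name(fname)
            if fields:
                hits.append((os.path.join(dirpath, fname), fields))
    return sorted(hits, key=lambda h: (h[1]["recorded"], h[1]["pack"]))

if __name__ == "__main__":
    for path, f in find_recordings(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['recorded']:%Y-%m-%d %H:%M:%S} {f['direction']:<3} "
              f"caller={f['caller']} pack={f['pack']} {path}")
```

Because the page does not name the predetermined folder, the script walks the whole tree it is given, such as a user profile or a mounted disk image.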

This entry was posted on 09/1/09 and is filed under Computer Security.

Copyright 2003-2010. Enigma Software Group USA, LLC. All Rights Reserved.