Trojan.Peskyspy Records Skype VoIP Conversations


Imagine you're having a discussion with your bank using Skype VoIP and a Trojan is recording every word you say, from your name to your social security number!


Well, now there's a computer Trojan horse called Trojan.Peskyspy that has the ability to do just that: record conversations via Skype VoIP (Voice over IP).

It's not the first time that Trojans have been written to target Skype users, but it's definitely the first time that a Skype Trojan has the ability to record Skype calls. Security experts have identified that Skype does not have any new vulnerability issues; rather, the Trojan.Peskyspy infection is able to listen to data traveling between the Skype processes and the audio device used for transmitting voice or sound.

Swiss programmer Ruben Unteregger developed Trojan.Peskyspy and released the source code on his website megapanzer(dot)com. According to Unteregger's interview with gulli.com, he created Trojan.Peskyspy for Swiss and probably German law enforcement agencies.

So how does Trojan.Peskyspy record Skype calls?


Basically, Trojan.Peskyspy hooks onto a Windows API (a core set of Application Programming Interfaces used by Windows applications) used for audio output and input to intercept the audio data sent between the Skype application and installed audio device. This process could be used with virtually any application but it just happens to target Skype so that attackers could use this data to listen to VoIP conversations.

We have all seen government officials or special agents in action in movies where a wiretap is put into place for the purpose of spying on someone's conversation. Trojan.Peskyspy could be the modern-day wiretap for hackers. Why attempt to beat the odds when you can use the Trojan.Peskyspy infection to record a private VoIP conversation via Skype? Even though Trojan.Peskyspy has not been found to spread from infected systems to other computers, Trojan.Peskyspy is a viable threat to anyone using most versions of Windows, including Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.

The file that injects the Trojan is named SkypeDLLInjector.exe. Trojan.Peskyspy saves .mp3 files with the following file names and keeps them in a predetermined folder:
  • [PREDETERMINED FOLDER NAME]\[CALLER ID]-[PACK NUMBER]-SkypeIn-[YEAR-MONTH-DAY-HOUR-MINUTE-SECOND].mp3
  • [PREDETERMINED FOLDER NAME]\[CALLER ID]-[PACK NUMBER]-SkypeOut-[YEAR-MONTH-DAY-HOUR-MINUTE-SECOND].mp3
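
The naming scheme above gives defenders something to search for. The following is an added example, not code from the original article or from the Trojan's author: it checks a file listing for the injector name and for recordings that follow the published pattern. The digit widths of the pack number and timestamp, the function names and the sample paths are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

INJECTOR_NAME = "skypedllinjector.exe"  # injector file name given in the article
# Layout from the article: [CALLER ID]-[PACK NUMBER]-SkypeIn|SkypeOut-[Y-M-D-H-M-S].mp3
# Assumptions: decimal pack number; timestamp is six hyphen-separated numeric
# fields. The caller ID is greedy, so IDs that contain hyphens still parse.
RECORDING_RE = re.compile(
    r"^(?P<caller>.+)-(?P<pack>\d+)-Skype(?P<direction>In|Out)-"
    r"(?P<stamp>\d{4}(?:-\d{1,2}){5})\.mp3$",
    re.IGNORECASE,
)

def classify(path):
    """Return a finding dict for one Windows path, or None if it does not match."""
    p = PureWindowsPath(path)
    if p.name.lower() == INJECTOR_NAME:
        return {"kind": "injector", "path": path}
    m = RECORDING_RE.match(p.name)
    if not m:
        return None
    return {"kind": "recording", "path": path, "folder": str(p.parent),
            "caller": m.group("caller"), "pack": int(m.group("pack")),
            "direction": m.group("direction").capitalize(), "stamp": m.group("stamp")}

def hunt(paths):
    """Split a file listing into injector copies and recordings grouped by folder."""
    injectors, by_folder = [], defaultdict(list)
    for finding in filter(None, map(classify, paths)):
        if finding["kind"] == "injector":
            injectors.append(finding["path"])
        else:
            by_folder[finding["folder"]].append(finding)
    return injectors, dict(by_folder)

# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Users\alice\Music\holiday-mix-2009.mp3",
    r"C:\Temp\cache\SkypeDLLInjector.exe",
    r"C:\Temp\cache\bob.smith-3-SkypeIn-2009-8-27-14-5-9.mp3",
    r"C:\Temp\cache\bob.smith-3-SkypeOut-2009-8-27-14-5-9.mp3",
    r"C:\Temp\cache\help-desk-12-SkypeIn-2009-08-28-09-30-00.mp3",
]

if __name__ == "__main__":
    found_injectors, found_folders = hunt(SAMPLE)
    print("injector copies:", found_injectors)
    print({folder: len(hits) for folder, hits in found_folders.items()})
```

Because the source code is public, a rebuilt variant can use different names, so a clean result from a name match does not rule out infection.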

After Trojan.Peskyspy is installed, it has the capability, when sending data through the backdoor, to scan and bypass the following processes, which are related to popular firewalls:
  • avgfwsrv.exe
  • bdagent.exe
  • bdmcon.exe
  • fsdfwd.exe
  • kadmin.exe
  • Mcdetect.exe
  • McShield.exe
  • mpfagent.exe
  • mpfservice.exe
  • outpost.exe
  • webroot.exe
  • zlclient.exe

A computer user who is infected with Trojan.Peskyspy may not suspect that anything is wrong, considering that this Trojan only creates a small mp3 file containing the recording of the Skype conversation. The mp3 file is later transmitted from the infected system to the remote attacker.

How to Protect Yourself from Trojan.Peskyspy


To protect your PC from Trojan.Peskyspy, it is important to run the latest Skype version so that you have up-to-date Skype bug fixes. Also, use Microsoft's Windows Update program to ensure that your Windows operating system is up to date with all security updates and patches. If you suspect that your system is infected with Trojan.Peskyspy, you can run an anti-virus or anti-spyware application to detect and remove Trojan.Peskyspy.

Symantec, a security vendor, has discovered that the source code for Trojan.Peskyspy is publicly available and could work on other popular VoIP applications. This may give other hackers the resources to easily create a much more devastating infection that could potentially be programmed to spread from infected systems.

Trojan.Peskyspy is currently thought to be a way for attackers to prove a concept and not a reason to cause panic over a new threat running loose over the Internet. eBay and Microsoft have yet to respond or comment on Trojan.Peskyspy.

It is very possible that we will see more Trojans or malware use the same methods as Trojan.Peskyspy to "spy" on computer users. Since the source code of Trojan.Peskyspy is publicly available, do you think hackers will use it to target other applications besides Skype?
