How bad is the Skype botnet threat?
Skype's sneakiness leads to a security risk.
By Peter Judge. Techworld | Published: 12:00, 25 January 2006
The revelation that VoIP traffic can be used as a covert control channel for a botnet is just one more security worry for Skype. It will add to opposition to Skype traffic from IT managers that don't want it on their networks.
In the botnet threat, Skype is not the threat itself, but a tool others might use. In a "botnet" a set of PCs is infected with Trojan software; they can then be controlled remotely and used to launch a denial of service attack on any victim. Skype would therefore be hijacked as the channel through which these bots are given instructions.
Botnets are usually tracked down by the commands used to control them - usually an IM or IRC stream. "VoIP offers a lot more scope for hiding information in the traffic," says Ian Brown, who leads the Internet security group at the Communications Research Network, which has publicised the threat. "There is a lot more traffic coming through, and audio traffic is a lot of random looking bits. If you can't see the botnet messages, you can't dismantle the botnet."
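To make Brown's point concrete: a simple content inspector of the kind used to spot IRC-based command channels keys on protocol verbs in plaintext, and has nothing to key on when the payload is random-looking audio. The following is an added illustration, not code from the article or from CRN; the payloads are constructed stand-ins (an IRC exchange, and uniformly random bytes standing in for compressed audio), and the verb list, the 7 bits/byte threshold and the labels are assumptions chosen for the demonstration.

```python
"""Why content inspection finds IRC/IM command channels but not VoIP-like ones.
Added illustration with constructed sample payloads; not from the article."""
import math
import random
import re
from collections import Counter

# IRC protocol verbs a plaintext command channel must use; classic signatures
# keyed on these (assumed list for the demonstration).
IRC_VERB_RE = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)
HIGH_ENTROPY_BITS = 7.0   # assumed threshold; compressed/encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify(payload: bytes) -> str:
    """Label a payload the way a simple content inspector would."""
    if printable_ratio(payload) > 0.9 and IRC_VERB_RE.search(payload):
        return "irc-like"   # inspectable: the command text is visible
    if shannon_entropy(payload) > HIGH_ENTROPY_BITS:
        return "opaque"     # random-looking: audio, encrypted data, or hidden commands
    return "other"


# --- constructed samples ---------------------------------------------------
IRC_SAMPLE = (
    b"NICK bot-0001\r\n"
    b"JOIN #control\r\n"
    b"PRIVMSG #control :status ok\r\n"
)
_rng = random.Random(1234)
# Stand-in for a codec frame: uniformly random bytes, as compressed audio looks.
AUDIO_LIKE_SAMPLE = _rng.randbytes(4096)
# Stand-in for commands hidden inside an audio stream: equally random from outside.
HIDDEN_C2_SAMPLE = _rng.randbytes(4096)


def demo() -> dict:
    """Classify all three samples; 'audio' and 'hidden' get the same label."""
    return {name: classify(p) for name, p in [
        ("irc", IRC_SAMPLE), ("audio", AUDIO_LIKE_SAMPLE), ("hidden", HIDDEN_C2_SAMPLE)]}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:7s} -> {label}")
```

The IRC sample is flagged because its command text is visible; the two random-looking samples receive the identical "opaque" label, which carries no signal on its own since legitimate voice traffic looks exactly the same. That indistinguishability is the detection gap the article describes.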
How dangerous is it?
We don't know how dangerous the threat could be: it's not been seen in the wild, but John Crowcroft, Marconi professor of communication systems at Cambridge, says it's "unfortunately very easy" to set up.
We don't even know how big a problem "regular" DoS attacks are, since they are not reported or logged anywhere. Although IT managers might fear it would damage their company's image, the CRN recommends this should change, and has suggested an anonymous reporting service, which might help to bring out patterns in DoS attacks.
“Criminal activity on the internet should be a notifiable event, with registration on a central database,” says CRN Chairman, David Cleevely. “It's important to remember that there are more of us good guys than there are bad guys. The more we share information between us, the more we stay ahead of the game.”
Skype is stealthy
Skype disputes that its traffic is any more dangerous than other traffic, but the application has gained a reputation for stealthiness, both in the way it gets onto systems, and in the way it guards the internals of its working.
Skype is designed to be easy for inexperienced end users to install, without the benefit of support from their ISPs or IT managers. It has to work unaided - and that means it has to be good at getting past firewalls and other security measures.
This can be a benefit, but for business, it means an unmanaged hole in a firewall, and an unaudited channel of communications - which in many industries may be against business regulations. Skype clients also act as servers, using bandwidth to handle other people's calls.
Lots of IT managers simply want to shut Skype down. "I wouldn't go so far as to say all companies should block Skype," says Brown, "but it's something they should be aware of."
Skype denies that it's unpopular with IT. "I speak frequently to enterprise IT departments and CIOs about trying to integrate Skype into their architectures," says Kurt Sauer, director of security operations at Skype.
But, even before the botnet threat emerged, the UK's university networks blocked Skype, says Crowcroft: "It's not to stop people getting free voice calls, but because the uncontrolled extra traffic gives us a large bill - and is against our acceptable use policy." When it lost the UK's university students, Skype lost two million paying customers, who would have bought credit for SkypeOut, says Crowcroft.
Blocking Skype is not easy, though, because Skype wants its software to be used. "There's an arms race between firewall manufacturers and applications like Skype," says Brown. IT managers block Skype as much as they can, but it often finds a way through.
It's down to open routing!
CRN announced the threat in an attempt to persuade Skype and others to be better citizens on corporate networks. If Skype's routing specifications were published, says Crowcroft, then IT managers could allow it on corporate networks, and be able to spot the patterns of traffic which mean it is being used maliciously, says the CRN.
"Customers should demand standards compliance from Skype," says Brown. Crowcroft reckons it's now in Skype's interest anyway: it could reach a bigger market by interworking with instant messenger tools that now offer voice. It would also be good for ISPs - if they knew the routing specifications, they could apply traffic engineering and deliver a better quality of service to VoIP users.
Skype doesn't see it that way: "It's what Gartner wants and it's what our competitors want," said Sauer. But he thinks the time to go standard is not yet. "VoIP itself is not through its innovation cycle. It's not a commodity. If people say we should standardise on a protocol, it would diminish our ability to innovate" (read our review of Skype 2.0, for a view on Skype's innovation).
Since Skype's user base is consumers, not the enterprise, it can afford to ignore calls to standardise - at least in theory. Which may be why the CRN chose to make the announcement the way it did.
CRN has taken a message about standards, and encapsulated it in the form of a security warning. In that sense, it's possible the real Trojan horse here is CRN.