Vulnerability Development mailing list archives

Re: Skype API Ap2Ap Stream Creation Flaw


From: Stephen Samuel <samnospam () bcgreen com>
Date: Mon, 21 Aug 2006 13:28:46 -0700

Other than the fact that this takes advantage of Skype's built-in encryption, I don't see how this is that much different than any other network-capable application being built with backdoors and call-home capability.

vizig0thblitz () gmail com wrote:
An application-to-application stream can be created between two Skype clients without having established normal 
communications between them and both Skype clients' contact lists are empty.  With this ability any Skype-enabled 
application can create a covert communication stream to a central server.  This can only occur, of course, if the user 
voluntarily installs the application.  Therefore, the main attack vector for this functionality is to create a legitimate 
Skype-enabled application, have the user install the application, and once the user starts the application make a covert 
connection to a central server.  Once the connection to the central server is made, additional software can be downloaded 
and installed on the target computer via the application-to-application stream.

Scenario Setup:

The following will be needed to recreate the scenario:

1. Two computers with Skype installed and two separate Skype IDs that have had no communication between them.

2. A copy of SkypeTracer installed on each computer.

Scenario Steps:
. . . . .

--
Stephen Samuel +1(778)861-7641             samnospam () bcgreen com
                   http://www.bcgreen.com/
  Powerful committed communication. Transformation touching
    the jewel within each person and bringing it to light.

