The Skype weakness demonstrated by M86 takes advantage of an unspecified vulnerability addressed by an updated version of the VoIP service released in October 2009.
According to a blog posting from M86 SecurityLabs researcher Daniel Chechik, it takes advantage of a security hole in a Skype plug-in called EasyBits Extras Manager, which Skype designed to prevent the illegal dissemination of licensed commercial software.
“Malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass anti-virus security solutions”, noted Chechik’s posting. “We can confirm this exploit code works successfully against vulnerable Skype installations.”
Indeed, according to M86’s submission of the code to the analysis website VirusTotal, the Skype exploit is detected by only 2.44% of anti-virus engines.
Ed Rowley, product manager at M86, lent his view as to why this exploit has such dismal anti-virus recognition: “The low AV detection rate is due to a combination of factors, but it basically boils down to dynamic code obfuscation rendering, in this case, signature-based AV redundant. Although AV signature-based engines remain a very important and efficient security tool when it comes to dealing with known threats”, he added.
“Cyber-criminals employ a number of techniques to hide the actual intent of the code, from encryption to dynamic code, where parts of the code are randomized so that they appear different each time the page is visited, making signature generation and heuristic analysis more difficult”, Rowley continued.
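A defender-side sketch of the limitation Rowley describes, added here as an illustration (not code from M86 or the original article): two constructed, harmless script variants that differ only in randomized names, string splits and layout get different exact-hash signatures, while a fingerprint over the normalized token stream still matches. The sample scripts, function names and keyword list are assumptions made for this example.

```python
import hashlib
import re

# JavaScript words that carry structure and are kept as-is (partial list, enough for the samples).
KEYWORDS = {"var", "function", "return", "for", "if", "else", "new", "while"}

TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<punct>[^\s\w])
""", re.VERBOSE | re.DOTALL)

# Constructed, benign samples: A and B are the same logic with renamed identifiers and new layout.
VARIANT_A = 'var qzx = "he" + "llo";\nfunction kpw(a){ return a.length * 2; }\nkpw(qzx);'
VARIANT_B = '/* v2 */ var mmt = "hel" + "lo";\nfunction rdy(b) {\n  return b.length * 2;\n}\nrdy(mmt);'
DIFFERENT = 'var total = 0;\nfor (var i = 0; i < 3; i++) { total += i; }'

def exact_signature(script: str) -> str:
    """Byte-exact signature: any renamed variable or extra space changes it."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()

def structural_fingerprint(script: str) -> str:
    """Hash of the token stream with names, literals, comments and whitespace normalized."""
    tokens = []
    for m in TOKEN_RE.finditer(script):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "string":
            tokens.append("STR")
        elif kind == "number":
            tokens.append("NUM")
        elif kind == "ident":
            tokens.append(text if text in KEYWORDS else "ID")
        else:
            tokens.append(text)
    return hashlib.sha256(" ".join(tokens).encode("utf-8")).hexdigest()

def compare(a: str, b: str) -> tuple:
    """Return (exact signatures match, structural fingerprints match)."""
    return exact_signature(a) == exact_signature(b), structural_fingerprint(a) == structural_fingerprint(b)

if __name__ == "__main__":
    print("A vs B:", compare(VARIANT_A, VARIANT_B))
    print("A vs unrelated:", compare(VARIANT_A, DIFFERENT))
```

Obfuscation that also changes the code's structure defeats this kind of normalization too, which is why such fingerprints complement rather than replace behavioural analysis and prompt patching.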
Chechik believes the real problem here is not with anti-virus detection but a lack of updated software, as fully updated Skype users are not vulnerable to this attack. “Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals”, said the M86 researcher.