New Edition of Skype More Difficult to Detect

Skype-blocking companies have been scrambling to update their products after the recent release of a new version of the software that is even harder to detect and block.

The beta of version 3.0 was made available only two weeks ago, and as expected, the client has been re-engineered to make its presence on network traffic tougher to spot, according to leading Skype-blocking outfit iPoque.

There have been a number of subtle but important alterations in 3.0, including a change to the way the client opens encrypted UDP channels to other clients, as well as to the packet lengths themselves. Since the software was already extremely hard to detect, and uses an encrypted channel once calls have been started, blocking filters have depended on tracing small but telltale patterns such as this.

The software also appeared to have been overhauled to make it less likely that intrusion prevention systems unable to properly identify Skype would classify its traffic as “bad” by lowering the number of TCP connections the client attempts to open. This would avoid triggering TCP thresholds set on such systems, said iPoque CEO Klaus Mochalski.

Some of the changes work only if clients at both ends of the connection are using version 3.0. The need to maintain backward compatibility meant that a new client connecting to an older version would make the connection using older and blockable patterns.

The company had revised its detection algorithms to take account of the changes, he said. The problem was then less detecting Skype as avoiding misidentification, which could create problems of its own.

“This time we had a hard time to find a pattern and not create false positives [at the same time],” said Mochalski. Despite this, the changes from version 2.5 to 3.0 had not been as significant as those from version 2.0 to 2.5, he indicated. In the longer run, it would be difficult for Skype to change so as to hide completely because it always had to release new software that maintained backward compatibility.

Germany-based iPoque markets hardware-based systems for detecting and blocking a range of unauthorized software from use on corporate networks, including Skype and notorious P2P systems such as BitTorrent.

There are other ways to block Skype, the simplest being to detect the presence of the client executable on the PC and stop it running in the first place. The tool offered by Sophos does this for nothing, but needs the presence of the Sophos antivirus client—into which its plugs—to work.

This mini-war has been raging for some time, with previous versions of the software using increasing levels of stealthiness to hide themselves from detection systems, mostly used by rival ISPs and governments. Many corporations, sensitive of data leakage, also have an urgent need to stop it.

-John E. Dunn, Techworld.com (London)

Related Links:

• Skype Phone from RTX Needs No PC Connection

• Skype Launches Its 1st Mobile Service

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.