Symantec Corp. researchers have discovered a Trojan designed to listen and record conversations via the popular Skype VoIP application, in what could be the first wiretap Trojan discovered in the wild.
Called Trojan.Peskyspy, the malware uses Windows API calls to grab sound coming from various audio devices plugged into a victim's computer, Symantec said. It intercepts audio data and converts the stream into an MP3 file, which is then stored on the victim's machine.
Symantec said Skype was targeted likely because of its large install base. Users of the application have been targeted in the past by malware writers. Attackers attempted to spread a password-stealing Trojan via Skype in 2006. Since then malware authors have attempted to spread malware by sending malicious links via the VoIP application.
Experts have also warned about the application's use of proprietary cryptographic protocols as well as unencrypted communications related to call setup that may make it possible for an eavesdropper to perform traffic analysis.
Symantec is calling the Peskyspy Trojan a proof-of-concept. So far the Trojan does not contain any method to spread from one computer to another, Symantec said. Once the Trojan is installed on a victim's machine, it bypasses security protocols or encryption applied by Skype because it sits between the Skype process and the audio device.
"Essentially, it sits below these security measures, recording the audio at the Windows level -- before outbound audio from the microphone gets to Skype and after incoming audio leaves Skype and reaches the speakers," Symantec wrote in a blog post about the new Skype Trojan.
The Trojan contains a back door, which enables an attacker to send the captured audio to a new location for listening.