
I am frequently getting warnings from my ESET firewall, like that pictured below, that Skype is attempting to communicate over SSL with a remote computer that has an untrusted certificate:

(screenshot: ESET warning)

The remote computer is always a different host. I don't ever know or recognize the remote computer, and I am very alarmed at this. Does anyone have an explanation for this?

Shaul Behr
  • This is how you verify it within 5 minutes if your computer is compromised. Use a virtual machine, install Skype and ESET on it, if you get the same warning then this is either a localized issue because of your location (Israel) or a misconfigured server. – Ramhound Dec 05 '12 at 14:18
  • @Ramhound - good idea, though the promise of 5 minutes is not realistic. This message does not appear on any predictable basis, so it could be days before it ever happens. Being that this is the case, if we're lucky the message will appear again, but if it doesn't appear, it doesn't prove that I've been compromised; it could just mean that all the supernodes Skype is using have valid SSL certificates... – Shaul Behr Dec 05 '12 at 14:23
  • It not always appearing is important information. Yes, 5 minutes is not realistic, but you understood the purpose of it. The end result is you verify if the warning appears on the virtual machine even if it's eventually. – Ramhound Dec 05 '12 at 14:29
  • I have uninstalled and reinstalled Skype from a clean download; let's see if this makes a difference... – Shaul Behr Dec 06 '12 at 15:17

4 Answers


Yes, be alarmed. It looks like something injected into Skype is trying to communicate with an untrusted server in Ukraine. There's no reason for Skype to be doing this normally.

A bit of investigation on the domain returns this information:

domain:     pakko.ua
admin-c:    PC226-UANIC
tech-c:     IMENA-UANIC
status:     OK-UNTIL 20131123175521
dom-public: NO
license:    43288
nserver:    ns1.imena.com.ua
nserver:    ns3.imena.com.ua
nserver:    ns2.imena.com.ua
mnt-by:     IMENA-UANIC (ua.imena)
created:    0-UANIC 20041123175521
changed:    IMENA-UANIC 20121011174615
source:     UANIC

nic-handle:     PC226-UANIC
organization:   Pakko Corporation
address:        Klima Savura 21
address:        Lutsk Ukraine
fax-no:         +380332 78 94 39
phone:          +380332 78 94 94

A quick search for "Pakko Corporation" returns a limited liability company in Ukraine:

Address:
21а, Savura str., c. Lutsk, Volyn reg., 43005, Ukraine
Telephone:
+38(0332) 78-91-90, 78-94-89
Web-site:
http://www.pakko.ua

They list their employee count as between 50 and 100. A bit more digging finds a previous employee on LinkedIn and a bit more info.

So it looks like a legitimate company, but I don't fancy going on their website to work out what they do. I'd guess that their site has been compromised and is now being used as a command and control server.

I'd guess you've got some sort of malware that has injected a thread into Skype, since it's a program that's usually allowed to communicate with the network. Since your machine is likely compromised, my recommendation is to nuke it from orbit and start over.

Polynomial
  • Um... you sure that's not overkill? I mean, if my computer indeed has been compromised, then I accept that it may be necessary to nuke it. I have not, to my knowledge, done anything that would have allowed my computer to be compromised, and I am the only user. Nuking my computer is going to come at a pretty big cost to me. I want to be totally sure that this is really a bona fide attack, not that I'm going to lose a bunch of data and a couple days of productivity just on the suspicion that my computer might have been compromised... – Shaul Behr Dec 05 '12 at 10:59
  • In general, if there is any compromise then you cannot be sure of removing it unless you wipe and rebuild. Definitely make sure that it is a compromise first (Skype is quite profligate with contacting supernodes) but it sounds from @Poly's initial research that this is malicious. – Rory Alsop Dec 05 '12 at 11:13
  • @Shaul Could just be supernodes, but I fail to see why various foreign servers would be supernodes, unless you're actually in Ukraine and most of them are from there. It doesn't really make sense. Skype also happens to be a big attack surface for remote exploits, so you might not have to even _do_ anything in order to get compromised. – Polynomial Dec 05 '12 at 11:31
  • Pardon my ignorance - what is a supernode? – Shaul Behr Dec 05 '12 at 11:59
  • The remote servers are not all in Ukraine, but AFAIR they do tend to be in the FSU. – Shaul Behr Dec 05 '12 at 12:00
  • Poly, with all respect, I'm not nuking my computer on the off chance that maybe it's infected, when there's a very plausible and reasonable alternative explanation on offer. Same way when I get a headache, I take paracetamol before moving on to morphine. – Shaul Behr Dec 05 '12 at 14:31
  • Shaul, how about taking the conversation to [chat] - comments are not really suited for this so I'll be cleaning up now. – Rory Alsop Dec 06 '12 at 13:54
  • I uninstalled and reinstalled Skype, and this warning message still appears from time to time, each time relating to a different remote server. I ran an ESET scan on the entire computer, 0 threats found. Before I go nuking from orbit, are there any better AV programs that might have a better chance of detecting & cleaning this sucker? – Shaul Behr Dec 19 '12 at 08:15
  • @RoryAlsop courtesy ping - I have an answer – Shaul Behr Dec 26 '12 at 14:17

This might simply be a Skype Supernode (I no longer think so). That said, I think there are some red flags:

  • The server is in Ukraine and it belongs to a company that doesn't seem to have business with Microsoft/Skype, and they don't seem to be in a position to host a Skype Supernode.

  • Server is running ProFTPD 1.2.10 behind an open port 21. I don't see why a Skype supernode (supposed to be secured and whatnot) is running an FTP server like that, instead of tunneling through SSH (SFTP).

  • Nmap scan reveals SMTP (465), IMAP (993), POP3 (995). Which doesn't look very Skype Supernodish to me, I'd rather say it's being used as a spam-generation server.

If you're looking for someone to tell you what to do and take responsibility for your own actions, that's not gonna happen. The data is here, based on MY judgment I stand with Polynomial's opinion, this looks like something to worry about.

Here's the Nmap scan in question.

Update:
I've done another deeper scan, I'd say with 90% certainty this is NOT a Skype Supernode.

  • Running Microsoft IIS on port 4040, edonkey on port 4662.
  • Running some httpd on port 443 (should be used by Skype)
  • Isn't using port 80 (should be used by Skype)

2nd Update:

If this was a legitimate Skype Supernode, then one of the following cases apply:

  • It's run by Microsoft or Microsoft partners/associates. Then I don't think it should run insecure services and things like eDonkey.

  • It's a normal user that opted-in to be a node. Then port 443 and port 80 should be open and used by Skype.

Adi
  • VMWare ESXi runs on a cut down Linux kernel - it definitely does not run "on Windows" -- although, the open ports and so on looks very suspicious to me. – Callum Wilson Dec 05 '12 at 14:40
  • @CallumWilson, thanks, I'll update my answer. I'm also running a deeper scan, initial results are even more suspicious. – Adi Dec 05 '12 at 14:41
  • interested in the results of this. Although, given the choice of conspiracy or cockup, it's probably a poor quality supernode. – Callum Wilson Dec 05 '12 at 14:46
  • @CallumWilson, at this point I don't think this is a Skype Supernode – Adi Dec 05 '12 at 14:57
  • I saw the nmap output. MySQL? SIP? some strange things there but in principle you could run a supernode with other services running. – Callum Wilson Dec 05 '12 at 15:11
  • @CallumWilson. To some extent, I agree with you. But according to Microsoft they're using their own Linux boxes, unless IIS can be functional on Linux, and Microsoft allows running eDonkey on the Skype supernodes, this doesn't look like one. – Adi Dec 05 '12 at 15:19
  • I need to look more deeply; but I understand that a user can elect to be a supernode by changing the config of their skype client. see http://chris.pirillo.com/are-you-a-skype-supernode/ – Callum Wilson Dec 05 '12 at 15:40
  • @CallumWilson. While that's indeed correct, as you can see from the Nmap scans that server isn't utilizing port 443 or 80 (used by Skype clients when they become nodes). – Adi Dec 05 '12 at 17:04
  • courtesy ping - I have an answer – Shaul Behr Dec 26 '12 at 14:17
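A small triage script for the reasoning in this answer (an added example, not Adi's code or the original scan): it parses nmap port-table lines and compares the open services with the profile the answer assumes for a Skype node (80 and 443 in use, no FTP, mail or eDonkey services). The sample scan lines and the expected-port profile are constructed from the answer's text, not taken from the real host.

```python
import re
from dataclasses import dataclass

# Constructed nmap-style lines reproducing the ports the answer lists (not the original scan).
SAMPLE_NMAP = """\
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      ProFTPD 1.2.10
80/tcp   closed http
443/tcp  open   ssl/http Apache httpd
465/tcp  open   ssl/smtp
993/tcp  open   ssl/imap
995/tcp  open   ssl/pop3
4040/tcp open   http     Microsoft IIS httpd
4662/tcp open   edonkey
"""

# Assumed profile of a user-hosted Skype node: the answer's claim that ports 80 and 443
# should be open and used by Skype. Services it singles out as red flags are listed too.
EXPECTED_NODE_PORTS = {80, 443}
RED_FLAG_SERVICES = {"ftp", "smtp", "imap", "pop3", "edonkey"}
# One 'PORT STATE SERVICE [VERSION]' line; the header and other text do not match.
LINE_RE = re.compile(r"^(\d+)/\w+\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Port:
    number: int
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Parse nmap port-table lines into Port records, ignoring everything else."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, state, service, version = m.groups()
            ports.append(Port(int(num), state, service, version or ""))
    return ports


def triage(ports):
    """Return (expected ports not open, open ports outside the profile, red-flag ports)."""
    open_ports = {p.number: p for p in ports if p.state == "open"}
    missing = sorted(EXPECTED_NODE_PORTS - set(open_ports))
    unexpected = sorted(n for n in open_ports if n not in EXPECTED_NODE_PORTS)
    # 'ssl/smtp' counts as smtp: strip the tunnel prefix before matching.
    red_flags = sorted(n for n, p in open_ports.items()
                       if p.service.split("/")[-1] in RED_FLAG_SERVICES)
    return missing, unexpected, red_flags
```

Running `triage(parse_nmap(SAMPLE_NMAP))` on the constructed lines reports port 80 as missing and flags 21, 465, 993, 995 and 4662, which is the answer's argument in mechanical form.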

Skype uses a Peer to Peer model to route "calls" through the internet which means that part of the lookup function is being routed through unknown third parties.

Microsoft (when they bought Skype) changed the model earlier this year so that it mainly routes through semi-trusted nodes (i.e. not some guy's home broadband!) which they call "Supernodes" - apparently they are in "secure datacentres" and are, obviously, spread around the globe.

As I understand it, this tech is used to find users - the calls themselves are not passed through supernodes.

There are plenty of people that do not trust Skype because they have not revealed how their security system works, in particular encryption.

Callum Wilson
  • Aha, very interesting! So you think this Ukrainian site is just a supernode? – Shaul Behr Dec 05 '12 at 12:35
  • they're probably a local Microsoft supplier who have agreed to host a Skype supernode. In the good old days of Skype, everyone was a node in a pure P2P networking sense. – Callum Wilson Dec 05 '12 at 13:29
  • Right, so the only reason ESET is reporting it is because their SSL certificate has expired, or something like that? Sounds reasonable... – Shaul Behr Dec 05 '12 at 14:15
  • @Shaul - Verify this. Use a clean virtual machine. If you get the same error message then it's a misconfigured server, if you don't get the error, then your host operating system is infected. – Ramhound Dec 05 '12 at 14:21
  • @Ramhound courtesy ping - I have an answer – Shaul Behr Dec 26 '12 at 14:15

Well, after everything, I ran several antivirus checks, from different AV vendors, and nothing suspicious was found. I logged support calls with both ESET and Skype regarding this issue. The folks at ESET told me over the phone that it's safe to approve, and Skype email tech support wrote:

We can assure you that this is not due to malware.

I couldn't get anyone to explain exactly why Skype is communicating over SSL to arbitrary untrusted hosts, but given this reassurance from I at least do not feel the need to nuke from orbit, even if I do keep pressing "No" when this message appears.

Shaul Behr
  • And I think customer support are idiots who thought you were talking about a supernode and didn't even bother to check the website in question. This sounds like an infection to me. As Skype normally starts up along with Windows, it's a prime candidate for injection. – Mints97 Apr 09 '15 at 11:11
  • @Mints97 well, it's been over 2 years since I asked the question; I did *not* nuke from orbit, and everything seems to have been fine since then... maybe I just got lucky... :) – Shaul Behr Apr 11 '15 at 18:48