Skype-blocking companies have been scrambling to update their products after the recent release of a new version of the software that is even harder to detect and block.
The beta of version 3.0 was made available only two weeks ago and, as expected, the client has been re-engineered to make its presence on network traffic tougher to spot, according to leading Skype-blocking outfit iPoque.
There have been a number of subtle but important alterations in 3.0, including a change to the way the client opens encrypted UDP channel to other clients, as well as to the packet lengths themselves. Since the software was already extremely hard to detect, and uses an encrypted channel once calls have been started, blocking filters have depended on tracing small but telltale patterns such as this.
The software also appeared to have been overhauled to make it less likely that intrusion prevention systems (IPSs) unable to properly identify Skype would classify its traffic as “bad” by lowering the number of TCP connections the client attempts to open. This would avoid triggering TCP thresholds set on such systems, said iPoque CEO Klaus Mochalski.
Some of the changes only work if clients at both end of the connection are using version 3.0. The need to maintain backwards compatibility meant that a new client connecting to an older version would make the connection using older and blockable patterns.
The company had now revised its detection algorithms to take account of the changes, he said. The problem was now less detecting Skype as avoiding mis-identification, which could create problems of its own.
“This time we had a hard time to find a pattern and not create false positives [at the same time],” said Mochalski. Despite this, the changes from version 2.5 to 3.0 had not been as significant as those from version 2.0 to 2.5, he indicated. In the longer run, it would be difficult for Skype to change so as to hide completely because it always had to release new software that maintained backwards compatibility.
Germany-based iPoque markets hardware-based systems for detecting and blocking a range of unauthorised software from use on corporate networks, including Skype and notorious P2P systems such as BitTorrent.
There are other ways to block Skype, the simplest being to detect the presence of the client executable on the PC and stop it running in the first place. The tool offered by Sophos does this for nothing but needs the presence of the Sophos anti-virus client - into which its plugs - to work.
This mini-war has been raging for some time with previous versions of the software using increasing levels of stealthiness to hide themselves from detection systems, mostly used by rival ISPs and governments. Many corporates, sensitive of data leakage, also have an urgent need to stop it.