A software developer who designed a way to tap and record calls made on Skype and other VoIP networks has made the source code of the spying program public, a move he said will allow other programmers to build workarounds to the potential threat. The programmer, Ruben Unteregger, was tasked by his former company ERA IT Solutions to write a Trojan horse program that could tap VoIP calls for the Swiss government.

Apparently, the program bypassed Skype’s heralded encryption process, one that has vexed security officials in Europe multiple times.

In a translated interview, Untregger discussed his rationale for releasing the code.

“The code will be published, it will get analyzed as soon as the binaries got uploaded, signature patterns will be created by anti-virus companies, the malware will be detected, blocked and deleted, if it tries to infect a system,” Untregger said.

Untregger’s motives appear to be genuinely in the interest of private citizens and enterprises that use VoIP services like Skype, as the publicizing of the code makes its use by security agencies redundant, according to a Computer World report. However, making this code available could have negative repercussions if hackers can use it to build even more powerful tapping programs. Other instances of Skype hacking, such as China’s purported monitoring of dissident communication via VoIP programs, gives one pause when considering the public availability of such information.

At the Black Hat security conference, Austrian IT security specialist Peter Kleissner presented a bootkit called Stoned which is capable of bypassing the TrueCrypt partition and system encryption. A bootkit combines a rootkit with the ability to modify a PC’s Master Boot Record, enabling the malware to be activated even before the operating system is started.

Available as source code, Kleissner’s bootkit can infect any currently available 32-bit variety of Windows from Windows 2000 to Windows Vista and the Windows 7 release candidate. Stoned injects itself into the Master Boot Record (MBR), a record which remains unencrypted even if the hard disk itself is fully encrypted. During startup, the BIOS first calls the bootkit, which in turn starts the TrueCrypt boot loader. Kleissner says that he neither modified any hooks, nor the boot loader, itself to bypass the TrueCrypt encryption mechanism. The bootkit rather uses a “double forward” to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt. Kleissner tailored the bootkit for TrueCrypt using the freely available TrueCrypt source code.

Once the operating system has been loaded, Stoned can get to work and install malware, such as a banking trojan, in the system. Peter Kleissner, who is only 18 years old, has also included several plug-ins, for example a boot password cracker and a routine for infecting the BIOS. The framework layout of Stoned allows other programmers to develop their own plug-ins for the bootkit. Kleissner thinks that Stoned could also be of interest to investigation agencies, for example for developing a federal trojan.

Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.

However, administrator privileges or physical access to a system are required for an infection. At present, only machines running the traditional BIOS are vulnerable. The attack is unsuccessful when the BIOS successor the Extensible Firmware Interface (EFI) is at work on the motherboard. The most effective protection appears to be encrypting the entire hard disk with software that is based on the Trusted Platform Module (TPM).

For instance, using Windows’ own BitLocker encryption mechanism is said to be a reliable antidote, because an infected MBR’s hash value no longer corresponds to the hash value stored in the TPM, prompting the TPM to abort the boot process. Kleissner didn’t have an answer to the question whether a hardware-encrypted hard disk is capable of preventing an infection.