Papers no image

Published on February 20th, 2011 | by NJ Ouchn


A Distributed Cracker for VoIP

Source: Symantec

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.

Let’s rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lied in the source of the attack, as it seemed the traffic originated from many different IPs. No specific malware was traced back to these attacks, though.

Recently, malware propagated by Sality caught our attention. It certainly stayed under our radar for a few months, and is the one that caused SIP administrators troubles last November. This malware, a distributed SIP cracker, is new in many aspects (there are known SIP crackers – tools or PoC, but no known in-the-wild malware, let alone one that implements SIP cracking in a distributed fashion.)

Bots connect to a command and control (C&C) server, which gives them orders as to what SIP-related operations should be performed. The diagram below summarizes the interactions between a bot, the C&C server, and a target machine (in the example, a SIP server):

The features implemented are as follows:

SIP user account discovery for a specified server

When instructed to do so, the bot will first try to register a random user account against a targeted server, as instructed by the C&C. If the server is indeed a SIP server, the registration will likely fail and the server will return a 404 page not found error code. The bot will then try to register 10,000 user accounts (accounts “0” to “9999”). It seems this command is not fully implemented and therefore not used.

A typical forged REGISTER request would look like the following:

REGISTER sip:<UserId>@<ServerAddress> SIP/2.0
Via: SIP/2.0/UDP <ServerAddress>:5060;branch=<RandomBranch>;rport
Content-Length: 0
From: <sip:<UserId>@<ServerAddress>>; tag=<RandomTag>
Accept: application/sdp
User-Agent: Asterisk PBX
To: <sip:<UserId>@<ServerAddress>>
Contact: sip:<UserId>@<ServerAddress>
Call-ID: <RandomId>
Max-Forwards: 70

Continue Reading

Tags: , ,

About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"

Back to Top ↑