A Distributed Cracker for VoIP

Source: Symantec

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.

Let’s rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lay in the source of the attack: the traffic seemed to originate from many different IP addresses. No specific malware was traced back to these attacks, though.

Recently, malware propagated by Sality caught our attention. It had clearly stayed under our radar for a few months, and it is the one that caused SIP administrators trouble last November. This malware, a distributed SIP cracker, is new in many respects: there are known SIP crackers (tools or proofs of concept), but no known in-the-wild malware, let alone one that implements SIP cracking in a distributed fashion.

Bots connect to a command and control (C&C) server, which gives them orders as to what SIP-related operations should be performed. The diagram below summarizes the interactions between a bot, the C&C server, and a target machine (in the example, a SIP server):

The features implemented are as follows:

SIP user account discovery for a specified server

When instructed to do so, the bot will first try to register a random user account against a server chosen by the C&C. If the server is indeed a SIP server, the registration will most likely fail and the server will return a 404 (Not Found) response code. The bot will then try to register 10,000 user accounts (accounts “0” to “9999”). This command appears not to be fully implemented and is therefore not used.

A typical forged REGISTER request would look like the following:

REGISTER sip:<UserId>@<ServerAddress> SIP/2.0
Via: SIP/2.0/UDP <ServerAddress>:5060;branch=<RandomBranch>;rport
Content-Length: 0
From: <sip:<UserId>@<ServerAddress>>; tag=<RandomTag>
Accept: application/sdp
User-Agent: Asterisk PBX
To: <sip:<UserId>@<ServerAddress>>
Contact: sip:<UserId>@<ServerAddress>
CSeq: 1 REGISTER
Call-ID: <RandomId>
Max-Forwards: 70
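The following is an added example, not Symantec's code and not part of the malware: a small Python detector that parses REGISTER requests of the shape shown above and flags the two patterns the article describes. The first is one source attempting many distinct account names, including the dense numeric ranges ("0" to "9999") the bot uses; the second is the distributed case from November 2010, where no single source crosses a per-IP threshold but a server as a whole sees many account names from many sources. All traffic in the block is constructed inline (hosts, addresses and threshold values are assumptions, not values from the article).

```python
"""Added example: flag SIP REGISTER account-enumeration, single-source and distributed."""
import re
from collections import defaultdict

# Request line of a SIP request, e.g. "REGISTER sip:100@pbx.example.net SIP/2.0"
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+sip:(?P<user>[^@\s]+)@(?P<host>[^\s;>]+)\s+SIP/2\.0$")


def parse_sip_request(raw):
    """Return {method, user, host, headers} for a SIP request, or None if it is not one."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:                      # split on the first colon only ("Via: SIP/2.0/UDP ...")
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "user": m["user"], "host": m["host"], "headers": headers}


def looks_sequential(users):
    """True when every tried account is numeric and the values form a dense range (e.g. 0..9999)."""
    nums = sorted(int(u) for u in users if u.isdigit())
    if len(nums) < 2 or len(nums) != len(users):
        return False
    span = nums[-1] - nums[0] + 1
    return len(nums) / span >= 0.8


def detect_register_scans(events, per_source_threshold=5, distributed_threshold=20):
    """events: iterable of (src_ip, raw_sip_message). Returns the findings as a dict."""
    users_by_source = defaultdict(set)       # (src_ip, server) -> distinct accounts tried
    users_by_server = defaultdict(set)       # server -> distinct accounts tried from anywhere
    sources_by_server = defaultdict(set)     # server -> distinct source addresses
    for src_ip, raw in events:
        req = parse_sip_request(raw)
        if req is None or req["method"] != "REGISTER":
            continue
        users_by_source[(src_ip, req["host"])].add(req["user"])
        users_by_server[req["host"]].add(req["user"])
        sources_by_server[req["host"]].add(src_ip)
    findings = {"single_source_scanners": [], "distributed_targets": []}
    for (src_ip, host), users in users_by_source.items():
        if len(users) >= per_source_threshold:
            findings["single_source_scanners"].append((src_ip, host, len(users), looks_sequential(users)))
    # Distributed case: the per-source view stays quiet, the per-server view does not.
    for host, users in users_by_server.items():
        if len(users) >= distributed_threshold and len(sources_by_server[host]) > 1:
            findings["distributed_targets"].append((host, len(users), len(sources_by_server[host])))
    return findings


def make_register(user, host, call_id="constructed-call-id"):
    """Constructed fixture mirroring the REGISTER layout above; not captured traffic."""
    return (f"REGISTER sip:{user}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bKconstructed;rport\r\n"
            "Content-Length: 0\r\n"
            f"From: <sip:{user}@{host}>;tag=c0ffee\r\n"
            "User-Agent: Asterisk PBX\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Contact: sip:{user}@{host}\r\n"
            "CSeq: 1 REGISTER\r\n"
            f"Call-ID: {call_id}\r\n"
            "Max-Forwards: 70\r\n\r\n")


# Constructed sample traffic (all addresses are documentation ranges, not real hosts).
SERVER = "pbx.example.net"
SAMPLE_EVENTS = []
SAMPLE_EVENTS += [("203.0.113.5", make_register(str(i), SERVER)) for i in range(8)]          # one noisy scanner
SAMPLE_EVENTS += [(f"198.51.100.{i + 1}", make_register(str(1000 + i), SERVER)) for i in range(25)]  # 25 quiet bots
SAMPLE_EVENTS += [("192.0.2.10", make_register("alice", SERVER))] * 2                        # a legitimate phone
SAMPLE_EVENTS += [("192.0.2.10", "INVITE sip:bob@pbx.example.net SIP/2.0\r\nCSeq: 2 INVITE\r\n\r\n"),
                  ("192.0.2.11", "not a sip message at all")]


def analyze_sample():
    return detect_register_scans(SAMPLE_EVENTS)


if __name__ == "__main__":
    for kind, hits in analyze_sample().items():
        print(kind, hits)
```

The per-source rule alone would report only 203.0.113.5; the per-server aggregate is what surfaces the 25 bots that each tried a single account, which is the shape of the attack the article says went untraced in November 2010.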


NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"