Feb 18, 2011 08:40 GMT

Security researchers from Symantec have identified a piece of malware designed to brute force the password of VoIP accounts in a distributed manner.

The trojan, which Symantec describes as a SIP cracker, after the Session Initiation Protocol (SIP) used by VoIP systems, is being installed on computers by Sality.

Sality is a family of file infectors with botnet capability that spread by appending their malicious code to executable files, sometimes corrupting them in the process.

The Sality botnet is commonly used as a malware distribution platform in a pay-per-install style operation where other cybercriminals pay to have their creations spread.

The SIP cracker has been distributed by Sality for months now, with few people noticing, and it is noteworthy because it is the first such malware to be found in the wild.

"This malware, a distributed SIP cracker, is new in many aspects (there are known SIP crackers – tools or PoC, but no known in-the-wild malware, let alone one that implements SIP cracking in a distributed fashion)," says Symantec security expert Nicolas Falliere.

Each SIP cracker contacts its command and control (C&C) server and asks for an IP range to probe. It then performs some checks on the IP addresses in that range to determine whether any correspond to a SIP server.

When a server is identified, the bot tries to register an account on it using a list of usernames and passwords received from the C&C. If any of the attempts is successful, it reports back with the information.

The bots are also capable of brute forcing admin accounts for FreePBX, a Web-based front-end for managing Asterisk PBX systems.
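On the receiving end, the registration attempts described above show up as bursts of failed REGISTERs from one source against many usernames. The following is an added example, not code from the article or from Symantec, that flags that pattern in PBX logs; the log format (modelled on Asterisk `chan_sip` notices), the sample lines and the thresholds are assumptions, and the second function goes beyond the article by correlating one account across several sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is modelled on Asterisk chan_sip
# failed-registration notices (an assumption, adapt LINE_RE to your PBX).
_L = "[2011-02-18 {}] NOTICE[2101] chan_sip.c: Registration from '\"{}\" <sip:{}@198.51.100.10>' failed for '{}' - Wrong password"
SAMPLE_LOG = "\n".join(_L.format(t, u, u, s) for t, u, s in [
    ("08:00:01", "100", "203.0.113.5"),       # one source walking a username list
    ("08:00:02", "101", "203.0.113.5"),
    ("08:00:03", "admin", "203.0.113.5"),
    ("08:14:40", "200", "192.0.2.44"),        # isolated failure, e.g. a mistyped password
    ("11:30:12", "admin", "203.0.113.77"),    # same account, different sources later on
    ("16:02:55", "admin", "198.51.100.200"),
])

LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^']*<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<src>[\d.]+)(?::\d+)?' - .+$"
)

def parse(log_text):
    # Return (timestamp, source_ip, username) for every failed registration.
    hits = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["user"]) for m in hits if m]

def find_list_guessers(events, window=timedelta(minutes=5), min_users=3):
    # Sources that failed for >= min_users distinct usernames inside one window.
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged

def find_multi_source_targets(events, min_sources=3):
    # Accounts failing from many distinct sources; a per-IP limit alone misses these.
    by_user = defaultdict(set)
    for _, src, user in events:
        by_user[user].add(src)
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_sources}
```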

"So far, it seems millions of target IPs are being distributed to the bots. They belong to DSL/cable providers, commercial services, universities, etc., and usually point to a Web server. At the current rate, it appears that the entire target address space the gang serves is covered in 5 to 6 hours," Falliere explains.

The stolen accounts are likely used for VoIP fraud. One example of this is using them to call premium rate numbers registered by the attackers. Another is to route international calls through them and sell the minutes.