Softpedia
 


February 18th, 2011, 08:40 GMT · By

Security Researchers Find VoIP Account Cracking Botnet



VoIP malware found in the wild
Security researchers from Symantec have identified a piece of malware designed to brute-force the passwords of VoIP accounts in a distributed manner.

The trojan, which Symantec describes as a SIP cracker, after the Session Initiation Protocol (SIP) used by VoIP systems, is being installed on computers by Sality.

Sality is a family of file infectors with botnet capability that spread by appending their malicious code to executable files, sometimes corrupting them in the process.

The Sality botnet is commonly used as a malware distribution platform in a pay-per-install style operation where other cybercriminals pay to have their creations spread.

The SIP cracker has been distributed by Sality for months now with few people noticing, and it is noteworthy because it's the first such malware to be found in the wild.

"This malware, a distributed SIP cracker, is new in many aspects (there are known SIP crackers – tools or PoC, but no known in-the-wild malware, let alone one that implements SIP cracking in a distributed fashion)," says Symantec security expert Nicolas Falliere.

The SIP cracker contacts its command and control server and asks for an IP range to probe. It then performs some checks on the IP addresses in that range to determine whether any of them correspond to a SIP server.

When a server is identified, the bot tries to register an account on it using a list of usernames and passwords received from the C&C. If any of the attempts is successful, it reports back with the information.
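Seen from the SIP server, the registration attempts described above appear as a burst of failed REGISTERs from one source across a list of usernames. The sliding-window detector below is an added example, not code from Symantec or the article; the log line shape (modelled on Asterisk's failed-registration notice) and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on Asterisk chan_sip's failed-registration notice.
FAILED = re.compile(
    r"^\[(?P<ts>[\d\- :]+)\] NOTICE.*Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<src>[\d.]+)(?::\d+)?' - "
)

def detect_register_bruteforce(lines, window=timedelta(seconds=60),
                               max_failures=5, max_users=3):
    """Return {source_ip: reason} for sources whose failed REGISTERs within
    `window` reach max_failures, or span max_users distinct usernames."""
    recent = defaultdict(deque)   # source IP -> deque of (timestamp, username)
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful registrations and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= max_users:          # walking a username list
            flagged.setdefault(m["src"], f"{len(users)} usernames tried in window")
        elif len(q) >= max_failures:         # hammering one account
            flagged.setdefault(m["src"], f"{len(q)} failed passwords in window")
    return flagged

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = [
    "[2011-02-18 08:40:01] NOTICE[2101] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[2011-02-18 08:40:02] NOTICE[2101] chan_sip.c: Registration from '<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[2011-02-18 08:40:03] NOTICE[2101] chan_sip.c: Registration from '<sip:admin@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[2011-02-18 08:41:00] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[2011-02-18 08:50:00] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
]

if __name__ == "__main__":
    for src, reason in detect_register_bruteforce(SAMPLE).items():
        print(src, reason)
```

The two failures from 203.0.113.5 fall ten minutes apart and are not flagged, which is the behaviour wanted for a user who mistypes a password.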

The bots are also capable of brute forcing admin accounts for FreePBX, a Web-based front-end for managing Asterisk PBX systems.

"So far, it seems millions of target IPs are being distributed to the bots. They belong to DSL/cable providers, commercial services, universities, etc., and usually point to a Web server. At the current rate, it appears that the entire target address space the gang serves is covered in 5 to 6 hours," Falliere explains.

The stolen accounts are likely used for VoIP fraud. One example of this is using them to call premium rate numbers registered by the attackers. Another is to route international calls through them and sell the minutes.
