A Distributed Cracker for VoIP

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.

Let’s rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lied in the source of the attack, as it seemed the traffic originated from many different IPs. No specific malware was traced back to these attacks, though.

Recently, malware propagated by Sality caught our attention. It certainly stayed under our radar for a few months, and is the one that caused SIP administrators troubles last November. This malware, a distributed SIP cracker, is new in many aspects (there are known SIP crackers – tools or PoC, but no known in-the-wild malware, let alone one that implements SIP cracking in a distributed fashion.)

Bots connect to a command and control (C&C) server, which gives them orders as to what SIP-related operations should be performed. The diagram below summarizes the interactions between a bot, the C&C server, and a target machine (in the example, a SIP server):


The features implemented are as follows:

SIP user account discovery for a specified server

When instructed to do so, the bot will first try to register a random user account against a targeted server, as instructed by the C&C. If the server is indeed a SIP server, the registration will likely fail and the server will return a 404 page not found error code. The bot will then try to register 10,000 user accounts (accounts “0” to “9999”). It seems this command is not fully implemented and therefore not used.

A typical forged REGISTER request would look like the following:

REGISTER sip:<UserId>@<ServerAddress> SIP/2.0
Via: SIP/2.0/UDP <ServerAddress>:5060;branch=<RandomBranch>;rport
Content-Length: 0
From: <sip:<UserId>@<ServerAddress>>; tag=<RandomTag>
Accept: application/sdp
User-Agent: Asterisk PBX
To: <sip:<UserId>@<ServerAddress>>
Contact: sip:<UserId>@<ServerAddress>
Call-ID: <RandomId>
Max-Forwards: 70

SIP user account password cracking

Registering against a SIP server may require authentication. When the bot receives this command, it also receives a list of user accounts to be cracked. The bot then asks for a list of passwords: the C&C server will return a few dozen passwords to try. For each user account, the bot then tries to register against the targeted SIP server. If the server requires authentication, it will attempt to do so using the passwords received earlier. If a server accepts the registration request, the bot will inform the C&C server it found a valid user account/password combination.

SIP and Web server discovery

For this order, the bot receives a base IP address that may or may not point to a SIP server. This base address as well as the 14 subsequent addresses will be probed to determine if they point to a SIP server or an HTTP server. The results will then be sent back to the C&C.

Asterisk front-end cracking

This last and more recent feature is the one currently being instructed to the bots. Using IP addresses likely collected during a “discovery phase”, the C&C sends the bot a target IP address and about 30 passwords, taken from common password list or dictionaries one can find on the Internet. The bot will then probe the target address and determine if it hosts a FreePBX Web server, a popular open-source suite to manage Asterik PBX servers. If so, the bot will try to connect to a FreePBX Web page (/ or /admin/ or /admin/config.php), eventually authenticating itself using a well-known login name (admin, maint, root, freepbx) the password list. The successful authentication attempts will be sent back to the C&C.

So far, it seems millions of target IPs are being distributed to the bots. They belong to DSL/cable providers, commercial services, universities, etc., and usually point to a Web server. At the current rate, it appears that the entire target address space the gang serves is covered in 5 to 6 hours. This varies based on the size of the Sality botnet of course (the bigger the botnet, the less time it will take to cover one full round of targeted IPs).

The motivation behind these attacks is likely monetary: stolen SIP accounts could be used to place calls to premium numbers registered by the attackers themselves. Cracked FreePBX accounts may yield more dangerous consequences, as these systems control PBX in charge of authenticating users and routing calls to the PSTN or other VoIP servers.

As of February 15th, the C&C server is hosted at an IP in the UK. We have contacted the ISP about this. The communication with bot clients is made over TCP port 2955, but this can change (and has recently changed). Interestingly, the protocol used by the bots shares many characteristics with the Sality peer-to-peer protocol itself, which leaves us little doubt as to which group has created this piece of malicious code.

Our latest definitions detect this SIP cracker as Hacktool.