Researchers at NSS Labs claim that they’ve spotted attacks that use Sipvicious, a common auditing tool for Voice over IP (VoIP) networks as part of malicious attacks aimed at taking control of vulnerable VoIP servers. The attacks are apparently aimed at taking control of VoIP servers to place unauthorized calls. 

A description of the attacks, posted on the NSS blog on Wednesday, says that researchers at NSS have witnessed the Sipvicious tool installed by a Trojan downloader program on systems, most of which had first been compromised in drive by Web site attacks. The attacks use a known Trojan, jqs.exe, and connect to command and control servers to receive instructions on downloading instructions as well as the sipvicious tool from a .cc domain. After installation, Sipvicious is run and scan for SIP devices on the compromised computer’s network and then to launch brute force attacks to guess the administrative password on those systems. 

SIP – or Session Initiation Protocol – is an IETF approved protocol that’s used for managing communication sessions including voice- and video-over-IP, instant messaging, file transfer and video conferencing. Though its name suggests otherwise, the Sipvicious program is a mainstream auditing too for VoIP systems. The tool is intended to aid administrators in evaluating the security of their SIP-based servers and devices.  

Rick Moy, the founder of NSS Labs, said the latest attacks seem designed to create a base from which attackers can make VoIP calls from the victim’s phone or VoIP infrastructure. Those calls might be used to rack up charges on premium rate numbers controlled by the attackers, or as part of voice phishing (vishing) scams that target unwitting consumers. 
Moy said the attack shows that even “good tools” can be used for malicious purposes. 
Attacks on VoIP infrastructure are becoming more common and are often traced back to underlying vulnerabilities in VoIP infrastructure. To date, there have been some arrests. In December, authorities in Romania disrupted a criminal group that was accused of hacking VoIP servers and using them to place bogus calls to premium numbers

Categories: Vulnerabilities, Web Security