[VOIPSEC] Virus/Worms/Trojan attack against VoIP
Ari Takanen
voipsa at codenomicon.com
Wed May 10 22:54:54 CDT 2006
Hello all,

As the majority of viruses and worms in VoIP today would exploit
implementation flaws such as buffer overflows, virus attacks against
residential gateways and IP-Phones are definitely possible. It is not
necessary to use "a well known operating system", although that could
help the virus to spread. If you are using Linux on your VoIP-phone
running on an x86 platform, any Linux virus variant should do it. If you
are using a commercial embedded OS, the worm has to be uniquely targeted
to that operating system. PROTOS research, and Codenomicon testing
tools definitely can show that there have been and still are tens of
these flaws in any VoIP implementation, and in the majority of platforms
used today. But these flaws are easily found using robustness testing,
but unfortunately not everyone tests for implementation flaws.

But for the majority of today's viruses and worms, we have two basic
requirements:

1) Spreading requires heterogeneous environment: Enough implementations
out there for viruses to spread. So a VoIP device running on a commonly
used OS would be equally vulnerable to viruses as any other standard
PC running the same OS. But in VoIP, the devices are able to find each
other easily. A VoIP virus would use the contacts list to only attack
VoIP users, so we could focus on measuring the market penetration
only. This enables VoIP specific viruses.

2) Operation requires heterogeneous platform: E.g. a standard
Linux/Windows worm would with 99% certainty only run on x86
platforms. "Shellcode" is almost always processor dependent. I have
seen academic research on generic shellcode for any platform and
processor architecture, but this is not common today. I would expect
the underground to study the same topics...

Until now, PCs have been the only attractive widely spread
heterogeneous environment for viruses and worms. Mobile devices and
VoIP are definitely following. Fortunately, the majority of these widely
used devices are typically already tested using our testing tools. ;)

Best regards,
/Ari

On Wed, May 10, 2006 at 04:31:35PM -0500, Gupta, Sachin wrote:
> Hi,
>
> Is anybody aware of the possibility of virus attack on a Residential
> Gateway / IP Phone, running on a well known Operating system, with Voice
> capabilities?
> This kind of attack can even remove or change the digital certificates.
> Soft phones may not fall in this category as they run on PCs which may
> have antivirus installed.
>
> Is this a theoretical attack or has anything like this happened before?
>
>
> Sachin
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-