[VOIPSEC] VoIP Botnet Dirty Analysis & Speculation
Boaz
boaz at humbuglabs.org
Tue Mar 15 17:45:34 CDT 2011
J. Oquendo wrote:
> Apologies for the cross-posting to lists (VoIPSA + VoiceOPS) but I
> thought readers would find the information interesting. While not that
> big of a deal, figured I'd ramble on a bit and make some noise on-list
> to keep everyone awake/on_yer_toes via way of security/compromises. So
> one of my Asterisk machines (public facing of course) gets owned
> yesterday. It's alright with me, it's configured with the phorensix
> honeypot so I'm not concerned it was owned, but a few peculiarities hit me:
>
> 1) I had no account named asterisk on the machine
> 2) Seven unique addresses dialing the same number - all addresses are
> hosting providers: (cleaned up CDR for clarity)
>
> asterisk 00442070661000 default asterisk <asterisk> 50.28.8.166 Playback your-account 2011-03-14 23:57:12 2011-03-14 23:57:13 2011-03-14 23:57:13 1,0 ANSWERED DOCUMENTATION
> asterisk 00442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 00:34:29 2011-03-15 00:34:30 2011-03-15 00:34:30 1,0 ANSWERED DOCUMENTATION
> asterisk 011442070661000 default asterisk <asterisk> 69.57.170.30 Playback your-account 2011-03-15 01:51:24 2011-03-15 01:51:25 2011-03-15 01:51:25 1,0 ANSWERED DOCUMENTATION
> asterisk 900442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 02:30:24 2011-03-15 02:30:25 2011-03-15 02:30:25 1,0 ANSWERED DOCUMENTATION
> asterisk 9442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 03:47:51 2011-03-15 03:47:52 2011-03-15 03:47:52 1,0 ANSWERED DOCUMENTATION
> asterisk 000011442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 05:09:12 2011-03-15 05:09:13 2011-03-15 05:09:13 1,0 ANSWERED DOCUMENTATION
> asterisk 0011442070661000 default asterisk <asterisk> 69.16.243.1 Playback your-account 2011-03-15 05:50:45 2011-03-15 05:50:46 2011-03-15 05:50:46 1,0 ANSWERED DOCUMENTATION
> asterisk 8011442070661000 default asterisk <asterisk> 67.225.225.68 Playback your-account 2011-03-15 06:33:56 2011-03-15 06:33:57 2011-03-15 06:33:57 1,0 ANSWERED DOCUMENTATION
> asterisk 0442070661000 default asterisk <asterisk> 205.234.252.143 Playback your-account 2011-03-15 07:17:32 2011-03-15 07:17:33 2011-03-15 07:17:33 1,0 ANSWERED DOCUMENTATION
>
> 3) I'm betting this is not automated:
>
> First call, fail, second call is made 37 minutes later, fail. Third call
> comes in 1:17 after the second (fail) with the next call 39 minutes and
> so on. I thought of the possibility of automation (if, then, else) but
> the timing between calls makes little sense. Wish I had a data
> munching/crunching application similar to Maltego with telecom
> capabilities to make sense of some of the endpoints (numbers dialed).
> I'm willing to bet a cup of coffee that this is one individual (group)
> with likely some form of botnet or (pseudo) complex controlling
> mechanism that initially needs intervention and once set, would spit out
> thousands of calls.
>
> I'm curious to know how many others are seeing "asterisk" in
> active/passive attacks. I've had clients with ATAs complain "someone is
> calling me @ 4am with a weird caller ID (asterisk)." Anyone care to shed
> some light on this potential attack vector (asterisk)? Things to keep in
> mind on this: I have NO USER named asterisk on that box (not even in my
> honeypot application) but *somehow*, someone placed a call with that
> username. Remote exploit maybe, compromised ATA, who knows. Anyhow,
> they've all become entries for the blacklist for those using the list
> (vabl). Just wanted to get the info out as I'm leaning towards
> someone/somegroup with some form of meshed/interlinked C&C of sorts
> aimed at Asterisk deployments.
>
I ran these IPs and I have an exact match on many of them -- I highly
recommend blacklisting them all.
I caught this in January on a box I have sitting around, though in my
case it seems to be more of an automated script trying to push tens of
calls per second. Most of the calls ended with a duration of 13 seconds
(I guess enough for the script to realize it's not getting anywhere).
Jan 4th - 110 calls
Jan 20th - 80 calls
screenshot: http://bit.ly/ibIYUh
If this attacker reached both of us in a period of ~2 months I think it's
safe to assume they had quite a few successful attacks along the way.
Stay safe...
Boaz
--
Humbug Telecom Labs, Ltd.
www.humbuglabs.org
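An added example, written for this page and not code from either poster, that applies the reasoning in the quoted post to its own sanitized CDR records: it peels the assorted dial prefixes so every variant collapses to one destination, counts the distinct source addresses, and computes the inter-call gaps the post times by hand. The prefix list, the country-code table and the three-source threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# The sanitized CDR records quoted in the thread, one record per line (data taken from the post).
CDR_LINES = """\
asterisk 00442070661000 default asterisk <asterisk> 50.28.8.166 Playback your-account 2011-03-14 23:57:12 2011-03-14 23:57:13 2011-03-14 23:57:13 1,0 ANSWERED DOCUMENTATION
asterisk 00442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 00:34:29 2011-03-15 00:34:30 2011-03-15 00:34:30 1,0 ANSWERED DOCUMENTATION
asterisk 011442070661000 default asterisk <asterisk> 69.57.170.30 Playback your-account 2011-03-15 01:51:24 2011-03-15 01:51:25 2011-03-15 01:51:25 1,0 ANSWERED DOCUMENTATION
asterisk 900442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 02:30:24 2011-03-15 02:30:25 2011-03-15 02:30:25 1,0 ANSWERED DOCUMENTATION
asterisk 9442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 03:47:51 2011-03-15 03:47:52 2011-03-15 03:47:52 1,0 ANSWERED DOCUMENTATION
asterisk 000011442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 05:09:12 2011-03-15 05:09:13 2011-03-15 05:09:13 1,0 ANSWERED DOCUMENTATION
asterisk 0011442070661000 default asterisk <asterisk> 69.16.243.1 Playback your-account 2011-03-15 05:50:45 2011-03-15 05:50:46 2011-03-15 05:50:46 1,0 ANSWERED DOCUMENTATION
asterisk 8011442070661000 default asterisk <asterisk> 67.225.225.68 Playback your-account 2011-03-15 06:33:56 2011-03-15 06:33:57 2011-03-15 06:33:57 1,0 ANSWERED DOCUMENTATION
asterisk 0442070661000 default asterisk <asterisk> 205.234.252.143 Playback your-account 2011-03-15 07:17:32 2011-03-15 07:17:33 2011-03-15 07:17:33 1,0 ANSWERED DOCUMENTATION
"""
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
CDR_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) "
                    + f"{TS} {TS} {TS} " + r"(\d+),(\d+) (\S+) (\S+)$")
# Assumed prefix list, tried longest-first (0011/011/00 international access, 9 and 8 PBX
# trunk digits, 0 national trunk) and an assumed country-code table at which stripping stops.
PREFIXES = ("0011", "011", "00", "9", "8", "0")
COUNTRY_CODES = ("44", "49", "33", "1")

def normalize(dialed):
    # Peel access prefixes until the remainder starts with a known country code.
    digits = dialed
    while not digits.startswith(COUNTRY_CODES):
        nxt = next((digits[len(p):] for p in PREFIXES if digits.startswith(p)), None)
        if nxt is None:
            return dialed  # unrecognised shape: keep the raw dial string as its own key
        digits = nxt
    return digits

def analyze(lines):
    # Group calls by normalized destination, then summarise sources and inter-call gaps.
    calls = defaultdict(list)
    for line in lines.strip().splitlines():
        m = CDR_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed record
        calls[normalize(m.group(2))].append((datetime.strptime(m.group(8), "%Y-%m-%d %H:%M:%S"), m.group(5), m.group(2)))
    report = {}
    for dest, recs in calls.items():
        recs.sort()  # chronological by start time
        sources = {ip for _, ip, _ in recs}
        report[dest] = {"calls": len(recs), "sources": sorted(sources),
                        "variants": sorted({raw for _, _, raw in recs}),
                        "gaps_sec": [int((b[0] - a[0]).total_seconds()) for a, b in zip(recs, recs[1:])],
                        "distributed": len(sources) >= 3}  # threshold assumed
    return report
```

Run over the posted records it yields a single destination, 442070661000, reached from seven distinct hosting-provider addresses with gaps of 37 minutes, 1:17, 39 minutes and so on, which is the pattern the post describes.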