[VoiceOps] VoIP Botnet Dirty Analysis & Speculation

J. Oquendo sil at infiltrated.net
Tue Mar 15 09:19:36 EDT 2011


Apologies for the cross-posting to lists (VoIPSA + VoiceOPS) but I
thought readers would find the information interesting. While not that
big of a deal, figured I'd ramble on a bit and make some noise on-list
to keep everyone awake/on_yer_toes via way of security/compromises. So
one of my Asterisk machines (public facing of course) gets owned
yesterday. It's alright with me; it's configured with the phorensix
honeypot so I'm not concerned it was owned, but a few peculiarities hit me:

1) I had no account named asterisk on the machine
2) Seven unique addresses dialing the same number - all addresses are
hosting providers: (cleaned up CDR for clarity)

asterisk 00442070661000 default asterisk <asterisk> 50.28.8.166 Playback your-account 2011-03-14 23:57:12 2011-03-14 23:57:13 2011-03-14 23:57:13 1,0 ANSWERED DOCUMENTATION
asterisk 00442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 00:34:29 2011-03-15 00:34:30 2011-03-15 00:34:30 1,0 ANSWERED DOCUMENTATION
asterisk 011442070661000 default asterisk <asterisk> 69.57.170.30 Playback your-account 2011-03-15 01:51:24 2011-03-15 01:51:25 2011-03-15 01:51:25 1,0 ANSWERED DOCUMENTATION
asterisk 900442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 02:30:24 2011-03-15 02:30:25 2011-03-15 02:30:25 1,0 ANSWERED DOCUMENTATION
asterisk 9442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 03:47:51 2011-03-15 03:47:52 2011-03-15 03:47:52 1,0 ANSWERED DOCUMENTATION
asterisk 000011442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 05:09:12 2011-03-15 05:09:13 2011-03-15 05:09:13 1,0 ANSWERED DOCUMENTATION
asterisk 0011442070661000 default asterisk <asterisk> 69.16.243.1 Playback your-account 2011-03-15 05:50:45 2011-03-15 05:50:46 2011-03-15 05:50:46 1,0 ANSWERED DOCUMENTATION
asterisk 8011442070661000 default asterisk <asterisk> 67.225.225.68 Playback your-account 2011-03-15 06:33:56 2011-03-15 06:33:57 2011-03-15 06:33:57 1,0 ANSWERED DOCUMENTATION
asterisk 0442070661000 default asterisk <asterisk> 205.234.252.143 Playback your-account 2011-03-15 07:17:32 2011-03-15 07:17:33 2011-03-15 07:17:33 1,0 ANSWERED DOCUMENTATION

3) I'm betting this is not automated:

First call, fail, second call is made 37 minutes later, fail. Third call
comes in 1:17 after the second (fail) with the next call 39 minutes and
so on. I thought of the possibility of automation (if, then, else) but
the timing between calls makes little sense. Wish I had a data
munching/crunching application similar to Maltego with telecom
capabilities to make sense of some of the endpoints (numbers dialed).
I'm willing to bet a cup of coffee that this is one individual (group)
with likely some form of botnet or (pseudo) complex controlling
mechanism that initially needs intervention and once set, would spit out
thousands of calls.

I'm curious to know how many others are seeing "asterisk" in
active/passive attacks. I've had clients with ATAs complain "someone is
calling me @ 4am with a weird caller ID (asterisk)." Anyone care to shed
some light on this potential attack vector (asterisk)? Things to keep in
mind on this: I have NO USER named asterisk on that box (not even in my
honeypot application) but *somehow*, someone placed a call with that
username. Remote exploit maybe, compromised ATA, who knows. Anyhow,
they've all become entries for the blacklist for those using the list
(vabl). Just wanted to get the info out as I'm leaning towards
someone/somegroup with some form of meshed/interlinked C&C of sorts
aimed at Asterisk deployments.


50.28.8.166 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 50.28.0.0/17 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
216.14.117.32 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 46433 | 216.14.117.0/24 | ADF01 | US | EBOUNDHOST.COM | EBOUNDHOST.COM | 011442070661000
69.57.170.30 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 25653 | 69.57.160.0/19 | FORTRESSITX | US | EMLBASE.ORG | CIRTEX-CORP | 011442070661000
174.132.230.26 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 21844 | 174.132.0.0/15 | THEPLANET-AS | US | THEPLANET.COM | THEPLANET.COM INTERNET SERVICES INC | 011442070661000
174.132.230.26 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 21844 | 174.132.0.0/15 | THEPLANET-AS | US | THEPLANET.COM | THEPLANET.COM INTERNET SERVICES INC | 011442070661000
216.14.117.32 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 46433 | 216.14.117.0/24 | ADF01 | US | EBOUNDHOST.COM | EBOUNDHOST.COM | 011442070661000
69.16.243.1 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 69.16.224.0/19 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
67.225.225.68 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 32244 | 67.225.192.0/18 | LIQUID-WEB-INC | US | LIQUIDWEB.COM | LIQUID WEB INC | 011442070661000
205.234.252.143 | ADN | VABL | 201100314 | 83fdfc21afed8786fcf4c09fd06672f7 | 40913 | 205.234.0.0/16 | QTS-SJC-1 | US | HOSTFORWEB.COM | HOSTFORWEB INC | 011442070661000

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
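An added analysis example, not part of Oquendo's post and not his tooling: a Python script that parses the nine cleaned-up CDR records quoted above, collapses the dialed-number variants (00..., 011..., 9..., 8011...) onto one destination, and reports the distinct source peers and the inter-call gaps the post reasons about. The field layout assumed for the cleaned CDR (src, dst, dcontext, clid, peer IP, lastapp, lastdata, start, answer, end, duration,billsec, disposition, amaflags) and the prefix-stripping rule in `canonical_destination` are assumptions made here, not something the post states; the `regular_interval` and `distributed_dialing` checks are the kind of detection a defender would run over a CDR feed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# The nine cleaned-up CDR records from the post, re-joined onto one line each.
CDR_LINES = """\
asterisk 00442070661000 default asterisk <asterisk> 50.28.8.166 Playback your-account 2011-03-14 23:57:12 2011-03-14 23:57:13 2011-03-14 23:57:13 1,0 ANSWERED DOCUMENTATION
asterisk 00442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 00:34:29 2011-03-15 00:34:30 2011-03-15 00:34:30 1,0 ANSWERED DOCUMENTATION
asterisk 011442070661000 default asterisk <asterisk> 69.57.170.30 Playback your-account 2011-03-15 01:51:24 2011-03-15 01:51:25 2011-03-15 01:51:25 1,0 ANSWERED DOCUMENTATION
asterisk 900442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 02:30:24 2011-03-15 02:30:25 2011-03-15 02:30:25 1,0 ANSWERED DOCUMENTATION
asterisk 9442070661000 default asterisk <asterisk> 174.132.230.26 Playback your-account 2011-03-15 03:47:51 2011-03-15 03:47:52 2011-03-15 03:47:52 1,0 ANSWERED DOCUMENTATION
asterisk 000011442070661000 default asterisk <asterisk> 216.14.117.32 Playback your-account 2011-03-15 05:09:12 2011-03-15 05:09:13 2011-03-15 05:09:13 1,0 ANSWERED DOCUMENTATION
asterisk 0011442070661000 default asterisk <asterisk> 69.16.243.1 Playback your-account 2011-03-15 05:50:45 2011-03-15 05:50:46 2011-03-15 05:50:46 1,0 ANSWERED DOCUMENTATION
asterisk 8011442070661000 default asterisk <asterisk> 67.225.225.68 Playback your-account 2011-03-15 06:33:56 2011-03-15 06:33:57 2011-03-15 06:33:57 1,0 ANSWERED DOCUMENTATION
asterisk 0442070661000 default asterisk <asterisk> 205.234.252.143 Playback your-account 2011-03-15 07:17:32 2011-03-15 07:17:33 2011-03-15 07:17:33 1,0 ANSWERED DOCUMENTATION
"""

# Assumed layout of the cleaned CDR (the clid field "asterisk <asterisk>" contains a space,
# so the peer IP is used as the anchor rather than splitting on whitespace).
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
CDR_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\d+)\s+(?P<dcontext>\S+)\s+(?P<clid>.+?)\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lastapp>\S+)\s+(?P<lastdata>\S+)\s+"
    rf"(?P<start>{TS})\s+(?P<answer>{TS})\s+(?P<end>{TS})\s+"
    r"(?P<duration>\d+),(?P<billsec>\d+)\s+(?P<disposition>\S+)\s+(?P<amaflags>\S+)$"
)


def parse_cdr(text):
    """Parse cleaned CDR lines into dicts; timestamps become datetime objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CDR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable CDR line: {line!r}")
        rec = m.groupdict()
        for key in ("start", "answer", "end"):
            rec[key] = datetime.strptime(rec[key], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def canonical_destination(dialed):
    """Heuristic (assumption, not from the post): drop a trunk-access digit (8/9),
    leading zeros and an '11' international access code, so that the 00/011/9/8011
    variants of one number collapse onto the same key."""
    return re.sub(r"^[89]?0*(?:11)?", "", dialed)


def analyse(records):
    """Group calls by canonical destination; report sources, dialed variants and gaps."""
    by_dest = defaultdict(list)
    for rec in records:
        by_dest[canonical_destination(rec["dst"])].append(rec)
    summary = {}
    for dest, calls in by_dest.items():
        calls.sort(key=lambda r: r["start"])
        gaps = [int((b["start"] - a["start"]).total_seconds())
                for a, b in zip(calls, calls[1:])]
        summary[dest] = {
            "calls": len(calls),
            "sources": sorted({r["peer"] for r in calls}),
            "dialed_variants": sorted({r["dst"] for r in calls}),
            "gaps_seconds": gaps,
        }
    return summary


def regular_interval(gaps, tolerance=0.10):
    """True when every gap lies within `tolerance` of the median gap, the signature
    of a naive fixed-sleep dialer; wide spread (as in the post) returns False."""
    if len(gaps) < 2:
        return False
    mid = median(gaps)
    return all(abs(g - mid) <= tolerance * mid for g in gaps)


def distributed_dialing(summary, min_sources=3):
    """Destinations reached from at least `min_sources` distinct peers: one number
    probed from many unrelated hosting IPs is the pattern worth alerting on."""
    return sorted(d for d, s in summary.items() if len(s["sources"]) >= min_sources)


if __name__ == "__main__":
    summary = analyse(parse_cdr(CDR_LINES))
    for dest, s in summary.items():
        print(dest, s["calls"], "calls from", len(s["sources"]), "peers")
        print("  dialed as:", ", ".join(s["dialed_variants"]))
        print("  gaps (s):", s["gaps_seconds"], "regular:", regular_interval(s["gaps_seconds"]))
    print("distributed dialing flagged for:", distributed_dialing(summary))
```

Run stand-alone it prints one destination, 442070661000, hit nine times from seven peers with gaps of 2237, 4615, 2340, 4647, 4881, 2493, 2591 and 2616 seconds; the first gap is the "37 minutes" in the post, and the spread is why `regular_interval` reports False. The prefix rule is deliberately loose so it groups variants; in a production feed it should be replaced by the dial plan's actual trunk and international prefixes.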
