New VoIP trojan hitting companies using internet telephony services

According to NSS Labs, the trojan interfaces with SIPVicious – the popular bundle of tools designed for auditing SIP (Session Initiation Protocol) based VoIP systems – and allows crooks to generate unauthorised calls to premium rate numbers or to run vishing (voice phishing) scams.

Jayendra Pathak, a researcher with the firm, said that TrojansVOIP downloads and installs the SIPVicious suite, which is primarily used to audit SIP-based VoIP systems.

This is, he says in his latest security posting, a good example of how a toolset developed with good intentions is misused by malware authors.

“For starters, SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of five tools:

svmap - this is a scanner that lists SIP devices
svwar - identifies active extensions on a PBX
svcrack - an online password cracker for SIP PBX
svreport - manages sessions and exports reports
svcrash - attempts to stop unauthorised svwar/svcrack scans.”

The trojan, says Pathak, is delivered by a drive-by download that redirects the user to the Black Hole exploit kit.

An example of this, he adds, is hxxp://annbortakimcastollvivi.c0m.li/forum.php?tp=6324c408a06dda2b, with the URL being injected as an iframe into benign sites using obfuscated (hidden) JavaScript. Once a user navigates to one of these benign sites, the iframe is loaded into the browser and redirects the user.

The bad news, Infosecurity notes, is that Pathak reports that only one third of industry IT security products were detecting the trojan and exploit when his team first saw the sample in the wild. Six days later – a few days ago – just 50% are detecting it (according to VirusTotal).

The NSS Labs researcher says it is interesting that the author made use of other building blocks in the attack, including even downloading the Python language interpreter in order to perform the next step of the attack.

“The use of SIPVicious shows that even good tools can be used for malicious purposes”, he notes, adding that attackers can use this utility to make VOIP calls from the victim’s phone.
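The extension probing and online password guessing that the tool list above attributes to svwar and svcrack leave a recognisable pattern in the SIP requests a PBX receives. The following Python code is an added example, not code from NSS Labs or Infosecurity, that flags that pattern in captured requests. The thresholds, the host name pbx.example.test, the sample traffic, and the premise that all messages come from one short time window are assumptions, and "friendly-scanner" is the default User-Agent sent by SIPVicious.

```python
import re
from collections import defaultdict

ENUM_THRESHOLD = 5    # distinct extensions probed by one source (assumed value)
GUESS_THRESHOLD = 5   # credentialed REGISTERs against one extension (assumed value)
SCANNER_UA = "friendly-scanner"  # SIPVicious default; easily changed, so not relied on alone
REQ_RE = re.compile(r"(REGISTER|OPTIONS|INVITE) sip:")
TO_RE = re.compile(r"^To:.*?sip:([^@>\s]+)@", re.M | re.I)
UA_RE = re.compile(r"^User-Agent:\s*(.+)$", re.M | re.I)
AUTH_RE = re.compile(r"^Authorization:", re.M | re.I)

def analyze(messages):
    """messages: (source_ip, raw_sip_request) pairs from one time window.
    Returns {source_ip: set of findings} for sources that look like audit tooling."""
    exts, tries, findings = defaultdict(set), defaultdict(int), defaultdict(set)
    for src, raw in messages:
        raw = raw.replace("\r\n", "\n")
        req = REQ_RE.match(raw)
        if not req:
            continue  # not a SIP request we track
        ua = UA_RE.search(raw)
        if ua and SCANNER_UA in ua.group(1).lower():
            findings[src].add("scanner-user-agent")
        to = TO_RE.search(raw)
        if req.group(1) == "REGISTER" and to:
            exts[src].add(to.group(1))
            if AUTH_RE.search(raw):
                tries[(src, to.group(1))] += 1
    for src, seen in exts.items():
        if len(seen) >= ENUM_THRESHOLD:      # one source walking many extensions
            findings[src].add("extension-enumeration")
    for (src, ext), n in tries.items():
        if n >= GUESS_THRESHOLD:             # repeated credential attempts on one extension
            findings[src].add(f"password-guessing:{ext}")
    return dict(findings)

def sample_msg(method, ext, ua, auth=False):
    """Build a constructed SIP request for the demo (not captured traffic)."""
    auth_hdr = f'Authorization: Digest username="{ext}"\r\n' if auth else ""
    return (f"{method} sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{ext}@pbx.example.test>\r\n"
            f"User-Agent: {ua}\r\n{auth_hdr}\r\n")

SAMPLE = (  # constructed traffic: a scanner, a guesser, and one normal phone
    [("198.51.100.7", sample_msg("OPTIONS", "100", "friendly-scanner"))]
    + [("198.51.100.7", sample_msg("REGISTER", str(e), "friendly-scanner")) for e in range(100, 106)]
    + [("203.0.113.9", sample_msg("REGISTER", "201", "PhoneX 1.0", auth=True)) for _ in range(6)]
    + [("192.0.2.10", sample_msg("REGISTER", "300", "Deskphone 2.1", auth=True))])

if __name__ == "__main__":
    for ip, found in sorted(analyze(SAMPLE).items()):
        print(ip, sorted(found))
```

Because the trojan runs the toolset from infected workstations, the same check is worth applying to SIP traffic leaving internal hosts that have no reason to speak SIP.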
 
