Monthly Archives: August 2009

Skype Trojan Records Your Calls

Apparently there’s a new piece of malware floating around that targets audio processors like Skype:

The Trojan has the ability to record audio from the computer — including any Skype calls in progress — and store the files locally in an encrypted MP3 file, where they can later be transmitted to the attacker.

The Trojan, which Symantec calls Trojan.Peskyspy, can be downloaded to a computer by tricking the user with an email scam or other social engineering tactic, Symantec says. Once a machine has been compromised, the threat can exploit an application that handles audio processing within a computer and save the call data as an MP3 file.

Something Old, Something New: Nmap’s VoIP Fingerprinting

Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has a clue when it comes to Nmap, as evidenced in the Matrix, Bourne, and Die Hard films, with Nmap showing up on someone’s computer screen!

One of my favorite Nmap features is the OS Identification and Application Fingerprinting capabilities. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS, etc.).

As of 21 July, 2009, the Nmap OS database has the following VoIP device Fingerprints:

    Fingerprint Alcatel 4035 VoIP phone
    Fingerprint Sirio by Alice VoIP phone
    Fingerprint AudioCodes Mediant 1000 VoIP gateway
    Fingerprint Audiocodes MP-114 or MP-118 VoIP gateway
    Fingerprint Avaya G350 Media Gateway (VoIP gateway)
    Fingerprint Avaya Office IP403 VoIP gateway
    Fingerprint Avaya Office IP500 VoIP gateway
    Fingerprint Aastra 480i GT or 9133i IP phone
    Fingerprint Inter-tel 8662 VoIP phone
    Fingerprint Comtrend CT-800 VoIP gateway
    Fingerprint D-Link DVG-4022S VoIP gateway
    Fingerprint Grandstream HandyTone HT-488 analog VoIP adapter
    Fingerprint Grandstream BudgeTone 100 VoIP phone
    Fingerprint Grandstream BudgeTone 100 VoIP phone
    Fingerprint Grandstream GXP2000 VoIP phone
    Fingerprint Grandstream GXP2020 VoIP phone
    Fingerprint Thomson ST 2020 or 2030 VoIP phone
    Fingerprint Interbell IB-305 VoIP phone
    Fingerprint Linksys PAP2T VoIP router
    Fingerprint Linksys SPA901 or SPA921 SIP VoIP phone
    Fingerprint Linksys SPA942, SPA962, or SPA9000 VoIP phone; SPA3102 VoIP gateway; or Sipura SPA-2100 or SPA-2101 VoIP adapter
    Fingerprint Mitel 3300 CXi VoIP PBX
    Fingerprint Netcomm V300 VoIP gateway
    Fingerprint Neuf Box Trio3D DSL modem/router/VoIP/TV
    Fingerprint Nortel CS1000M VoIP PBX or Xerox Phaser 8560DT printer
    Fingerprint Patton SmartNode 4960 VoIP gateway (SmartWare 4.2)
    Fingerprint Perfectone IP-301 VoIP phone
    Fingerprint Planet VIP-154T VoIP phone (MicroC/OS-II)
    Fingerprint Polycom SoundPoint IP 301 VoIP phone
    Fingerprint Polycom SoundPoint IP 301 VoIP phone
    Fingerprint Polycom SoundPoint IP 430 VoIP phone
    Fingerprint PORTech GSM VoIP gateway
    Fingerprint PORTech MV-374 GSM-SIP VoIP gateway
    Fingerprint Samsung OfficeServ 7200 VoIP gateway
    Fingerprint ShoreTel ShoreGear-T1 VoIP switch
    Fingerprint Siemens HiPath optiPoint 400 VoIP phone
    Fingerprint Sipura SPA-1001 or SPA-3000 VoIP adapter
    Fingerprint Sipura SPA-3000 VoIP adapter
    Fingerprint Thomson Symbio VoIP phone
    Fingerprint Vegastream Vega 400 VoIP Gateway

Also, it’s well worth taking a look at the VoIP devices identified in the Nmap Service Probes database: a service match that identifies a VoIP device does not necessarily mean that the device also has an OS fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS Fingerprint database, so look carefully!
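To make that comparison concrete, here is an added example (not from the original post or from the Nmap project) that lists VoIP products known to the service-probes file but absent from the OS database, which is useful when deciding how much to trust a scan-based device inventory. The two embedded excerpts are constructed samples in the `nmap-os-db` and `nmap-service-probes` line formats, "ExamplePhone" and "ExampleCam" are hypothetical products, and the name match is a simple substring heuristic.

```python
import re

# Constructed excerpts in the two database formats (not real database contents).
OS_DB_SAMPLE = """\
Fingerprint Grandstream GXP2000 VoIP phone
Class Grandstream | embedded || VoIP phone
Fingerprint Aastra 480i GT or 9133i IP phone
Class Aastra | embedded || VoIP phone
Fingerprint Example Corp laser printer
Class Example | embedded || printer
"""
PROBES_SAMPLE = r"""match sip m|^SIP/2\.0 200 OK\r\n.*Server: Grandstream GXP2000 ([\d.]+)|s p/Grandstream GXP2000/ v/$1/ d/VoIP phone/
match sip m|^SIP/2\.0 404 Not Found\r\n.*User-Agent: ExamplePhone|s p/ExamplePhone 100/ d/VoIP phone/
match http m|^HTTP/1\.0 200 OK\r\nServer: ExampleCam| p/ExampleCam webcam/ d/webcam/
"""

def voip_os_fingerprints(text):
    """Names of OS fingerprints whose name or Class device type mentions VoIP."""
    names, current = [], None
    for line in text.splitlines():
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            if "voip" in current.lower():
                names.append(current)
                current = None  # already recorded, ignore its Class lines
        elif line.startswith("Class ") and current:
            # The device type is the last '|'-separated field of a Class line.
            if "voip" in line.rsplit("|", 1)[-1].lower():
                names.append(current)
                current = None
    return names

def voip_service_products(text):
    """Product names (p/.../) of match lines whose device type (d/.../) is VoIP."""
    products = set()
    for line in text.splitlines():
        if not line.startswith(("match ", "softmatch ")):
            continue
        rest = line.split(" ", 2)[2]             # m<delim>pattern<delim>flags info
        info = rest[rest.index(rest[1], 2) + 1:]  # text after the closing delimiter
        fields = dict(re.findall(r"(?:^|\s)([pvd])/([^/]*)/", info))
        if "voip" in fields.get("d", "").lower() and "p" in fields:
            products.add(fields["p"])
    return products

def probes_without_os_fingerprint(os_text, probes_text):
    """VoIP products in the probes file that no VoIP OS fingerprint name contains."""
    os_names = [n.lower() for n in voip_os_fingerprints(os_text)]
    return sorted(p for p in voip_service_products(probes_text)
                  if not any(p.lower() in n for n in os_names))
```

To run it against a local Nmap install, pass the contents of the two database files instead of the samples; version-info fields that use a delimiter other than `/` are not handled by this sketch.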

For even more coolness, be sure to check out the NSE.

Wrapping up, I’ve nothing less than mad props for Fyodor and all of the other folks who’ve contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when first cutting my teeth in security, and remarkably, is a tool that I continue to use almost daily.

First 911 Center to support SMS

Recently multiple news outlets reported on Waterloo, Iowa’s Black Hawk County 911 center’s new SMS capability.

While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers, I figure that SMS in this context is fair game for a VOIPSA Blog post.

Several security implications surrounding this new 911 SMS capability come to mind:

Time Delays in SMS transmissions – we’ve all experienced some delay, from marginal to extended, when it comes to sending and receiving SMS messages. What remains unclear from reports is if the carriers supporting 911 SMS in Black Hawk County give SMS to 911 communication priority network access, either initially and/or throughout the entire SMS dialog.

Lingo – SMS messages are limited to 160 characters. As a result, acronyms and texting lingo are pervasive. Reports say the 911 operators are brushing up on their texting lingo in preparation. I sure do hope they are using decent resources, such as TLLTMSIFW, so when HIOOC comes in IDGARA is the right response.

Flooding – sending mass amounts of SMS messages could adversely affect the call center’s operations. Using pre-paid phones, Bluetooth dongles and simple software, an attacker with marginal resources could initiate this kind of attack with ease. How will 911 call centers handling SMS handle floods of SMS messages? The nuisance factor here should not be underestimated; here’s some good anecdotal experience.

SMS Spoofing – with the advent of various spoofing services, we’ve seen the types of attacks that can leverage spoofing. SpoofCard has time and again been used to gain unauthorized access to voicemail, and this is still an issue with some carriers’ default user settings. We can expect to see the same issues with SMS spoofing.

SMS Swatting – will likely be a byproduct of spoofing SMS messages to 911 call centers. However, the use of SMS brings a new twist to Swatting, since the spoofed SMS message will be tied to a cellular phone, rather than a fixed landline number, perhaps leading to mobile Swatting as law enforcement will need to track the mobile phone (GPS, triangulation) to gain physical proximity to the SMS origin.

MMS – while no mention is made in the news reports about MMS support at 911 call centers, I think it’s reasonable to assume that ability to handle multimedia messages is in the works. The implications of moving from 160 characters of text to multimedia messaging with attached video/photos are dramatic. Further, this opens new attack vectors in terms of how these multimedia files are processed and accessed (think trojan Flash, PNG, etc.).

I’ve only scratched the surface here of course, but hopefully this provides some food for thought — as always, comments welcome 🙂