(VoIP scanning botnet hosted by United States Missoula Sharktech)

I found this recently and thought it was interesting enough to post.

It’s an HTTP-controlled botnet used to scan for VoIP servers.

Malware actions:
Tells the C&C server it has installed
Requests an IP segment to scan
Downloads and installs Python (needed for the scanner)
IP range to be scanned is confirmed
Unrar utility is downloaded
Scanner is downloaded
The malware extracts the scanning scripts and starts scanning the IP range.

Discovered VoIP servers are then reported back to the C&C server.
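One way to spot the install sequence above in network logs, added here as an example and not taken from the malware or the original post: flag a host that downloads a Python installer and an unrar utility close together and then contacts many distinct hosts on UDP 5060 (SIP). The event format, file names and thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post): time in seconds,
# source host, event type, then a downloaded file name or a destination IP.
EVENTS = [
    (0,   "10.0.0.5", "http", "python-2.7.3.msi"),
    (40,  "10.0.0.5", "http", "unrar.exe"),
    (55,  "10.0.0.5", "http", "scanner.rar"),
    *[(60 + i, "10.0.0.5", "udp5060", f"198.51.100.{i}") for i in range(1, 41)],
    (10,  "10.0.0.9", "http", "python-2.7.3.msi"),   # developer box: Python only
    (500, "10.0.0.7", "udp5060", "192.0.2.10"),      # softphone: one SIP peer
    (510, "10.0.0.7", "udp5060", "192.0.2.10"),
]

PYTHON_RE = re.compile(r"^python-[\d.]+.*\.(msi|exe)$", re.I)
UNRAR_RE = re.compile(r"unrar.*\.exe$", re.I)
STAGE_WINDOW = 600     # assumed: both downloads within 10 minutes
SCAN_WINDOW = 300      # assumed: fan-out measured over 5 minutes
MIN_SIP_TARGETS = 20   # assumed threshold for "scanning"; tune per network


def find_sip_scan_bots(events):
    """Return {host: distinct_sip_targets} for hosts that staged Python and
    unrar and then fanned out to many UDP/5060 destinations."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((ts, kind, detail))

    flagged = {}
    for host, evs in by_host.items():
        py = [ts for ts, k, d in evs if k == "http" and PYTHON_RE.search(d)]
        rar = [ts for ts, k, d in evs if k == "http" and UNRAR_RE.search(d)]
        # Staging: a Python download and an unrar download close in time.
        staged = [max(p, r) for p in py for r in rar
                  if abs(p - r) <= STAGE_WINDOW]
        if not staged:
            continue
        start = min(staged)
        # Fan-out: distinct SIP destinations contacted after staging completed.
        targets = {d for ts, k, d in evs
                   if k == "udp5060" and start <= ts <= start + SCAN_WINDOW}
        if len(targets) >= MIN_SIP_TARGETS:
            flagged[host] = len(targets)
    return flagged


if __name__ == "__main__":
    print(find_sip_scan_bots(EVENTS))
```

Requiring both the staging downloads and the SIP fan-out keeps a developer workstation that installs Python, or a softphone talking to one SIP peer, from being flagged.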

The scanner is an open-source Python script.

The malware is unencrypted, and some information can be recovered from the strings in it:
H:\Program Files (x86)\Microsoft Visual Studio\VB98\Sip Scanner\sip_scanner.vbp

Sample here

Hosting infos: 



Xander Lawson - December 6, 2012 at 3:44 am

This is why we're very particular about business VoIP phone security at the office. You can never be too sure these days, especially when it comes to vital or sensitive information.

Anonymous - December 1, 2013 at 12:19 am

Hi, I am the owner of this domain, and we are not running this malware on our server, not that we know of. Just to be sure, we have asked our technicians to install a firewall to prevent us from being DDoSed, because we noticed that the competition has done this to us. Please remove your bad comment; also, our server isn't hosted at the location you mentioned.
