Sounds Like Botnet

VoIP is one of the most widely used technologies among businesses and, increasingly, in households. It combines Internet technology with telephone technology and extends the possibilities of both. One of those possibilities is using it as botnet command-and-control infrastructure and as a data exfiltration vector.

The idea of a VoIP botnet is to operate inside closed networks with limited, or censored, Internet access by riding on everyday telecommunication and telephony services: voicemail, conference calls, the voice channel itself, and in-band signaling.

Moshi Moshi is a proof-of-concept VoIP botnet that lets the operator dial in from a payphone or a mobile phone, get shell access, and exfiltrate data from the bots.

This presentation discusses and demonstrates the use of VoIP technology to build Moshi Moshi, and explores some interesting properties of VoIP-based botnets.

It also covers mitigating factors and the measures VoIP providers should implement to prevent further VoIP abuse.

Slide 1: Sounds Like Botnet
Security Art | August 2011
Itzik Kotler, Chief Technology Officer
Iftach Ian Amit, VP Consulting
www.security-art.com

Slide 2: Intro to VoIP
• It's everywhere
  – Home (Vonage, Skype, TeamSpeak, Comcast, etc.)
  – Office (Cisco, Avaya, Lucent, Asterisk, etc.)
• Easy to deploy
  – Most are "plug and talk", with fancy web interfaces to configure features such as voicemail, forwarding, conference calls, etc.

Slide 3: Overview of SIP
• Request/response model
• Responsible for setup and teardown of voice/video calls
• Designed to allow "piercing" of firewalls, NAT, etc.
• Security? Meh: basic (digest) authentication that most PBXs don't require, and signaling that usually travels in the clear, so it is easily sniffed.

Slide 4: VoIP as a Getaway Car
• So… VoIP can traverse firewalls easily
• It can leave the corporate network over PSTN lines (no Internet needed)
• And it is rarely monitored ("can you hear me now?" isn't going to trip the DLP)
• EXFILTRATE!

Slide 5: What is a VoIP Botnet
• Take your good ol' botnet
• Disconnect all C&C channels
• Replace them with VoIP
• Profit?
• Fully mobilized (NAT piercing)
• Looks more legit (try picking THAT out of the traffic)
• Harder to peek into (can you spell "whazzzzup?" in RTP?)

Slide 6: Who Needs a VoIP Botnet
• Well, everyone…
• The botmaster is more mobile (literally)
• More anonymous C&C servers (conference call bridge numbers are plentiful)
• Can actually transfer fair amounts of data back and forth (remember the modem days?)
• It's starting to show up as an alternative method of covert communication. Sorry, spooks…

Slide 7: VoIP Botnet in Action
• Red team penetration testing engagements
• Botnets in no-Internet / closed networks
• Botnets running on VoIP phones

Slide 8: VoIP Botnet Architecture
• Telephony systems allow both unicast and multicast communication
• Unicast:
  – Bot calls bot master
  – Bot master calls bot (a registered extension on his PBX)
• Multicast:
  – Bot A calls the conference call
  – Bot B calls the conference call
  – Bot master joins the conference call

Slide 9: VoIP Botnet Architecture
• Conference call as "IRC channel"
  [Diagram: several bots and the bot master all dialed in to a single conference call]

Slide 10: The Call
• Calling can be made via TCP/IP or the PSTN
  [Diagram: a bot or the bot master reaches the conference call either over a PSTN/VoIP trunk or over TCP/IP (SIP, H.323, …)]

Slide 11: Moshi Moshi
• Open-source VoIP bot written in Python
  – Uses SIP as the VoIP protocol
  – Uses text-to-speech engines for output
  – Uses DTMF tones for input
• Download your copy at:
  – http://code.google.com/p/moshimoshi/

Slide 12: Press 1 to Continue in l33t Speak
• DTMF (dual-tone multi-frequency signaling) is used for signaling over telephone lines in the voice-frequency band, between telephone handsets or other devices and the switching centers. Each key is a pair of tones, one from a low-frequency group and one from a high-frequency group.
• DTMF tones are standardized and can be sent and received from any phone.

Slide 13: Asterisk as C&C and DTMF
• Asterisk is free software that turns a computer into a communication server
• We're using the AsteriskNOW 1.7.1 Linux distribution
• MeetMe is a conference bridge application for Asterisk and supports passing DTMF through the conference
• To pass DTMF through the conference, add the 'F' option to MEETME_OPTS in extensions.conf

Slide 14: DTMF Pass-through / Relaying
• The conference call relays DTMF to the other calls
  [Diagram: the bot master presses 1#; the conference call relays it, and Bot A, Bot B and Bot C each hear 1#]

Slide 15: DTMF Tones as C&C
• The (made-up) rules
  – '*' is end of line (EOL)
  – '#' is a delimiter (i.e. a space)
• Examples
  – '0#*' invokes command 0 without arguments
  – '1#123#*' invokes command 1 with one argument, '123'
  – '2#1#2#*' invokes command 2 with arguments '1' and '2'
• It's your rules: go wild…
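As an added illustration of these rules (example code written for this page, not Moshi Moshi's own parser), the following Python class buffers DTMF digits as a tone decoder reports them, possibly one at a time across several RTP packets, and emits a command at each '*'. The command table is a hypothetical one for the example; the real bot's command numbering is not given on the slides.

```python
# Parser for the slide's DTMF command syntax ('#' separates fields, '*' ends a
# command). Added example, not code from Moshi Moshi; the command table below
# is hypothetical.

DTMF_DIGITS = set("0123456789*#ABCD")   # A-D exist in the DTMF spec, not on phone keypads


class DtmfCommandParser:
    """Buffers DTMF digits as a tone decoder reports them (possibly one at a
    time, across several RTP packets) and emits a command at each '*'."""

    def __init__(self):
        self._buf = []

    def feed(self, digits):
        """Return the list of (command_number, args) completed by this input.
        Characters outside the DTMF alphabet are ignored; a frame with no
        numeric command (e.g. a stray '*') is dropped."""
        done = []
        for d in digits:
            if d not in DTMF_DIGITS:
                continue
            if d != "*":
                self._buf.append(d)
                continue
            parsed = self._finish()
            if parsed is not None:
                done.append(parsed)
        return done

    def _finish(self):
        line = "".join(self._buf)
        self._buf = []
        fields = line.split("#")
        # '1#123#' splits to ['1', '123', '']: the '' after the final '#'
        # is just the delimiter before EOL and is dropped.
        if fields and fields[-1] == "":
            fields.pop()
        if not fields or not fields[0].isdigit():
            return None
        return int(fields[0]), fields[1:]


# Hypothetical command table for the example; the real bot's numbering is
# not given on the slides.
COMMANDS = {
    0: lambda: "pong",                                            # liveness check
    1: lambda number: "call back %s" % number,                    # dial a new C&C number
    2: lambda lo, hi: "poll every %d-%d min" % (int(lo), int(hi)),  # randomised check-in interval
}


def dispatch(parsed, commands=COMMANDS):
    """Run one parsed command. Arity and conversion errors are reported, not
    raised, so a mistyped sequence from the handset cannot crash the bot."""
    number, args = parsed
    handler = commands.get(number)
    if handler is None:
        return "unknown command %d" % number
    try:
        return handler(*args)
    except (TypeError, ValueError):
        return "bad argument count for command %d" % number


if __name__ == "__main__":
    parser = DtmfCommandParser()
    for cmd in parser.feed("0#*1#5551234#*2#5#15#*9#*1#*"):
        print(dispatch(cmd))
```

Two details matter on a telephone channel: digits arrive one at a time, so the parser keeps state between calls to `feed`, and a stray or mistyped sequence from the handset must not take the bot down, which is why malformed frames are dropped and handler errors are turned into a reply instead of an exception.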
Slide 16: Ring, Ring!

Slide 17: Text-to-Speech as Data Leakage
• It's only natural, since we don't have visuals in a phone conversation, to use voice
• Passwords, documents, settings and acknowledgements can all be read back
• Some systems (Mac, Windows) include built-in text-to-speech engines; others require installation
• External utilities can be used to convert other formats (e.g. Microsoft Word) into plain text files

Slide 18: Talk to me… Woo hoo!

Slide 19: The Getaway: Modulation
• Take any arbitrary binary data
• Devise a way to transform bytes into sounds
  – PoC: every ½ byte (nibble) maps to one of 16 distinct tones within the human audible range (~200 Hz to ~2000 Hz). Note that the low end sits below the ~300 Hz floor of the PSTN voice band, so the lowest tones may be attenuated on some trunks.
• Record each ½-byte tone
  – The PoC uses ½-second tones (for legibility in a conference), i.e. one byte per second
• Music to my ears…

Slide 20: Demo: Binary Data Modulation -> Data Exfiltration
• Transform data to sound
• Dial, leave a message…
• Transform the recorded message back into data
• Profit?
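The following added example (not the talk's PoC code) implements the modulation scheme from slide 19 and the DTMF detection that slides 12 to 15 rely on, with one shared Goertzel routine doing the tone detection for both. The 16 tone frequencies (evenly spaced from 200 to 2000 Hz), the 8 kHz sample rate and the noise model are assumptions made for the example; it is pure Python with no third-party dependencies.

```python
# Nibble-per-tone audio modem plus a DTMF detector, sharing one Goertzel
# routine. Added example, not the talk's PoC code; the 16 tone frequencies
# (evenly spaced 200..2000 Hz) and the 8 kHz rate are assumptions.
import math
import random

SAMPLE_RATE = 8000                               # telephony rate (assumption)
TONE_HZ = [200 + 120 * k for k in range(16)]     # nibble value -> tone, 200..2000 Hz

# Standard DTMF keypad: a low-group row tone plus a high-group column tone.
DTMF_LOW = (697, 770, 852, 941)
DTMF_HIGH = (1209, 1336, 1477, 1633)
DTMF_KEYS = ("123A", "456B", "789C", "*0#D")


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Energy of one frequency in `samples` (Goertzel algorithm). Cheaper than
    a full FFT when only a handful of frequencies matter, which is exactly the
    tone-detection case; only relative magnitudes are compared below."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _tone(freqs, n, rate=SAMPLE_RATE):
    """n PCM samples of the summed sines, scaled to stay inside [-1, 1]."""
    scale = 1.0 / len(freqs)
    return [scale * sum(math.sin(2.0 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def modulate(data, symbol_secs=0.5, rate=SAMPLE_RATE):
    """bytes -> PCM samples: each byte becomes two tones, high nibble first.
    The 0.5 s default is the slide's value."""
    n = int(symbol_secs * rate)
    out = []
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            out.extend(_tone([TONE_HZ[nibble]], n, rate))
    return out


def demodulate(samples, symbol_secs=0.5, rate=SAMPLE_RATE):
    """PCM samples -> bytes: per symbol window, pick the strongest of the 16
    tones. A trailing odd nibble (a recording cut off mid-byte) is dropped."""
    n = int(symbol_secs * rate)
    nibbles = []
    for start in range(0, len(samples) - n + 1, n):
        window = samples[start:start + n]
        powers = [goertzel_power(window, f, rate) for f in TONE_HZ]
        nibbles.append(max(range(16), key=powers.__getitem__))
    if len(nibbles) % 2:
        nibbles.pop()
    return bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles), 2))


def dtmf_tone(key, secs=0.1, rate=SAMPLE_RATE):
    """PCM samples for one DTMF keypress."""
    row = next(r for r, keys in enumerate(DTMF_KEYS) if key in keys)
    col = DTMF_KEYS[row].index(key)
    return _tone([DTMF_LOW[row], DTMF_HIGH[col]], int(secs * rate), rate)


def detect_dtmf(samples, rate=SAMPLE_RATE):
    """Key encoded by a DTMF burst: strongest row tone x strongest column tone."""
    row = max(range(4), key=lambda r: goertzel_power(samples, DTMF_LOW[r], rate))
    col = max(range(4), key=lambda c: goertzel_power(samples, DTMF_HIGH[c], rate))
    return DTMF_KEYS[row][col]


def add_noise(samples, amplitude, seed=1):
    """Constructed channel impairment (uniform white noise) to show that the
    per-window energy comparison still picks the right tone."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in samples]


if __name__ == "__main__":
    secret = b"db_pass=hunter2\n"
    audio = modulate(secret, symbol_secs=0.05)          # short symbols for speed
    print(demodulate(add_noise(audio, 1.0), symbol_secs=0.05))
    print("".join(detect_dtmf(dtmf_tone(k)) for k in "1#123#*"))
```

With the slide's ½-second tones, throughput is one byte per second, so a 1 KB file takes about 17 minutes of call time; slow, but also why the traffic is hard to tell from a long voicemail. On a real PSTN path the audio passes through a codec (commonly G.711 at 8 kHz) and whatever bandpass filtering the trunk applies, so tone choice and symbol length should be validated against the actual trunk rather than taken from this clean simulation.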
Slide 21: ET Phone Home!

Slide 22: VoIP as VPN
• Alternative unmonitored Internet access
  – No DLP
  – No firewalls
  – No IDS/IPS/DPI
• Allows using already-existing C&C protocols
  – IRC
  – HTTP
• The bot master can easily explore his botnet
  – nmap -sS 10.0.0.0/8

Slide 23: TCP/IP over VoIP
• Bring modems back into the game
• Use V.42/HDLC/PPP protocols
  – Works with hardware modems
  – Works with software modems
  – Works within the voice frequency band
  – Works under poor connectivity conditions
  – Two-way communication channel
• Protocol stack, top to bottom: TCP over IP, framed by V.42/HDLC/PPP over modem audio, which is carried as RTP media (signaled with SIP) over UDP over IP

Slide 24: Did You Hear That?
• VoIP botnets are as good as, and in some cases better than, IRC, P2P and HTTP botnets
• VoIP botnet strengths:
  – Can be operated from a payphone or a mobile
  – Can be accessed from both the PSTN and the Internet
  – Are not blocked by your typical IDS/IPS signatures

Slide 25: Countermeasures
• Separate VoIP from the corporate network
  – Yes, COMPLETELY!
• Monitor VoIP activity
  – It's your data, the same as web and email…
• Consider whitelisting conference call numbers
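The "monitor VoIP activity" and "whitelist conference call numbers" points can be turned into a concrete check over the PBX's call detail records. The script below is an added example and not part of the talk; its CDR lines are constructed for the example and use a subset of Asterisk's CDR columns (src, dst, start, billsec, disposition), and the whitelist, business hours and thresholds are assumptions to be tuned per site.

```python
# Hunting bot-style call patterns in PBX call detail records: the "monitor
# VoIP activity, whitelist conference numbers" countermeasure in practice.
# Added example, not from the talk. The CDR lines are constructed, using a
# subset of Asterisk's CDR columns; whitelist, hours and thresholds are
# assumptions to tune per site.
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

APPROVED_EXTERNAL = {"18005551000"}   # e.g. the company's own conference bridge (constructed)
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 local (assumption)
LONG_CALL_SECS = 30 * 60              # a "meeting" that never ends
MIN_BEACON_CALLS = 3
BEACON_JITTER = 1.25                  # max/min gap ratio still considered periodic

# Constructed sample. Extension 1007 keeps calling one outside number every
# 30 minutes in the middle of the night; 1001 uses the approved bridge; 1003
# calls a customer at irregular times; 1005's late call was never answered.
SAMPLE_CDR = """\
src,dst,start,billsec,disposition
1001,1002,2011-08-03 09:12:44,95,ANSWERED
1001,18005551000,2011-08-03 10:00:03,2710,ANSWERED
1007,17185550199,2011-08-03 02:15:10,1920,ANSWERED
1007,17185550199,2011-08-03 02:45:12,40,ANSWERED
1007,17185550199,2011-08-03 03:15:09,38,ANSWERED
1007,17185550199,2011-08-03 03:45:11,41,ANSWERED
1003,12125550123,2011-08-03 14:30:00,300,ANSWERED
1003,12125550123,2011-08-03 16:05:20,120,ANSWERED
1003,12125550123,2011-08-03 16:20:00,60,ANSWERED
1005,12125550123,2011-08-03 23:10:00,0,NO ANSWER
"""


def is_external(number):
    """4-digit numbers are internal extensions on this PBX (assumption)."""
    return len(number) > 4


def analyze(cdr_text):
    """Return {rule: {(src, dst), ...}} over answered calls to external numbers."""
    findings = defaultdict(set)
    starts_by_pair = defaultdict(list)
    for row in csv.DictReader(StringIO(cdr_text)):
        if row["disposition"] != "ANSWERED" or not is_external(row["dst"]):
            continue
        pair = (row["src"], row["dst"])
        if pair[1] in APPROVED_EXTERNAL:
            continue          # whitelisted bridge: long calls there are normal
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        starts_by_pair[pair].append(start)
        if int(row["billsec"]) >= LONG_CALL_SECS:
            findings["long_call"].add(pair)
        if start.hour not in BUSINESS_HOURS:
            findings["off_hours"].add(pair)
    # Beaconing: the same extension reaching the same outside number at a
    # regular interval, the telephone equivalent of a C&C poll.
    for pair, starts in starts_by_pair.items():
        if len(starts) < MIN_BEACON_CALLS:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if min(gaps) > 0 and max(gaps) / min(gaps) <= BEACON_JITTER:
            findings["beacon"].add(pair)
    return dict(findings)


if __name__ == "__main__":
    for rule, pairs in sorted(analyze(SAMPLE_CDR).items()):
        for src, dst in sorted(pairs):
            print("%-10s %s -> %s" % (rule, src, dst))
```

CDRs only record who called whom, when and for how long, so this catches the call-pattern side (periodic call-backs, long calls to unknown bridges, off-hours activity). It cannot see modulated data or text-to-speech inside an otherwise normal-looking call; that requires looking at the media itself.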
Slide 26: The Future Sound of Botnets
• Hearing is believing
  – Speech-to-text as input
• Going mobile
  – Text-to-SMS as output
  – SMS-to-voice calls as input
• Meeting new appliances
  – T.38 (fax) as output (e.g. "screenshots")
• Meeting old appliances
  – Modem (PPP) as input/output (e.g. "internal VPN")

Slide 27: Questions?
Itzik Kotler (itzik.kotler@security-art.com)
Iftach Ian Amit (iamit@security-art.com)

Slide 28: Thanks!
Itzik Kotler (Twitter: @itzikkotler)
Iftach Ian Amit (Twitter: @iiamit)