Defcon: VoIP makes a good platform for controlling botnets

Botnets and their masters can communicate with each other by calling into the same VoIP conference call and swapping data using touch tones

LAS VEGAS -- Botnets and their masters can communicate with each other by calling into the same VoIP conference call and swapping data using touch tones, researchers demonstrated at Defcon.

This gives the botmasters -- whose top goals include remaining anonymous -- the ability to issue orders from random payphones and disposable wireless handsets, say researchers Itzik Kotler and Iftach Ian Amit of security and risk-assessment firm Security Art.

DEFCON: The lesson of Anonymous? Corporate security sucks

Using phones and the public phone networks eliminates one of the prime tools bot fighters have: taking down the domains of botnets' command and control servers, the researchers say. If the botmaster isn't using a command and control server, it can't be taken down.

In fact, the botmaster can communicate with the zombie machines that make up the botnet without using the Internet at all if the zombies are within a corporate network. So even if a victim company's VoIP network is segregated from the data network, there is still a connection to the outside world.

In addition to its stealth, the VoIP tactic employs technology that readily pierces corporate firewalls and uses only traffic that is difficult for data loss prevention software to peer into. The traffic is streamed audio, so data loss prevention scanners can't recognize patterns of data they are supposed to filter, the researchers say.

The downsides of VoIP as a command channel are that it severely limits the number of zombie machines that can be contacted at once, and the rate at which stolen data can be sent out of a corporate network is limited by the phone system. But Kotler and Amit say the connections are plenty big to send commands in.

During their demo at the conference, the pair had an Asterisk open source IP PBX stand in as the corporate PBX. A virtual machine representing a zombie computer on a corporate network called via TCP/IP through the PBX and into a corporate conference call. A BlackBerry, representing the botmaster dialed in over the public phone network to the same conference call.

The researchers then used Moshi Moshi open source software to communicate between the botmaster phone and the zombie machine. Moshi Moshi includes a translator that converts commands into DTMF touch tones as input, and converts stolen data from text to speech for output. The resulting voice traffic is phoned into a voice mailbox that the botmaster can pick up whenever it's convenient.

One tricky part is configuring the PBX to allow DTMF tones to pass through into the conference. Another is that the botmaster has to create a DTMF-based language that the bots are programmed to understand.

The researchers say their demonstration was merely a proof of concept, and that it could work much better with refinements. For instance, incorporating modem technology into the scheme could result in faster exfiltration rates than sending speech-generation voicemails.

To defend against this type of VoIP abuse, Kotler and Amit recommend separating VoIP from the corporate network altogether in order to prevent compromised computers from tapping into conference calls. They recommend monitoring VoIP activity to discover unauthorized use of conference calls, say, after business hours. And they say conference calls should be white-listed -- allowing access only from authorized IP addresses and phone numbers.

Read more about wide area network in Network World's Wide Area Network section.

Join the PC World newsletter!

Error: Please check your email address.

Tags unified communicationsDefcontelecommunicationsecurityNetworkingvoip

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?