VoIP could hide botnets

The Communications Research Network (CRN), composed of researchers from Cambridge and the Massachusetts Institute of Technology, says that VoIP networks could conceal botnets. Thousands of remotely-controlled computers - sometimes called bots or zombie computers - could be concealed and controlled through VoIP's distributed network. Botnets have previously been used to send spam or extort money from websites.

There have been several recent cases where hackers have demanded money from popular websites, in return for not unleashing a torrent of traffic against the site. While no botnet has been publicly discovered hiding in VoIP, researchers say that it is only a "matter of time" before an inventive hacker figures it out.

VoIP packets are transmitted and routed through the Internet as IP packets. These packets are often encrypted and sometimes use proprietary protocols, and Jon Crowcroft, CRN researcher and Cambridge Professor of Communication Systems, believes that VoIP applications could provide "excellent cover" for launching denial of service attacks with botnets.

Botnets are formed when hackers exploit vulnerabilities and take over a computer. The computer sits dormant, but sometimes logs into an Internet Relay Chat (IRC) chatroom to contact a master computer that is controlled by a hacker. One bot generally cannot do much, but thousands or millions of such computers could unleash a flood of traffic that can slow or even disconnect a website from the Internet. In the past, hackers have successfully extorted money from popular websites in return for not flooding the site with traffic.

Back in October, Dutch police broke up a hacker group who had remote control of more than 1.5 million computers. Using the "Toxbot" trojan to take control of the computers, the group had threatened a United States firm with a denial of service attack. Members were arrested after Dutch ISP XS4ALL notified the police about an unusually high amount of traffic traversing their networks. In another recent case, the Million Dollar homepage - a webpage that makes money by selling pixels on the page - was temporarily knocked off the Internet after the site owner balked at paying an extortion demand.

Perhaps directed at Skype, the VoIP application used by millions, Crowcroft suggests that proprietary VoIP vendors should open up their protocols. By publishing their routing specifications and switching over to public protocols, VoIP companies, according to Crowcroft, could let authorities better track the data. In addition, he thinks that ISPs could more efficiently route VoIP if their network engineers could examine how the packets route.

CRN Chairman, David Cleevely, thinks that a centralized VoIP vulnerability database page may help to warn users about such threats. Major anti-virus vendors, like Symantec and Sophos, have virus databases where people can submit and look up virus information. They also list trends and the most harmful viruses that are running around or "in the wild". Cleevely thinks that the same should be done for VoIP vulnerabilities and adds, "the more we share information between us, the more we stay ahead of the game."