Post Wed May 08, 2013 8:51 am

SIP Vicious

Hi All,
It's been a while since I last posted here, but I've come across an issue that only a community like this can help me with.
The issue is regarding a tool called SIP Vicious. I deliberated whether to put this in the Tools section or the Malware section. Don feel welcome to move the thread if you feel it's in the wrong place.

SIP Vicious is a valid open source SIP auditing tool which has been exploited extensively for malicious intent. I'm not going to go into exactly what the tool can do (you can search for that on your own).

The issue I have is identifying the mailicious traffic and separating it from valid SIP traffic. Until now the only way that I've found to do this is by looking at the user agent. So far I have identified 2 different user agents used by this tool in the field;
1. User-Agent: friendly-scanner
2. User-Agent: sundayddr

My question is - has anyone here ever come across this tool using a different user agent? If yes what was the user agent used? Do you have any references to this on the internet and/or sniffer captures showing this?

I know that as the source code is open anyone can actually download the tool and change the user agent at will if they go into the code before using it, but so far we have only found the 2 user agents mentioned above.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.