What is SIP Vicious?

SIP Vicious is a Session Initiation Protocol (SIP) auditing tool that has been observed to be used in increasing reconnaissance attacks against VoIP phones and PBX systems.

This is a result of malicious intent. "Hackers" use this program to probe people's networks and compromise phones. They then attack the phones by ringing them and ultimately get the SIP login information from the phone. They can then use that specific SIP login information and make fraudulent calls on the victim's behalf.

SIPVicious is used as an auditing tool for scanning phone systems by performing INVITE scans silently. However, attackers could use this feature to perform INVITE scans with a call command to determine weak passwords to connect to a particular phone host on the PBX telephony network. Access to such hosts could allow attackers to make free (fraudulent) phone calls through a successful connection, usually internationally and rack up the victim's phone bill.


You can validate one of these attacks if the phone rings with a suspicious caller ID (100, 1000, "Sip Vicious", phantom calls from extensions not listed on the account, or even shown as an IP address) and then if you look in the Intermedia call log it will not show the call. That means the call didn't come through Intermedia servers, and the attackers have found a way into the victim's network.

The customer/victim may attempt to answer the calls, but find there is no one on the other line. This is considered a ghost call.  These calls can come randomly and sporadically, or you may find that they are non-stop and completely disruptive to the customer's phone system and business.

SIPVicious can only be stopped by configuring a router to block SIP signaling from all but a selection of specific IP address ranges. Routers which support access control lists (ACL) can do this. 

Intermedia is not responsible for fixing SIP port scanning attacks and can only make recommendations.  If a customer made an Access Control List (ACL) on their router/gateway that adhered to the IP addresses/ports in the Router/Gateway Requirements KB, allowed access to other necessary services, and implicitly blocked everything else, SIPVicious should not be an issue. 

NOTE:  It is highly recommended that if a customer is suspected of being a victim of SIPVicious, they need to get their ISP and/or IT personnel involved as the "attacker" may have already gained access to their internal network.

Since SIP Vicious attacks are used to gain entry into the VoIP system, if the customer/victim is on SIP Trunking, we recommend updating their trunk passwords once they have secured their network.  This is necessary as the attacker may have already gained this information and would no longer need to access the victim's network to do fraud calling.