Botnet maps the entire internet
Contributed by: Email on 10/09/2012 02:39 PM
In February 2011, the Sality botnet apparently went through the entire IPv4 address space in search of Voice-over-IP (VoIP) endpoints that could be corrupted. Researchers at the University of California, San Diego (UCSD) and the University of Naples in Italy monitored and evaluated the botnet's activity.
The scan took 12 days and was notable for its extremely cautious method, which usually wouldn't set off any alarms. The researchers registered the activity with the UCSD Network Telescope, also known as the "UCSD darknet". The University reserved an entire /8 IP block for the darknet, that is, all IP addresses of a network in which only the first byte defines the network address, as is the case with the 10.0.0.0 network. No network activity originates from the darknet's addresses, which means that any network traffic registered for this network must come from external sources. At the time, the UCSD Telescope registered a systematic scan of its entire address space; the researchers then correlated it with publicly accessible data on global network traffic and concluded that not just their own network but, it seemed, the entire internet was being scanned by the malware.
The type of scan and the fact that it came from several million IP addresses suggested that it must originate from one of the very large botnets. The regional dispersion ruled out candidates such as Conficker. Finally, the researchers located the code responsible for the scan in a module that had been loaded onto the Sality botnet by the botnet operator.
VoIP is an interesting target for the hackers behind Sality to have chosen. Alberto Dainotti, one of the researchers involved at UCSD, speculated to DarkReading that "they were probably trying to brute-force SIP servers to create accounts to be used for free calls, anonymous calls, VoIP fraud, etc." The researchers will present detailed results of their "Analysis of a /0 Stealth Scan from a Botnet" (PDF) at the Internet Measurement Conference 2012 in Boston next month.
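The detection idea behind the telescope, as an added example that is not from the article or the UCSD researchers: every packet reaching an unused /8 is unsolicited, so a whole-space scan shows up as coverage across many sources rather than as volume from any one of them. The /8 prefix, source addresses and per-bot probe counts are constructed for the demonstration; the SIP port assumption is 5060.

```python
"""Spotting a slow, distributed scan of a network telescope's /8 (constructed data)."""
from ipaddress import ip_address, ip_network

DARKNET = ip_network("10.0.0.0/8")   # stand-in for the telescope's /8 (assumption)
SIP_PORT = 5060                       # SIP signalling port, the VoIP target in the article


def make_records(n_sources=400, per_source=30):
    """Constructed flow records (src_ip, dst_ip, dst_port) for a distributed
    scan: each bot probes only a few /24s, and the bots' sets do not overlap."""
    records = []
    for i in range(n_sources):
        src = str(ip_address("198.51.100.0") + i)      # documentation range, constructed
        for k in range(per_source):
            dst = DARKNET[(i + k * n_sources) << 8 | 1]   # host .1 of /24 number i+k*n
            records.append((src, str(dst), SIP_PORT))
    # unrelated background noise from a single host on another port
    for k in range(50):
        records.append(("192.0.2.7", str(DARKNET[k << 8 | 2]), 445))
    return records


def scan_stats(records, port, space=DARKNET):
    """Per-port view a telescope operator would compute: distinct sources,
    share of the space's /24s that received a probe, and the busiest source."""
    sources, subnets = {}, set()
    for src, dst, dport in records:
        if dport != port or ip_address(dst) not in space:
            continue
        sources[src] = sources.get(src, 0) + 1
        subnets.add(int(ip_address(dst)) >> 8)      # /24 index of the destination
    total_24s = space.num_addresses >> 8            # 65536 for a /8
    return {"sources": len(sources),
            "coverage": len(subnets) / total_24s,
            "max_per_source": max(sources.values(), default=0)}


def classify(stats, min_sources=100, min_coverage=0.10, per_host_alarm=1000):
    """A per-host rate alarm sees nothing; a coverage rule over all sources does."""
    if stats["max_per_source"] >= per_host_alarm:
        return "noisy-scanner"
    if stats["sources"] >= min_sources and stats["coverage"] >= min_coverage:
        return "distributed-stealth-scan"
    return "background"


if __name__ == "__main__":
    recs = make_records()
    for port in (SIP_PORT, 445):
        print(port, classify(scan_stats(recs, port)), scan_stats(recs, port))
```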