Analysis of a “/0” stealth scan from a botnet

From Botnets.fr


Botnet: Sality
Date: November 2012
Link: http://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
Author: Alberto Dainotti, Alistair King, Kimberly Claffy, Ferdinando Papale, Antonio Pescapé

Abstract

Botnets are the most common vehicle of cyber-criminal activity.

They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, and probing networks for enumeration or penetration. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, and its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
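The property that makes this scan "stealthy" is that no single source looks like a scanner: each bot probes only a handful of addresses, and only the aggregate covers the whole space. The following is an added illustration of how a darknet operator might separate that pattern from a single loud scanner and from background noise; it is not code from Dainotti et al. and does not reproduce the paper's methodology. It assumes collector records of the form (timestamp, src_ip, dst_ip, proto, dst_port), uses 10.0.0.0/8 as a constructed stand-in for the telescope's /8 (not the real UCSD prefix), treats UDP/5060 (the well-known SIP port) as the service of interest, and generates its own deterministic sample traffic; the thresholds are illustrative, not values from the paper.

```python
"""
Flagging a coordinated low-rate horizontal scan in darknet records.

Added illustration, not code from the paper. Assumptions:
  - records are (timestamp, src_ip, dst_ip, proto, dst_port) tuples
  - the darknet is 10.0.0.0/8 (constructed stand-in for the /8 telescope)
  - the scanned service is UDP/5060 (SIP)
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from random import Random

DARKNET = ip_network("10.0.0.0/8")   # constructed stand-in for the /8 telescope
SIP_PORT = 5060


def coverage_stats(records, prefix_len=16, proto="udp", port=SIP_PORT):
    """Per-source set of darknet targets, plus the fraction of the
    darknet's /prefix_len blocks that received at least one probe."""
    per_src = defaultdict(set)
    blocks_hit = set()
    for _ts, src, dst, pr, dport in records:
        if pr != proto or dport != port:
            continue                      # only the service being scanned
        d = ip_address(dst)
        if d not in DARKNET:
            continue                      # not a darknet address
        per_src[src].add(dst)
        blocks_hit.add(int(d) >> (32 - prefix_len))
    total_blocks = 2 ** (prefix_len - DARKNET.prefixlen)
    return per_src, len(blocks_hit) / total_blocks


def classify(records, min_sources=1000, max_targets_per_src=16, min_coverage=0.9):
    """Distinguish a coordinated stealth scan (many sources, each touching
    few targets, jointly covering the space) from a single loud scanner
    and from background noise. Thresholds are illustrative."""
    per_src, cov = coverage_stats(records)
    if not per_src:
        return "no-sip-traffic"
    quiet = sum(1 for t in per_src.values() if len(t) <= max_targets_per_src)
    if len(per_src) >= min_sources and quiet / len(per_src) >= 0.95 and cov >= min_coverage:
        return "coordinated-stealth-scan"
    if cov >= min_coverage and any(len(t) > 1000 for t in per_src.values()):
        return "single-source-scan"
    return "background"


# --- constructed sample traffic (deterministic, not real captures) ---------
def _rand_dst(rng):
    return str(ip_address(int(DARKNET.network_address) + rng.randrange(DARKNET.num_addresses)))


def make_records(n_sources, probes_per_source, seed):
    rng = Random(seed)
    base = int(ip_address("100.64.0.0"))          # constructed source address range
    recs = []
    for i in range(n_sources):
        src = str(ip_address(base + i))
        for _ in range(probes_per_source):
            recs.append((len(recs), src, _rand_dst(rng), "udp", SIP_PORT))
    return recs


STEALTH = make_records(3000, 8, seed=1)       # many quiet sources, full coverage
LOUD = make_records(1, 5000, seed=2)          # one source sweeping the /8
BACKGROUND = make_records(50, 2, seed=3)      # sparse noise, low coverage

if __name__ == "__main__":
    for name, recs in (("stealth", STEALTH), ("loud", LOUD), ("background", BACKGROUND)):
        _, cov = coverage_stats(recs)
        print(f"{name:10s} sources={len({r[1] for r in recs}):5d} "
              f"coverage={cov:.2f} -> {classify(recs)}")
```

A per-source rate threshold alone would never fire on the STEALTH set, since every source stays under the per-source limit; it is the combination of many quiet sources with near-complete block coverage that exposes the coordinated sweep. On a real telescope the block size, coverage threshold and time window must be tuned to the darknet's size and to the normal level of SIP backscatter and misconfiguration traffic.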

Bibtex

 @misc{Dainotti2012BFR1176,
   author = {Alberto Dainotti and Alistair King and Kimberly Claffy and Ferdinando Papale and Antonio Pescapé},
   title = {Analysis of a ``/0'' stealth scan from a botnet},
   month = nov,
   year = {2012},
   howpublished = {\url{http://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf}},
 }