Analysis of a “/0” stealth scan from a botnet
(Publication)
| Field | Value |
|---|---|
| Botnet | Sality |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / November 2012 |
| Editor/Conference | |
| Link | http://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf (Archive copy) |
| Author | Alberto Dainotti, Alistair King, Kimberly Claffy, Ferdinando Papale, Antonio Pescapé |
| Type | |
Abstract
“Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February of last year. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, and its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet’s scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.”
Bibtex
```bibtex
@misc{2012BFR1176,
  editor       = {},
  author       = {Alberto Dainotti and Alistair King and Kimberly Claffy and Ferdinando Papale and Antonio Pescapé},
  title        = {Analysis of a “/0” stealth scan from a botnet},
  date         = {01},
  month        = Nov,
  year         = {2012},
  howpublished = {\url{http://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf}},
}
```