In association with heise online

09 October 2012, 09:50

Botnet maps the entire internet


The graph shows that botnet activity dropped for three days in the middle of the scan
Source: Dainotti, King, Claffy, Papale, Pescapé
In February 2011, the Sality botnet apparently swept the entire IPv4 address space in search of Voice-over-IP (VoIP) endpoints that could be compromised. Researchers at the University of California, San Diego (UCSD) and the University of Naples in Italy recorded and analysed the botnet's activity.

The scan took 12 days and was notable for its extremely cautious pacing, which ordinarily would not set off any alarms. The researchers recorded the activity with the UCSD Network Telescope, also known as the "UCSD darknet". The university has an entire /8 block reserved for the darknet, that is, a network in which only the first byte is fixed and the remaining three bytes are free, or roughly 16.7 million addresses. No network activity originates from these addresses, so any traffic that arrives at them must come from external sources and is, by construction, unsolicited. The telescope registered a systematic scan of its entire address space; the researchers then correlated it with publicly accessible data on global network traffic and concluded that not just their own network but, it seemed, the entire internet was being scanned by the malware.

The researchers visualised the sources of the scan in a video.

The structure of the scan and the fact that it came from several million source IP addresses pointed to one of the very large botnets; the geographical distribution of the sources ruled out candidates such as Conficker. Finally, the researchers located the code responsible for the scan in a module that the botnet operator had pushed to Sality-infected hosts.
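The two paragraphs above describe the detection problem in a nutshell: each bot sends so few probes that no per-host threshold fires, yet a telescope watching a whole address block sees the aggregate sweep. The following is an added illustration, not code from the article or from the UCSD and Naples researchers, of that contrast run over constructed darknet traffic. Everything in it is an assumption for illustration: a /16 placeholder prefix stands in for the /8 telescope, the probe sample is synthesised, the UDP/5060 (SIP) target port is inferred from the VoIP motive, and the thresholds (100 probes per source, 1,000 distinct sources, 90 % of /24 blocks touched) are illustrative, not values from the paper.

```python
"""Added example (not from the article or the UCSD/Naples paper): why a slow,
widely distributed scan slips past per-source thresholds but stands out in a
network telescope's aggregate view.  All prefixes, thresholds and traffic
below are constructed for illustration."""
import ipaddress
import random
from collections import Counter

# The article describes a /8 telescope; a /16 placeholder keeps the sample small.
TELESCOPE = ipaddress.ip_network("10.0.0.0/16")   # assumption, not the real prefix
SIP_PORT = 5060                                   # SIP signalling port (assumed target)
PER_SOURCE_ALARM = 100      # assumed "one host is scanning me" threshold
MIN_SOURCES = 1000          # assumed bar for attributing a sweep to a botnet
MIN_COVERAGE = 0.9          # assumed fraction of /24 blocks that must be touched


def synth_botnet_probes(num_sources=2000, per_source=40, seed=1):
    """Constructed sample: thousands of bots, each sending a few UDP/5060 probes,
    together covering every telescope address exactly once.  Returns a list of
    (src, dst, dport) tuples, the shape a flow export would give you."""
    rng = random.Random(seed)
    targets = list(range(TELESCOPE.num_addresses))
    rng.shuffle(targets)
    base = int(ipaddress.ip_address("198.18.0.0"))  # benchmark range stands in for bot IPs
    probes, i = [], 0
    for s in range(num_sources):
        src = str(ipaddress.ip_address(base + s))
        for _ in range(per_source):
            if i == len(targets):
                return probes
            probes.append((src, str(TELESCOPE[targets[i]]), SIP_PORT))
            i += 1
    return probes


def synth_single_scanner(src="192.0.2.1", stride=256):
    """Constructed contrast: one noisy host probing one address in every /24."""
    return [(src, str(TELESCOPE[i]), SIP_PORT)
            for i in range(0, TELESCOPE.num_addresses, stride)]


def analyze(probes, port=SIP_PORT):
    """Compare the per-source view an IDS threshold uses with the telescope's
    aggregate view (how much of the monitored block was touched at all)."""
    sip = [(src, dst) for src, dst, dport in probes
           if dport == port and ipaddress.ip_address(dst) in TELESCOPE]
    per_source = Counter(src for src, _ in sip)
    max_per_source = max(per_source.values(), default=0)
    # /24 blocks inside the telescope that received at least one probe
    blocks_hit = {int(ipaddress.ip_address(dst)) >> 8 for _, dst in sip}
    coverage = len(blocks_hit) / (TELESCOPE.num_addresses >> 8)
    return {
        "sources": len(per_source),
        "max_per_source": max_per_source,
        "per_source_alarm": max_per_source >= PER_SOURCE_ALARM,
        "block_coverage": coverage,
        # quiet per host, many hosts, nearly everything touched: a coordinated sweep
        "coordinated_scan": (max_per_source < PER_SOURCE_ALARM
                             and len(per_source) >= MIN_SOURCES
                             and coverage >= MIN_COVERAGE),
    }


if __name__ == "__main__":
    for name, probes in (("botnet sweep", synth_botnet_probes()),
                         ("single scanner", synth_single_scanner())):
        print(name, analyze(probes))
```

The botnet sample never exceeds 40 probes from any one source, so a per-host threshold stays silent, while the coverage figure shows every /24 in the block was hit; the single scanner trips the per-host alarm immediately even though it touched the same blocks. The point a telescope operator cares about is that only the second metric is visible to someone who owns a large unused block; a single production network sees a handful of probes and has nothing to correlate.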

VoIP is an interesting target for the operators behind Sality to have chosen. Alberto Dainotti, one of the researchers involved at UCSD, speculated to DarkReading that "they were probably trying to brute-force SIP servers to create accounts to be used for free calls, anonymous calls, VoIP fraud, etc." The researchers will present detailed results in their paper "Analysis of a “/0” Stealth Scan from a Botnet" (PDF) at the Internet Measurement Conference 2012 in Boston next month.

