Botnet May Have Mapped the Entire (IPv4) Internet (and more basic defense)

Some researchers have found a little-known botnet that appears to have scanned almost the entire Internet*… and pulled it off so quietly that nobody noticed at the time. The botnet used 3 million different IPs — making it one of the largest botnets ever — and scanned so gingerly that some IPs only probed a single address.

* the entire IPv4 address space, actually. There is also IPv6, but not many people use it.

More basic defense: Take responsibility for your own health and medical care, too — it’s incredibly important. You’re taking a risk anytime you break the skin on purpose. As much as pre-sterilized everything helps prevent infection, anyone who’s had prolonged contact with the medical profession will have terrifying stories of incompetence and worse. You don’t have to run out and get EMT training, but — now that I think about it — it does seem surprisingly common among security types.

http://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
http://paritynews.com/security/item/412-sality-botnet-may-have-mapped-entire-ipv4-address-space-without-raising-alarms

“A little known botnet – Sality, in a search for vulnerable VoIP (Voice over IP) servers has probably managed to map the entire IPv4 address space without raising alarms it has been claimed.

Researchers over at University of California and the University of Napoli in Italy have revealed through their research paper [PDF] that the Sality botnet, which was known to infect web servers; spread spam and steal data, has quite a few things under its hood. According to the research, the botnet also scans for vulnerable VoIP targets and that too using a technique called “reverse-byte order scanning.”

In Sality’s method of scanning the choice of IP addresses progresses in reverse-byte order increments. This particular method of scanning not only results in a low number of packets per day, out of all the IP addresses which the researchers monitored a million IPs actually dropped out of the scanning activity after transmitting only one probe.

The researchers monitored the activity of the botnet through the UCSD Network Telescope following which they claim that the botnet, over a period of 12 days, used some 3 million unique source IP addresses to carry out the scan. The team wrote in their paper that they “captured traffic reflecting a previously undocumented largescale stealth scanning behavior (across the entire IPv4 space, we believe)”.”
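A detection-side illustration of why this kind of sweep is hard to see per source but visible in aggregate. This is an added example, not code from this post, the quoted article or the paper. It assumes "reverse-byte order increments" means the destination address counts upward once its four octets are reversed; the probe records are constructed, and the function names and the 0.9 threshold are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed probes seen by a hypothetical darknet on 10.0.0.0/8:
# (seconds, source, destination). Not data from the paper.
PROBES = [
    (0,   "192.0.2.1",    "10.0.0.5"),
    (60,  "192.0.2.2",    "10.1.0.5"),
    (120, "198.51.100.3", "10.2.0.5"),
    (180, "198.51.100.4", "10.0.1.5"),
    (240, "203.0.113.5",  "10.1.1.5"),
    (300, "203.0.113.6",  "10.2.1.5"),
    (360, "192.0.2.1",    "10.0.2.5"),
    (420, "203.0.113.7",  "10.1.2.5"),
]

def reversed_key(ip):
    """Integer value of an IPv4 address with its four octets reversed."""
    return int.from_bytes(ipaddress.IPv4Address(ip).packed[::-1], "big")

def rising_fraction(values):
    """Share of consecutive pairs that strictly increase."""
    pairs = list(zip(values, values[1:]))
    return sum(a < b for a, b in pairs) / len(pairs) if pairs else 0.0

def analyze(probes, threshold=0.9):
    """Summarise per-source volume and destination ordering over time."""
    probes = sorted(probes)  # tuples sort by timestamp first
    dsts = [d for _, _, d in probes]
    per_source = Counter(s for _, s, _ in probes)
    forward = rising_fraction([int(ipaddress.IPv4Address(d)) for d in dsts])
    reverse = rising_fraction([reversed_key(d) for d in dsts])
    return {
        "sources": len(per_source),
        "single_probe_sources": sum(1 for n in per_source.values() if n == 1),
        "forward_order": round(forward, 2),
        "reverse_byte_order": round(reverse, 2),
        # One shared sweep: ordered only when the octets are reversed.
        "coordinated_reverse_sweep": reverse >= threshold and forward < threshold,
    }

if __name__ == "__main__":
    print(analyze(PROBES))
```

Per-source thresholds see nothing here because almost every source sends one packet; the ordering of destinations across all sources is what gives the sweep away.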
