A technique called "reverse-byte order scanning" was deployed

Oct 9, 2012 12:05 GMT  ·  By

Although the Sality botnet isn't as well known as some comparable threats, it should not be overlooked. Researchers have found evidence that Sality may have probed the entire IPv4 address space in search of vulnerable voice-over-IP (VoIP) servers.

In a paper titled "Analysis of a '/0' Stealth Scan from a Botnet" (a /0 prefix is the whole IPv4 address space), researchers from the University of California, San Diego and the University of Napoli in Italy present the results of a study based on traffic captured by the UCSD darknet, a network telescope that records unsolicited packets sent to unused address space in order to study malicious Internet activity.

Sality is a piece of malware previously known for infecting executable files, sending spam and stealing data from compromised machines. The new research reveals another use for the botnet: identifying vulnerable VoIP targets that could later be abused in vishing or toll-fraud attacks.

By using a technique the researchers call "reverse-byte-order scanning," Sality was able to sweep what appears to be the entire IPv4 space, probing for SIP servers on UDP port 5060, without being noticed. Each network receives only a trickle of probes, and those probes arrive from many different infected hosts, so no single source ever stands out, Dark Reading reports.

“The choice of the target IP addresses progresses in reverse-byte-order increments. Moreover, there is a large turnover of bots participating in the scan. The result is that a single network would receive scanning packets 'diluted' over a large period of time - 12 days in this case - coming from different sources,” UCSD researcher Alistair King, one of the authors of the study, explained.

Around 3 million bots took part in scanning the complete IPv4 address space, following a scanning pattern that is not only efficient but also stealthy.
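To make the increment pattern and the "dilution" concrete, here is an added Python example; it is not code from the paper, from CAIDA or from Dark Reading. It assumes the scan walks a 32-bit counter and sends each probe to that counter with its byte order reversed (so the counter's least significant byte becomes the first octet of the target), and it treats the 12-day figure above as the length of one full sweep. The prefixes and the "observed" address lists are constructed for illustration; the consistency check only handles octet-aligned prefixes (/8, /16, /24), where the arithmetic is exact.

```python
# Added example (not code from the paper or the article): a model of
# reverse-byte-order scanning, the inverse mapping a darknet operator can
# apply to observed probes, and the "dilution" arithmetic for one network.
# Assumptions: the scan walks a 32-bit counter and targets the counter with
# its byte order reversed; the 12-day figure is one full sweep of the /0.
import ipaddress

SWEEP_SECONDS = 12 * 86400          # 12-day sweep reported by the researchers
ADDRESS_SPACE = 1 << 32             # number of counter values in a /0 sweep


def counter_to_target(n: int) -> str:
    """Target address for scan counter n: the counter's least significant
    byte becomes the first octet, so n, n+1, n+2 land in different /8s."""
    if not 0 <= n < ADDRESS_SPACE:
        raise ValueError("counter must fit in 32 bits")
    reversed_bytes = n.to_bytes(4, "big")[::-1]
    return str(ipaddress.IPv4Address(int.from_bytes(reversed_bytes, "big")))


def target_to_counter(ip: str) -> int:
    """Inverse mapping: recover the scan counter from an observed target."""
    packed = int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")
    return int.from_bytes(packed[::-1], "big")


def probe_gap(prefix_len: int) -> int:
    """Counter increments between two probes into the same octet-aligned
    prefix: a /p fixes the low p bits of the counter, so hits are 2**p apart."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes are handled here")
    return 1 << prefix_len


def seconds_between_probes(prefix_len: int, sweep_seconds: int = SWEEP_SECONDS) -> float:
    """Mean time between probes into one prefix if the sweep is uniform in time."""
    return sweep_seconds * probe_gap(prefix_len) / ADDRESS_SPACE


def probes_into(network: str, count: int) -> list:
    """First `count` targets the scan sends into `network`, in scan order."""
    net = ipaddress.IPv4Network(network)
    gap = probe_gap(net.prefixlen)
    # The low prefix_len bits of the counter are fixed by the prefix.
    first = target_to_counter(str(net.network_address)) & (gap - 1)
    return [counter_to_target(first + k * gap) for k in range(count)]


def looks_like_reverse_byte_sweep(targets: list, prefix_len: int) -> bool:
    """Darknet-side check: in arrival order, the recovered counters of probes
    into an octet-aligned /prefix_len must advance by exactly probe_gap."""
    counters = [target_to_counter(t) for t in targets]
    gap = probe_gap(prefix_len)
    return len(counters) > 1 and all(b - a == gap for a, b in zip(counters, counters[1:]))


if __name__ == "__main__":
    for n in (0, 1, 255, 256, 0x01020304):
        print(f"counter {n:>10} -> {counter_to_target(n)}")
    # Constructed prefix: what one /16 sees, and how its third octet cycles
    # fully before the fourth octet moves at all.
    print(probes_into("10.0.0.0/16", 3), "...", probes_into("10.0.0.0/16", 257)[256])
    for p in (8, 16, 24):
        print(f"/{p}: one probe every {probe_gap(p)} increments, "
              f"about {seconds_between_probes(p):.1f} s apart over a 12-day sweep")
    # A plain sequential sweep of 10.0.0.0/24 (constructed) does not fit the pattern.
    sequential = [f"10.0.0.{i}" for i in range(8)]
    print(looks_like_reverse_byte_sweep(probes_into("10.0.0.0/16", 8), 16),
          looks_like_reverse_byte_sweep(sequential, 16))
```

The arithmetic is the whole point of the technique: a /24 gets one probe every 2^24 increments, which over a 12-day sweep is roughly one packet every 67 minutes, and a /16 gets one about every 16 seconds. Spread across millions of changing source addresses, that rate sits well below what a per-source scan detector would flag; it is only when a large telescope reverses the byte order and sees the counters line up that the sweep becomes visible.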

The researchers note that although the evasion technique itself may not be new, it has not been documented in this way before.

The researchers will present the paper at the Internet Measurement Conference (IMC) 2012 in Boston, scheduled for November 14 to November 16.

Below is a visualization of the scan as observed by the UCSD Network Telescope, also known as the UCSD darknet: