Analysis of a “/0” Stealth Scan From a Botnet

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, and probing networks for enumeration or penetration. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet that continuously receives large amounts of unsolicited traffic, and we correlate this traffic with other public data sources to validate our inferences. Sality is one of the largest botnets ever identified by researchers. Its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This paper offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
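The abstract describes the two measurements a darknet operator needs to recognise this kind of event: a horizontal scan (many destinations, one service) whose probes are spread across a very large source population, each source sending only a trickle. The following is an added example, not code from the paper or from the UCSD telescope, showing how to compute that profile from darknet flow records. The records are constructed, the /8 prefix is a stand-in for the telescope, UDP/5060 is assumed as the SIP port (the abstract names SIP, not the port), and the thresholds in `classify()` are toy values chosen for illustration.

```python
"""Added example: profiling darknet traffic for a coordinated horizontal scan.

Not code from the paper. Records are constructed; the darknet prefix, the
SIP port and the thresholds in classify() are assumptions for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import median

# Stand-in for the /8 telescope prefix (assumed; the real prefix is not given here).
DARKNET = ip_network("10.0.0.0/8")
SIP_PORT = 5060  # SIP default signalling port (assumed; the abstract names SIP, not the port)

# Constructed sample flows: (t, src, dst, proto, dport). Six sources each send one or
# two SIP probes, but together they sweep ten different /16s of the darknet; one
# unrelated source hammers a single host on TCP/22.
SAMPLE = [
    (0, "203.0.113.5", "10.1.0.7", "udp", SIP_PORT),
    (1, "203.0.113.5", "10.2.0.7", "udp", SIP_PORT),
    (2, "198.51.100.9", "10.3.0.7", "udp", SIP_PORT),
    (3, "198.51.100.9", "10.4.0.7", "udp", SIP_PORT),
    (4, "192.0.2.44", "10.5.0.7", "udp", SIP_PORT),
    (5, "192.0.2.44", "10.6.0.7", "udp", SIP_PORT),
    (6, "203.0.113.77", "10.7.0.7", "udp", SIP_PORT),
    (7, "198.51.100.200", "10.8.0.7", "udp", SIP_PORT),
    (8, "192.0.2.130", "10.9.0.7", "udp", SIP_PORT),
    (9, "192.0.2.130", "10.10.0.7", "udp", SIP_PORT),
] + [(10 + i, "198.51.100.1", "10.20.0.1", "tcp", 22) for i in range(10)]


def darknet_records(records, proto, dport):
    """Keep only packets for one (proto, dport) whose destination lies in the darknet."""
    return [r for r in records
            if r[3] == proto and r[4] == dport and ip_address(r[2]) in DARKNET]


def profile(records, proto, dport, prefix_len=16):
    """Aggregate view of one service: how many sources, how much each one sends,
    and what fraction of the darknet's /prefix_len blocks the population touched."""
    hits = darknet_records(records, proto, dport)
    per_src = Counter(r[1] for r in hits)
    targets = {r[2] for r in hits}
    blocks = {ip_network(f"{r[2]}/{prefix_len}", strict=False) for r in hits}
    total_blocks = 2 ** (prefix_len - DARKNET.prefixlen)
    return {
        "packets": len(hits),
        "sources": len(per_src),
        "targets": len(targets),
        "median_pkts_per_source": median(per_src.values()) if per_src else 0,
        "block_coverage": len(blocks) / total_blocks,
    }


def classify(p, min_sources=5, max_pkts_per_source=3):
    """Toy decision rule (thresholds assumed): many sources, each sending only a
    few packets, that between them reach at least as many targets as there are
    sources is the signature of a coordinated horizontal scan."""
    if (p["sources"] >= min_sources
            and p["median_pkts_per_source"] <= max_pkts_per_source
            and p["targets"] >= p["sources"]):
        return "coordinated horizontal"
    return "other"


def ordered_fraction(records, proto, dport, key=lambda ip: int(ip_address(ip))):
    """Merge all sources' probes in time order and measure how often the next
    destination is 'after' the previous one under `key`. A population that walks
    the address space together scores near 1.0 under the ordering it uses."""
    hits = sorted(darknet_records(records, proto, dport), key=lambda r: r[0])
    if len(hits) < 2:
        return 0.0
    ks = [key(r[2]) for r in hits]
    steps = sum(1 for a, b in zip(ks, ks[1:]) if b > a)
    return steps / (len(ks) - 1)


if __name__ == "__main__":
    for proto, port in (("udp", SIP_PORT), ("tcp", 22)):
        p = profile(SAMPLE, proto, port)
        print(proto, port, p, classify(p), ordered_fraction(SAMPLE, proto, port))
```

On real telescope data the same `profile()` is what turns "3 million distinct IP addresses over 12 days" into a per-source packet rate low enough that any single /24 operator would never notice it. `ordered_fraction()` is the coordination check: the identity key tests for a plain sequential walk, and a scanner that permutes the target space (for instance by transforming the address bytes) looks random under the identity key but scores near 1.0 once `key` is replaced with that permutation, so the key argument is the knob for testing candidate orderings.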

Antonio Pescapè, et al. Analysis of a "/0" stealth scan from a botnet, 2015, IEEE/ACM Transactions on Networking (TNET).