How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Understanding the network-level behavior of spammers
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamming botnets: signatures and characteristics
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Census and survey of the visible internet
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Automatic discovery of botnet communities on large-scale communication networks
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Botnet spam campaigns can be long lasting: evidence, implications, and analysis
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Geolocalization of proxied services and its application to fast-flux hidden servers
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
Spamcraft: an inside look at spam campaign orchestration
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Inference and analysis of formal models of botnet command and control protocols
Proceedings of the 17th ACM conference on Computer and communications security
Demystifying service discovery: implementing an internet-wide scanner
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Conficker and beyond: a large-scale empirical study
Proceedings of the 26th Annual Computer Security Applications Conference
Show me the money: characterizing spam-advertised revenue
SEC'11 Proceedings of the 20th USENIX conference on Security
Analysis of country-wide internet outages caused by censorship
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Towards Situational Awareness of Large-Scale Botnet Probing Events
IEEE Transactions on Information Forensics and Security
Analysis of internet-wide probing using darknets
Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security
Understanding IPv6 internet background radiation
Proceedings of the 2013 conference on Internet measurement conference
A systematic approach for detecting and clustering distributed cyber scanning
Computer Networks: The International Journal of Computer and Telecommunications Networking
Topology-Aware Correlated Network Anomaly Event Detection and Diagnosis
Journal of Network and Systems Management
Hi-index | 0.00 |
Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February of last year. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.