
Botnet discovered that scanned the entire IPv4 address space in less than two weeks


Researchers at the University of California San Diego have monitored a botnet that they believe scanned the entire IPv4 address space, possibly in less than two weeks. Using a network block called the UCSD Network Telescope, also known as the UCSD darknet, researchers noticed the illicit activity in February 2011. The UCSD darknet consists of an entire /8 IP block, that is, all IP addresses for a network in which only the first byte defines the network address (e.g. 10.0.0.0). The block is reserved for inbound network traffic monitoring only. Since no outbound traffic originates from this block, no host in it ever solicits a reply, so any network traffic that arrives must come from an outside source.

In February 2011, researchers noticed a scan running through the UCSD darknet. The scan took 12 days to complete and covered the entire address space. It appeared to be searching for Voice-over-IP (VoIP) endpoints that could be exploited. The researchers then correlated it with publicly accessible data on global network traffic and concluded that not just their own network but, it seemed, the entire internet was being scanned by the malware.

The scan came from several million IP addresses, indicating that it must have originated from one of the very large botnets (the researchers ruled out Conficker). Finally, they located the code responsible for the scan in a module that the botnet operator had loaded onto the Sality botnet. Sality is a malware family that was first discovered in 2003.
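The telescope reasoning above (an inbound-only block, so every packet is unsolicited) and the observed pattern (millions of sources, each touching few targets, collectively covering the block) can be turned into a simple measurement. The following is an added example, not the researchers' code; the 10.0.0.0/8 block, the flow records and the timestamps are all constructed.

```python
from ipaddress import ip_address, ip_network

# Hypothetical telescope block standing in for the UCSD /8. Nothing inside it
# ever transmits, so any inbound record is unsolicited by construction.
TELESCOPE = ip_network("10.0.0.0/8")

# Constructed inbound flow records: (seconds, src, dst, proto, dport).
SAMPLE_FLOWS = [
    (1000, "198.51.100.7", "10.0.0.1",   "udp", 5060),
    (1030, "203.0.113.42", "10.1.7.9",   "udp", 5060),
    (1090, "192.0.2.200",  "10.200.3.4", "udp", 5060),
    (1120, "198.51.100.7", "10.0.0.2",   "udp", 5060),  # same /24 as first probe
    (1150, "203.0.113.42", "10.55.1.1",  "tcp", 80),    # web probe, not SIP
    (1200, "192.0.2.200",  "10.9.9.9",   "udp", 53),    # DNS, not SIP
    (1300, "203.0.113.42", "172.16.0.1", "udp", 5060),  # not addressed to the telescope
]


def sip_scan_summary(flows, telescope=TELESCOPE, sip_port=5060):
    """Aggregate SIP probes seen by an inbound-only telescope block.

    Returns the number of distinct sources, how many /24s inside the block
    were touched, the fraction of the block covered, the largest number of
    probes any single source sent, and the span of the activity in seconds.
    A high source count with a low per-source probe count is the signature
    of a scan distributed across a botnet rather than a single host.
    """
    sources = {}
    covered_24s = set()
    t_first = t_last = None
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != sip_port:
            continue
        d = ip_address(dst)
        if d not in telescope:
            continue  # ignore anything not aimed at the darknet
        sources[src] = sources.get(src, 0) + 1
        covered_24s.add(int(d) >> 8)  # bucket the destination by its /24
        t_first = ts if t_first is None else min(t_first, ts)
        t_last = ts if t_last is None else max(t_last, ts)
    total_24s = telescope.num_addresses // 256
    return {
        "sources": len(sources),
        "covered_24s": len(covered_24s),
        "total_24s": total_24s,
        "coverage": len(covered_24s) / total_24s,
        "max_probes_per_source": max(sources.values(), default=0),
        "duration_s": (t_last - t_first) if sources else 0,
    }
```

Over a real darknet feed the same aggregation, run per day, is what lets the coverage fraction be tracked until the whole block has been touched.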

Researchers told Dark Reading that “they were probably trying to brute-force SIP servers to create accounts to be used for free calls, anonymous calls, VoIP fraud, etc.”

Sources: Dark Reading