Botnets come in a range of tiers, and Sality does not rank at the top, but that also allows it to fly under the radar a bit.
Sality may have actually mapped all the IPv4 addresses in search of vulnerable voice-over-IP (VoIP) servers, security researchers said.
In a paper entitled “Analysis of a ‘/0’ Stealth Scan from a Botnet,” researchers from the University of California and the University of Napoli in Italy presented the results of a study performed with the aid of the UCSD darknet, designed to study malicious Internet activity.
Sality is malware whose main goal so far has been to infect web servers, spread spam and steal data. However, the new research unveiled another purpose: to identify vulnerable VoIP targets that could fall victim to attacks.
By leveraging a technique called “reverse-byte order scanning,” Sality can scan possibly the entire IPv4 space in stealth mode. That’s because the technique utilizes a low number of packets that come from different sources.
“The choice of the target IP addresses progresses in reverse-byte-order increments. Moreover, there is a large turnover of bots participating in the scan. The result is a single network would receive scanning packets diluted over a large period of time — 12 days in this case — coming from different sources,” said UCSD Researcher Alistair King, one of the authors of the study.
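A defender-side check for the ordering described above, as an added example that is not from the article or the paper: it labels the destination progression logged by one sensor and shows why a reverse-byte-order sweep leaves so few probes in any single /24. The function names, the 0.5 margin and the 10.0.0.0/8 sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import random
from collections import Counter

def octet_change_rates(dests):
    """Per octet position, the fraction of consecutive probes in which it differs."""
    packed = [ipaddress.IPv4Address(d).packed for d in dests]
    pairs = list(zip(packed, packed[1:]))
    if not pairs:
        return [0.0] * 4
    return [sum(a[i] != b[i] for a, b in pairs) / len(pairs) for i in range(4)]

def classify_progression(dests, margin=0.5):
    """Label the target ordering seen by one sensor (margin is an assumed threshold)."""
    rates = octet_change_rates(dests)
    varying = [i for i, r in enumerate(rates) if r > 0]
    if len(varying) < 2:
        return "insufficient"
    left, right = rates[varying[0]], rates[varying[-1]]
    if left - right > margin:
        return "reverse-byte-order"  # leftmost varying octet changes fastest
    if right - left > margin:
        return "sequential"          # last octet changes fastest
    return "unordered"

def max_probes_per_slash24(dests):
    """Largest number of probes that any single /24 received."""
    nets = Counter(ipaddress.IPv4Address(d).packed[:3] for d in dests)
    return max(nets.values())

# Constructed samples: destinations as a sensor covering 10.0.0.0/8 would log them,
# in arrival order. None of these addresses come from the study.
REVERSE = [f"10.{b}.{c}.0" for c in range(4) for b in range(256)]
SEQUENTIAL = [f"10.0.{c}.{d}" for c in range(4) for d in range(256)]
_rng = random.Random(7)
RANDOM = [f"10.{_rng.randrange(256)}.{_rng.randrange(256)}.{_rng.randrange(256)}"
          for _ in range(1024)]

if __name__ == "__main__":
    for name, sample in (("reverse", REVERSE), ("sequential", SEQUENTIAL),
                         ("random", RANDOM)):
        print(name, classify_progression(sample), max_probes_per_slash24(sample))
```

With the same 1,024 probes, the sequential sample puts 256 packets into each /24 it touches, while the reverse-ordered sample puts one, which is why per-subnet rate thresholds miss this kind of sweep.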