Researchers over at University of California and the University of Napoli in Italy have revealed through their research paper [PDF] that the Sality botnet, which was known to infect web servers; spread spam and steal data, has quite a few things under its hood. According to the research, the botnet also scans for vulnerable VoIP targets and that too using a technique called “reverse-byte order scanning.”
In Sality’s method of scanning the choice of IP addresses progresses in reverse-byte order increments. This particular method of scanning not only results in a low number of packets per day, out of all the IP addresses which the researchers monitored a million IPs actually dropped out of the scanning activity after transmitting only one probe.
The researchers monitored the activity of the botnet through the UCSD Network Telescope following which they claim that the botnet, over a period of 12 days, used some 3 million unique source IP addresses to carry out the scan. The team wrote in their paper that they "captured traffic reflecting a previously undocumented largescale stealth scanning behavior (across the entire IPv4 space, we believe)".