|
|
|
Somewhat similar
to downgraded scanners
|
|
So far, unlike
scanners, worms attempt only few dozen HTTP attacks.
|
|
Does not perform
HTTP authentication
|
|
Every batch is
from a single IP, yet expect several “sessions” from different IPs (lots of
machines are infected).
|
|
Attack may be
correlated to non-HTTP protocols
|
|
|
