Security Incidents mailing list archives

Distributed MSADC/root.exe scans


From: "Chris Adams" <chris () improbable org>
Date: Thu, 21 Feb 2002 22:44:38 -0700 (MST)

I've noticed quite a few hosts scanning for a couple of the
vulnerabilities used in the old IIS worms. For example, this afternoon
I've seen scans from just over 500 highly diverse source IPs across 6
class Cs here.
These don't match the normal worm scanning behaviour:
- each IP scans only a small number of hosts - the largest number of
requests I've seen from a single IP is 8 and most scan just one host with
a couple requests
- the hosts scanned do not overlap
- the scans are staggered, so we'll get a small batch every 3-10 minutes
- the cycle of scans has repeated for the last few days at what appears to
be long (>1 day) intervals
- the IPs aren't scanned contiguously

I have trouble believing someone would go to the trouble of collecting
compromised hosts and then waste them stealthily scanning for
vulnerabilities which even inattentive admins are likely to have patched
and will trigger any halfway decent IDS but a quick google didn't turn up
anything much.
Does anyone know what might be causing this?

Chris



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

