Shodan search tool tracks down botnet command-and-control servers
Wed 3 May 2017
Search engine Shodan has announced a tool to help businesses hunt out and block traffic from malware command-and-control servers.
The new Malware Hunter service, designed in a collaborative project with threat intelligence company Recorded Future, continuously scans the internet to locate control panels for different remote access trojans (RATs), including Gh0st RAT, DarkComet, njRAT, XtremeRAT, NetBus and Poison Ivy.
The internet crawler identifies botnet C2 servers by connecting to public IP addresses and sending traffic that mimics the check-in of an infected device. If the receiving computer answers the way a control panel would, that server is flagged.
So far, Malware Hunter has traced over 5,700 RAT servers, more than 4,000 of them based in the U.S. According to Shodan, the largest proportion of identified control panels were for Gh0st RAT, a Chinese malware family that has been employed in cyberespionage campaigns since 2009.
Malware Hunter’s list of C2 servers is updated in real time, so security companies, businesses and researchers can feed it into firewall products and other antimalware solutions.
Shodan believes that blocking malicious C2 traffic at the network level could help to prevent cybercriminals from abusing infected devices or stealing data.
‘This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,’ said Levi Gundert, vice president of intelligence and strategy at Recorded Future.
‘By doing it this way — signature scans for RAT controller IP addresses, observing malware through our API, and cross-correlating it with a variety of sources — we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims,’ he continued.
While some argue that a masquerade tool could result in false positive alerts, Shodan explained on its new website that ‘Malware Hunter doesn’t perform any attacks and the requests it sends don’t contain any malicious content.’
It added: ‘The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress).’
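The ingress/egress distinction Shodan raises is the crux of using a C2 list without false positives: an internal host connecting out to a listed controller suggests infection, while a listed or scanner address connecting in to you does not. The following is an added illustration, not code from Shodan or Recorded Future; the indicator table, internal ranges and log lines are constructed placeholders, and the key=value log format is an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample indicators (placeholder addresses, not from Shodan's feed).
C2_INDICATORS = {
    "203.0.113.10": "Gh0st RAT",
    "198.51.100.77": "njRAT",
}

# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Classify one flow by direction relative to the C2 list.

    egress-c2    internal host -> listed controller: likely infected, alert.
    ingress-scan listed address -> internal host: inbound probe only,
                 the indicator must not be applied in this direction.
    clean        no indicator involved.
    """
    if is_internal(src) and dst in C2_INDICATORS:
        return "egress-c2", C2_INDICATORS[dst]
    if src in C2_INDICATORS and is_internal(dst):
        return "ingress-scan", C2_INDICATORS[src]
    return "clean", None


def triage(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (internal_host, controller, family) for egress matches only."""
    alerts = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, family = classify_flow(fields["src"], fields["dst"])
        if verdict == "egress-c2":
            alerts.append((fields["src"], fields["dst"], family))
    return alerts


# Constructed flow log: one beacon out, one inbound probe, one benign flow.
SAMPLE_LOG = [
    "ts=1493812800 src=192.168.1.23 dst=203.0.113.10 dport=8080 proto=tcp",
    "ts=1493812801 src=203.0.113.10 dst=192.168.1.5 dport=443 proto=tcp",
    "ts=1493812802 src=192.168.1.23 dst=192.0.2.50 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for host, c2, family in triage(SAMPLE_LOG):
        print(f"ALERT egress to {family} controller {c2} from {host}")
```

Only the first sample line produces an alert; the inbound connection from the listed address is classified separately and never reported as an infected host.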