Malware Hunter — Shodan's Novel Tool To Notice Malware C&C Servers

Rapidly growing, insecure internet-connected devices are becoming albatross to a greater extent than or less the necks of individuals too organizations amongst malware authors routinely hacking them to cast botnets that tin hold upwardly farther used every bit weapons inwards DDoS too other cyber attacks.

But straight off finding malicious servers, hosted yesteryear attackers, that command botnet of infected machines gets a chip easier. Thanks to Shodan too Recorded Future.

Shodan too Recorded Future bring teamed upwardly too launched Malware Hunter – a crawler that scans the Internet regularly to position botnet command too command (C&C) servers for diverse malware too botnets.

Command-and-control servers (C&C servers) are centralized machines that command the bots (computers, smart appliances or smartphones), typically infected amongst Remote Access Trojans or data-stealing malware, yesteryear sending commands too receiving data.

Malware Hunter results bring been integrated into Shodan – a search engine designed to get together too listing information close all types of Internet-connected devices too systems.

How Does Malware Hunter Identify a C&C Server?

You powerfulness hold upwardly wondering how Malware Hunter volition larn to know which IP address is beingness used to host a malicious C&C server.

For this, Shodan has deployed specialized crawlers, to scan the whole Internet to hold off for computers too devices configured to business office every bit a botnet C&C server yesteryear pretending to hold upwardly infected estimator that is reporting dorsum to the command too command server.

The crawler effectively reports dorsum to every IP address on the Web every bit if the target IP is a C&C too if it gets a positive response, hence it knows the IP is a malicious C&C server.

"RATs furnish specific responses (strings) when a proper asking is presented on the RAT controller's listener port," according to a 15-page study [PDF] published yesteryear Recorded Future.

"In some cases, fifty-fifty a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique reply is a fingerprint indicating that a RAT controller (control panel) is running on the estimator inwards question."

Malware Hunter Already Identified Over 5,700 Malicious C&C Servers

We gave it a endeavour too flora impressive results, briefly mentioned below:

1. Malware Hunter has already identified over 5,700 command-and-control servers to a greater extent than or less the World.
2. Top 3 Countries hosting command too command servers include U.S.A. of America (72%), Hong Kong (12%) too Communist People's Republic of China (5.2%).
3. Five pop Remote Access Trojan (RAT) that are widely beingness used include Gh0st RAT Trojan (93.5%), DarkComet trojan (3.7%), along amongst a few servers belong to njRAT Trojan, ZeroAccess Trojan, too XtremeRAT Trojan.
4. Shodan is also able to position C&C servers for Black Shades, Poison Ivy, too Net Bus.

To run across results, all you lot bring to produce is search for "category:malware" without quotes on Shodan website.

Malware Hunter aims at making it easier for safety researchers to position newly hosted C&C servers, fifty-fifty earlier having access to respective malware samples.

This tidings gathering would also tending anti-virus vendors position undetectable malware too preclude it from sending your stolen information dorsum to attacker's command-and-control servers.