Menu
Shodan search engine starts unmasking malware command-and-control servers

Shodan search engine starts unmasking malware command-and-control servers

The new Malware Hunter service could help companies and security vendors quickly block traffic to malware servers.

IDG

IDG

There's now a new tool that could allow companies to quickly block communications between malware programs and their frequently changing command-and-control servers.

Threat intelligence company Recorded Future has partnered with Shodan, a search engine for internet-connected devices and services, to create a new online crawler called Malware Hunter.

The new service continuously scans the internet to find control panels for over ten different remote access Trojan (RAT) programs, including Gh0st RAT, DarkComet, njRAT, ZeroAccess and XtremeRAT. These are commercial malware tools sold on underground forums and are used by cybercriminals to take complete control of compromised computers.

To identify command-and-control (C&C) servers, the Malware Hunter crawler connects to public Internet Protocol addresses and sends traffic that replicates what these Trojan programs would send to their control panels. If the receiving computers send back specific responses they're flagged as C&C servers.

Malware Hunter has identified over 5,700 RAT servers so far, with more than 4,000 of them located in the U.S. The largest number of control panels found was for Gh0st RAT, a malware program of Chinese origin that has been used in targeted cyberespionage attacks since 2009.

The C&C list generated by Malware Hunter is updated in real time, so security vendors, companies and even independent researchers can use it in firewalls and other security products to block malicious traffic.

Blocking traffic to these C&C servers at the network level could prevent attackers from abusing infected computers or stealing data. This could be quicker than waiting for security companies to discover new RAT samples, extract the command-and-control servers from their configuration and adding a blocking rule for them.

The traffic signatures used to identify RAT C&C servers is based on research by Recorded Future, which used the same technique to identify malicious servers in the past, but on a smaller scale.

The downside of crawlers masquerading as infected computers when scanning the entire internet is that it could trigger false positive alerts on people's security systems that filter incoming traffic.

"Malware Hunter doesn't perform any attacks and the requests it sends don't contain any malicious content," the service's creators said on its website. "The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress)."


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments