Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into Shodan, a search engine for discovering Internet-connected devices.
Malware Hunter works via search bots that crawl the Internet looking for computers configured to function as a botnet C&C server.
In order to trick a C&C server to reveal its location, the search bot uses various predefined requests to pretend to be infected computer that’s reporting back to the C&C server. If the scanned computer responds, Malware Hunter logs the IP and makes it available via the Shodan interface.
Malware Hunter is powered by technologies from Shodan and Recorded Future. For its part, Shodan is providing the ability to quickly and efficiently probe every IP address on the Internet, while Recorded Future is contributing the technical information needed to mimic infected computers (malware bots).
“This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,” said Levi Gundert, vice president of intelligence and strategy at Recorded Future. “By doing it this way – signature scans for RAT controller IP addresses, observing malware through our API, and cross-correlating it with a variety of sources – we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims.”
More details about the technical details behind the process of searching and identifying C&C servers is available in this 15-page report released by Recorded Future.
Currently, Malware Hunter can identify a wide range of RAT C&Cs
Currently, the Malware Hunter engine comes with support for identifying a wide range of C&C servers for RATs (Remote Access Trojans), such as Dark Comet, njRAT, Poison Ivy, Ghost RAT, and more.
In the future, hopes are that the Malware Hunter search engine will be able to uncover other types of malware botnets, such as those for backdoor trojans, cyber-espionage malware, cryptominers, or DDoS malware.
You can directly access Malware Hunter results by searching for “category:malware” on Shodan. An initial set of results — at the time of writing — lists over 5,700 C&C servers.