Shodan search engine starts unmasking malware command-and-control servers

There’s now a new tool that could allow companies to quickly block communications between malware programs and their frequently changing command-and-control servers.

Threat intelligence company Recorded Future has partnered with Shodan, a search engine for internet-connected devices and services, to create a new online crawler called Malware Hunter.

The new service continuously scans the internet to find control panels for over ten different remote access Trojan (RAT) programs, including Gh0st RAT, DarkComet, njRAT, ZeroAccess and XtremeRAT. These are commercial malware tools sold on underground forums and are used by cybercriminals to take complete control of compromised computers.

To identify command-and-control (C&C) servers, the Malware Hunter crawler connects to public Internet Protocol addresses and sends traffic that replicates what these Trojan programs would send to their control panels. If the receiving computers send back specific responses they’re flagged as C&C servers.

Malware Hunter has identified over 5,700 RAT servers so far, with more than 4,000 of them located in the U.S. The largest number of control panels found was for Gh0st RAT, a malware program of Chinese origin that has been used in targeted cyberespionage attacks since 2009.

The C&C list generated by Malware Hunter is updated in real time, so security vendors, companies and even independent researchers can use it in firewalls and other security products to block malicious traffic.

Blocking traffic to these C&C servers at the network level could prevent attackers from abusing infected computers or stealing data. This could be quicker than waiting for security companies to discover new RAT samples, extract the command-and-control servers from their configuration and adding a blocking rule for them.

The traffic signatures used to identify RAT C&C servers is based on research by Recorded Future, which used the same technique to identify malicious servers in the past, but on a smaller scale.

The downside of crawlers masquerading as infected computers when scanning the entire internet is that it could trigger false positive alerts on people’s security systems that filter incoming traffic.

“Malware Hunter doesn’t perform any attacks and the requests it sends don’t contain any malicious content,” the service’s creators said on its website. “The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress).”