Shodan search engine launches botnet hunting service

Internet of Things search engine Shodan has launched a new crawler that scours the the Internet for servers that manage botnets.

Shodan has been used by security researchers to uncover, for example, recent ransacking unsecured databases and a multitude of other connected things that shouldn't be exposed to the internet.

A new search service, dubbed Malware Hunter, targets infrastructure known as command and control (C2) servers that cybercriminals and sometimes government sponsored hackers use to control infected computers. Specifically, it’s looking for C2s that host remote access trojan (RAT) software, which are used to control an infected computer’s webcam to record video footage or audio of victims, or log keystrokes.

The service is jointly operated with Recorded Future, a threat intelligence firm, which provides an application protocol interface (API) that offers access to data from multiple sources, such as Indicators of Compromise (IOCs) from it’s own research and others, including Team Cymru. Shodan uses this data to scan the internet in search of IP addresses that match known RAT signatures already collected by Recorded Future.

Malware Hunter searches for malware servers by having its web crawler pose as an infected client that is reporting home. Since it doesn’t known which IP address is malicious, the crawler reports to every IP address on the internet as if the target is a malicious C2 and a positive response confirms that the IP address is one. Shodan will then display the IP addresses in its results.

Recorded Future notes the signatures are based on full packet capture data collected by numerous researchers from different RAT families. The packet captures contain RAT controller responses to requests made to the RAT controller’s listener port.

“Analysis of RAT controller responses within these packet captures leads to digital fingerprints that can be subsequently used in tandem with an Internet scanner to identify live instances of RAT controllers, and in some cases the RAT operator’s home IP address and approximate geographic location,” explains Recorded Future’s VP of threat intelligence Levi Gundert in a technical report.

Shodan has signatures for a number of well known RAT families, including Black Shades, Dark Comet, njRAT, XtremeRAT, Posion Ivy, Net Bus, and Gh0st RAT. The search engine identifies between 400 and 600 RAT controllers on any day.

Malware Hunter is meant to be more aggressive than existing methods, such as using honey pots, or using the Google owned malware aggregation service VirusTotal. The search engine is equipped to run port scans for servers, routers, webcams, and other port listening devices with the aim of helping researchers identify infected computers before a RAT variant grows too powerful.

Recorded Future claims that using the Malware Hunter methodology, a Shodan scan from early 2015 returned 633 RAT controller IP address. It crossed checked that with VirusTotal, which had matching malware results for 153 of the IP addresses, demonstrating that the service can find instances even before they’re submitted to VirusTotal.

"The capabilities that Malware Hunter brings to security researchers and threat analysts will greatly help the community's ability to track RAT family proliferation and other attacks and prevent them from taking the internet hostage," said John Matherly, founder of Shodan.

Anyone can start using the Malware Hunter search service today so long as they have already setup a free tier Shodan account.

Tags malwaretrojanratShodan

Show Comments