Meet New Shodan Malware Scanner – Scans for C&C Servers

So what is SHODAN?

Meet “Shodan” The Scariest Search Engine On The Internet

Well, if we look around, we will find that we are entirely dependent on the Internet of Things. We use IoT devices in our daily lives and frequently encounter things that are connected to the web, and all of them exist in two worlds: the real world and the Internet.
So, today we are going to introduce Shodan, the backdoor to the Internet. Shodan can find what Google cannot. Shodan was launched in 2009 by John Matherly.
John Matherly named his project after the villainous computer in the video game System Shock. Today Shodan is dubbed the "world's scariest search engine", and it is very often called the hackers' search engine.
Shodan is designed to index every device connected to the Internet. It collects and stores the HTTP addresses of devices attached to the Internet worldwide and arranges them by country, operating system, and brand.
Shodan's scanning reach is so broad that it can find Internet-exposed systems belonging to nuclear power plants. It can even find traffic lights, control systems, gas stations, power grids, and security cameras.
Most of the time, public services use few or no online-safety measures, and once exposed to hackers the results could be destructive. Hackers can even break into your system if your IoT hub is exposed on the Internet, using Shodan to find it.
You can find devices in Shodan that still run with their default passwords, or with no password at all. Shodan currently returns ten results to users who don't have an account and 50 results to those who do.

SHODAN’s new online malware scanner that hunts C&C servers all over the world.

Rapidly growing numbers of insecure Internet-connected devices are becoming an albatross around the necks of individuals and organizations, with malware authors routinely hacking them to form botnets that are then used as weapons in DDoS and other cyber attacks.

But finding the malicious servers, hosted by attackers, that control botnets of infected machines is now getting a bit easier, thanks to Shodan and Recorded Future.

Shodan and Recorded Future have teamed up and launched Malware Hunter – a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets.

Command-and-control servers (C&C servers) are centralized machines that control the bots (computers, smart appliances or smartphones), typically infected with Remote Access Trojans or data-stealing malware, by sending commands and receiving data.

Malware Hunter results have been integrated into Shodan – a search engine designed to gather and list information about all types of Internet-connected devices and systems.

How Does Malware Hunter Identify a C&C Server?

You might be wondering how Malware Hunter figures out which IP addresses are hosting a malicious C&C server.

For this, Shodan has deployed specialized crawlers that scan the whole Internet looking for computers and devices configured to function as botnet C&C servers, by pretending to be an infected computer reporting back to its command-and-control server.

The crawler effectively reports back to every IP address on the Web as if the target were a C&C server; if it gets the expected response, it knows the IP is a malicious C&C server.

“RATs return specific responses (strings) when a proper request is presented on the RAT controller’s listener port,” according to a 15-page report [PDF] published by Recorded Future.

“In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question.”

Malware Hunter Already Identified Over 5,700 Malicious C&C Servers

We gave it a try and found impressive results, briefly mentioned below:

  1. Malware Hunter has already identified over 5,700 command-and-control servers around the world.
  2. The top 3 countries hosting command-and-control servers are the United States (72%), Hong Kong (12%), and China (5.2%).
  3. The five most widely used Remote Access Trojans (RATs) are Gh0st RAT (93.5%) and DarkComet (3.7%), along with a few servers belonging to njRAT, ZeroAccess, and XtremeRAT.
  4. Shodan is also able to identify C&C servers for BlackShades, Poison Ivy, and NetBus.

To see the results, all you have to do is search for "category:malware" (without the quotes) on the Shodan website.
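The practical defender's use of that query is to treat the returned C&C addresses as indicators and check whether any machine on your own network has been talking to them. The following Python script, added here as an example and not code from Shodan or Recorded Future, does exactly that offline: it loads a constructed search result (the keys `total`, `matches`, `ip_str`, `port`, `data` and `tags` follow the shape of Shodan's banner JSON, but every IP, port and banner value is made up), extracts the (IP, port) pairs tagged as malware, and then scans constructed firewall log lines for outbound connections to them, reporting which internal hosts appear to be beaconing.

```python
"""Cross-reference Shodan 'category:malware' results with outbound connection logs.

Added example, not Shodan's or Recorded Future's code. SAMPLE_SHODAN_RESULT is a
CONSTRUCTED document whose keys follow Shodan's banner JSON shape; the IPs, ports,
banner text and firewall log lines below are all made up for the demonstration.
"""
import ipaddress
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample shaped like shodan.Shodan(key).search("category:malware")
SAMPLE_SHODAN_RESULT = json.dumps({
    "total": 2,
    "matches": [
        {"ip_str": "198.51.100.23", "port": 8080, "tags": ["malware"],
         "data": "CONSTRUCTED RAT controller fingerprint"},
        {"ip_str": "203.0.113.7", "port": 443, "tags": ["malware"],
         "data": "CONSTRUCTED RAT controller fingerprint"},
    ],
})

# Constructed firewall log: timestamp, action, source -> destination:port, protocol
SAMPLE_FIREWALL_LOG = """\
2017-05-03T10:12:01Z ALLOW 10.0.0.15 -> 93.184.216.34:443 tcp
2017-05-03T10:12:09Z ALLOW 10.0.0.42 -> 198.51.100.23:8080 tcp
2017-05-03T10:13:44Z ALLOW 10.0.0.42 -> 198.51.100.23:8080 tcp
2017-05-03T10:15:02Z DENY  10.0.0.77 -> 203.0.113.7:443 tcp
2017-05-03T10:16:30Z ALLOW 10.0.0.15 -> 203.0.113.7:80 tcp
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def load_c2_indicators(shodan_json: str) -> Set[Tuple[str, int]]:
    """Return the set of (ip, port) pairs that Shodan tagged as malware C&C."""
    result = json.loads(shodan_json)
    indicators = set()
    for match in result.get("matches", []):
        if "malware" not in match.get("tags", []):
            continue  # ignore banners that are not malware-tagged
        ip = ipaddress.ip_address(match["ip_str"])  # raises on a malformed address
        indicators.add((str(ip), int(match["port"])))
    return indicators


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one firewall line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_beaconing_hosts(log_text: str,
                         indicators: Set[Tuple[str, int]]) -> Dict[str, List[dict]]:
    """Map each internal source IP to the log records that reached a known C&C.

    Both ALLOW and DENY records are kept: a denied connection attempt to a C&C
    still means the source host is probably infected and trying to check in.
    """
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if (rec["dst"], rec["dport"]) in indicators:
            hits[rec["src"]].append(rec)
    return dict(hits)


if __name__ == "__main__":
    c2 = load_c2_indicators(SAMPLE_SHODAN_RESULT)
    for host, records in find_beaconing_hosts(SAMPLE_FIREWALL_LOG, c2).items():
        print(f"{host}: {len(records)} connection(s) to a known C&C server")
```

Matching on the (IP, port) pair rather than the IP alone is a deliberate choice: a Shodan fingerprint says that a RAT control panel answered on one specific port, so a connection to the same address on a different port (the `10.0.0.15` line above) is not flagged, which keeps false positives down on shared hosting. The opposite caveat also applies: the fingerprint identifies the controller software, not who runs it, so a researcher's sandbox or honeypot with a RAT panel listening will appear in the same search results and should be weeded out before the list is fed to blocking controls.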

Malware Hunter aims to make it easier for security researchers to identify newly hosted C&C servers, even before they have access to the corresponding malware samples.

This intelligence gathering would also help anti-virus vendors identify as-yet-undetected malware and prevent it from sending your stolen data back to the attackers' command-and-control servers.