SHODAN’s new online malware scanner that hunts C&C servers all over the world.
Finding the malicious servers that attackers use to control botnets of infected machines has just become a bit easier, thanks to Shodan and Recorded Future.
Shodan and Recorded Future have teamed up and launched Malware Hunter – a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets.
Malware Hunter results have been integrated into Shodan – a search engine designed to gather and list information about all types of Internet-connected devices and systems.
How Does Malware Hunter Identify a C&C Server?
You might be wondering how Malware Hunter will get to know which IP address is being used to host a malicious C&C server.
For this, Shodan has deployed specialised crawlers that scan the whole Internet for computers and devices configured to act as botnet C&C servers. The crawlers do so by impersonating an infected machine checking in with its command-and-control server and recording how the remote host responds.
“RATs return specific responses (strings) when a proper request is presented on the RAT controller’s listener port,” according to a 15-page report [PDF] published by Recorded Future.
“In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question.”
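The mechanism the report describes is ordinary active fingerprinting: open a TCP connection, optionally send the check-in bytes a real implant would send, and compare the reply against a table of known controller responses. The following Python script is an added example of that loop, not Shodan's or Recorded Future's code. The signature table, the probe bytes and the two local "controllers" it talks to are constructed for the demonstration (the real fingerprints are in Recorded Future's report and are not reproduced here); the second listener is a benign banner-speaking service, included to show that a controller is only reported when the expected reply comes back.

```python
import socket
import threading

# Constructed signature table for this example (not Recorded Future's real
# fingerprints, which live in their report). Each entry says what to send
# ("probe", empty means rely on the TCP handshake alone and let the remote
# side speak first) and what reply prefix marks a controller ("expect").
SIGNATURES = [
    {"name": "ExampleRAT-A", "probe": b"", "expect": b"HELLO-CTRL"},
    {"name": "ExampleRAT-B", "probe": b"\x01\x00CHECKIN", "expect": b"\x01\x00ACK"},
]


def fingerprint(host, port, timeout=2.0):
    """Try each signature's probe against host:port and return the name of
    the first controller family whose expected reply comes back, else None."""
    for sig in SIGNATURES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if sig["probe"]:
                    s.sendall(sig["probe"])
                try:
                    reply = s.recv(64)
                except socket.timeout:
                    reply = b""          # silent listener: no banner, no answer
        except OSError:
            continue                     # refused, reset or unreachable: try next probe
        if reply and reply.startswith(sig["expect"]):
            return sig["name"]
    return None


def serve(handler):
    """Start a throwaway listener on 127.0.0.1 in a daemon thread and return
    its port. Used here only to stand in for remote hosts."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def fake_rat_b(conn):
    """Constructed controller that answers only a correctly formed check-in,
    the behaviour the quoted report attributes to RAT listener ports."""
    conn.settimeout(1.0)
    try:
        data = conn.recv(64)
    except socket.timeout:
        return
    if data.startswith(b"\x01\x00CHECKIN"):
        conn.sendall(b"\x01\x00ACK\x00\x00")


def fake_banner_service(conn):
    """Constructed benign service that greets every client (false-positive check)."""
    conn.sendall(b"220 mail.example.test ESMTP\r\n")


if __name__ == "__main__":
    rat_port = serve(fake_rat_b)
    mail_port = serve(fake_banner_service)
    print("rat port  ->", fingerprint("127.0.0.1", rat_port))    # ExampleRAT-B
    print("mail port ->", fingerprint("127.0.0.1", mail_port))   # None
```

Two points carry over to a real crawler. The first signature sends nothing and only listens, which is the "basic TCP three-way handshake is sufficient" case from the report; the second needs the right check-in bytes before the controller will talk, so the probe must mimic the implant closely. And a match is only declared on the expected reply, never on the mere presence of an open port, which is what keeps ordinary services such as the banner-speaking listener out of the results.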
Malware Hunter Already Identified Over 5,700 Malicious C&C Servers
We gave it a try and found impressive results, briefly mentioned below:
- Malware Hunter has already identified over 5,700 command-and-control servers around the World.
- Top 3 Countries hosting command and control servers include United States (72%), Hong Kong (12%) and China (5.2%).
- The Remote Access Trojan (RAT) families most often seen are Gh0st RAT (93.5%) and DarkComet (3.7%), with a handful of servers belonging to njRAT, ZeroAccess and XtremeRAT.
- Shodan can also identify C&C servers for Blackshades, Poison Ivy and NetBus.
To see the results, search for category:malware (without quotes) on the Shodan website.
Malware Hunter aims at making it easier for security researchers to identify newly hosted C&C servers, even before having access to respective malware samples.
This intelligence should also help anti-virus vendors detect malware that currently evades their products and block it from sending stolen data back to the attacker's command-and-control servers.