Now Shodan can find Malware Command and Control Servers

A threat Intelligence Company, Recorded Future, and Internet search engine Shodan announced today that a specialized crawler for security researchers exploring the internet to find computers acting as RAT (Remote Access Trojan) command and control centers. The crawler dubbed as Malware Hunter, provides valuable information which researchers can use to proactively detect and defend against these threats.

The new Malware Hunter crawler revealed today, is the result of a project which started in 2015 by Recorded Future and Shodan which roots out RAT operations by detecting computers on the Internet which are serving as RAT C2s (command-and-controllers) in botnets. Darkreading.com posted on May 2nd, 2017, stating that it is a substitute to the traditional, more passive collection approach of honeypots, VirusTotal and some malware analysis, to finish cybercrime and cyber espionage malware attacks.

Malware Hunter is driven by technologies from Recorded Future and Shodan. For its part, Shodan is providing the skill to quickly and efficiently investigate every IP address on the Internet whereas Recorded Future is contributing the technical information required to imitate infected computers (malware bots).

Shodan itself mainly crawls the Internet for publicly accessible computers and devices and is a popular tool among security researchers. John Matherly who is the founder of Shodan, started the search engine in 2009 as an open-source project for searching devices on the internet.

With help from Recorded Future, the security firm, crawler digs nearby and around internet for C2 (command and control) servers of RATs.

The computers are infected with malware by these Trojans, which enables recording from microphone, webcam, as well as record keystrokes of the device by malware controller.

Matherly explains that Malware Hunter poses as a newly infected client machine at the time of searching the Internet for command-and-control servers and makes rooting out C2s much quicker than passive methods.

As per Shodan, crawler poses as an infected client which reports back to C2 (command and control) server. All the IP address is ping on internet by the crawler for asking, as it does not know the server that is working malware controller. When it will get working response, at that time it understands that this IP address is C2 server.

» SPAMfighter News - 5/5/2017