Malware Hunter: Find C&C servers for botnets

Recorded Future and Shodan released Malware Hunter, a specialized crawler for security researchers that explores the Internet to find computers acting as remote access trojan (RAT) command and control centers.

What Malware Hunter does

Malware Hunter unearths computers hosting RAT controller software that remotely controls malware-infected computers and instructs them to execute malicious activities such as recording audio, video, and keystrokes on a victim’s machine. Using command and control servers, attackers can launch widescale attacks on thousands of computers at once and hide their tracks.

Malware Hunter levels the playing field by scanning the Internet for the computers being used as RAT controllers, providing valuable information to researchers about the malware and attackers so malicious campaigns can be shut down quickly.

Port scans for Internet-connected devices

Until now, the security community has relied on passive malware collection methods, such as honeypots, malware processing, and aggregation services like VirusTotal, to identify RAT families and campaigns.

Shodan and Recorded Future developed a technique which enables port scans for Internet-connected devices including servers, routers, webcams, and any port listening device so researchers can find the infected computers more quickly and stop campaigns before they can advance.

Information from Shodan feeds into Recorded Future’s API, which provides confirmation and data enrichment from open, closed, and technical sources for an analysis of the threats. This methodology has identified thousands of RAT controllers, including a global installation of GhostRAT controllers, since the hunting project was created with Shodan in 2015.

“This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,” said Levi Gundert, vice president of intelligence and strategy at Recorded Future. “By doing it this way — signature scans for RAT controller IP addresses, observing malware through our API, and cross-correlating it with a variety of sources — we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims.”