A new crawler released today by Shodan designed to find command and control servers has already unearthed 5,800 controllers for more than 10 remote access Trojan (RAT) families.
The crawler, called Malware Hunter, poses as an infected computer beaconing out to an attacker’s server waiting for additional commands or malware downloads. Unlike passive honeypots and sinkholes, Malware Hunter is actively seeking responses from C2 servers by pretending to be a newly infected machine sending out a callback with system information.
Shodan has already integrated the free crawler’s results into its searches, and partner Recorded Future has the data fed to its API and provides its customers with additional context around the threats.
Shodan’s search engine is a favorite among security researchers; it scans the internet looking for open ports belonging to connected devices, including servers, routers and IoT devices. Malware Hunter, Shodan said, beacons out to every IP address as if it were a command and control server, and anything that responds is considered a C2 controller.
“What Shodan collects is a positive response,” said Shodan creator John Matherly. “All we’re saying is that based on our technology, we determined this looks like a C2. We don’t probe. We don’t want to send unnecessary amounts of traffic to the C2; we don’t want to tip them off. We just want to flag it and forward it to other organizations that are better doing forensic and investigative work.”
Recorded Future and Shodan have been working for two years on this project and to date, it’s found thousands of controllers for more than 10 RAT families, including Gh0st RAT, njRAT and Dark Comet, notorious cybercrime and espionage tools.
Gh0st RAT, in particular, caught the researchers’ attention given that it has primarily been a nation-state tool in APT attacks against government agencies, activists and other political targets.
“We’ve found more than we expected,” said Daniel Hatheway, senior technical analyst at Recorded Future. “Especially on Gh0st RAT, which was shocking to us. We didn’t think it was as prevalent any more. We didn’t expect the number to be quite as high as it was.”
The project decided to focus on detecting RAT command and control servers first, but it has also dredged up other types of malware, including instances of the ZeroAccess Trojan. The ZeroAccess botnet has in the past been responsible for spreading information-stealing and click-fraud malware.
“It was easy to develop a proof of concept for RATs; it’s a straightforward interaction,” Matherly said. “You get a lot of bang for your buck in terms of how much effort it takes to find RATs.”
The 10-plus signatures in use already ferret out behaviors that snare new versions of RATs.
“We may not know it’s a new version right away,” Matherly said, “but it elicits a response from a C2.”
Users with a free Shodan account will have access to an overview of the results generated by Malware Hunter. Recorded Future has integrated the results into its products along with other analysis providing additional context around a detection.
The results, meanwhile, would have value to researchers and network admins alike.
“A network admin could actually dump that list (of results) and be pretty confident they could block everything out of the gate,” Hatheway said, adding that something like this would proactively block phishing sites before campaigns are even launched.
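As an added illustration, not code from Shodan or Recorded Future, here is how an administrator might match a dump of Malware Hunter-style results against outbound connection logs instead of blocking blindly; the detections, log lines and the assumed ip/port/family layout are all constructed. Matching on port as well as address reflects Matherly’s caveat that a flag means “this looks like a C2”, not a confirmed one, so unrelated traffic to a flagged address is not reported as a check-in.

```python
import re
from collections import defaultdict

# Constructed sample of Malware Hunter-style detections (hypothetical values,
# not real Shodan results): flagged address, the port that answered the fake
# beacon, and the RAT family whose signature matched the response.
C2_DETECTIONS = [
    {"ip": "203.0.113.10", "port": 8080, "family": "Gh0st RAT"},
    {"ip": "198.51.100.7", "port": 1177, "family": "njRAT"},
    {"ip": "192.0.2.25", "port": 1604, "family": "DarkComet"},
]

# Constructed outbound-connection log lines in a simple "src -> dst:port" form.
FIREWALL_LOG = """\
2017-05-02T10:01:05Z ALLOW 10.0.0.14 -> 203.0.113.10:8080
2017-05-02T10:01:09Z ALLOW 10.0.0.14 -> 93.184.216.34:443
2017-05-02T10:02:41Z ALLOW 10.0.0.27 -> 198.51.100.7:1177
2017-05-02T10:03:00Z ALLOW 10.0.0.27 -> 192.0.2.25:80
"""

LINE_RE = re.compile(r"^(\S+) \S+ (\S+) -> (\S+):(\d+)$")


def build_index(detections):
    """Map (ip, port) -> family so each log line is a single dict lookup."""
    return {(d["ip"], d["port"]): d["family"] for d in detections}


def match_log(log_text, index):
    """Return hits as (timestamp, src, dst, port, family) tuples.

    Keying on ip AND port keeps a host that reached a flagged address on an
    unrelated port (192.0.2.25:80 above) out of the C2 check-in report."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-connection lines
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        family = index.get((dst, port))
        if family:
            hits.append((ts, src, dst, port, family))
    return hits


def hosts_by_family(hits):
    """Group internal source hosts by RAT family for triage."""
    grouped = defaultdict(set)
    for _, src, _, _, family in hits:
        grouped[family].add(src)
    return {family: sorted(hosts) for family, hosts in grouped.items()}


if __name__ == "__main__":
    for hit in match_log(FIREWALL_LOG, build_index(C2_DETECTIONS)):
        print("possible C2 check-in: %s %s -> %s:%d (%s)" % hit)
```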
“In terms of raw numbers, we feel like it’s been way more than we ever expected to find,” Matherly said. “It’s one of those things where we said ‘Why haven’t we done this sooner?’”