The results of the scan conducted with the Malware Hunter have been integrated into Shodan.
The researchers have designed specialized crawlers, to scan the Internet looking for computers and devices configured to function as a botnet C&C server by pretending to be infected computer that is reporting back to the command and control server.
The crawlers report to the maintainers of the project every IP address discovered during the scan that provides a response usually associated with a RAT.
“Port scanning tools are often used to identify and count specific services available to the public Internet, and using these same tools to identify and profile RATs is advantageous both for law enforcement and operational defenders.”
“RATs return specific responses (strings) when a proper request is presented on the RAT controller’s listener port,” state the report published by Recorded Future.
“In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question.”
According to the researchers, the Malware Hunter service has already found more than 5,700 Malicious C&C Servers, 18 of them located in my country, Italy.
To see Malware Hunter results, log in the Shodan service and search for ‘category:malware‘.
“Shodan’s signatures also include RATs, specifically Black Shades, Dark Comet, njRAT, XtremeRAT, Poison Ivy, and Net Bus. Thus Shodan is a valuable and useful originating intelligence source for identifying live RAT controllers. While the number of results varies, Shodan typically identifies between 400 and 600 individual RAT controllers on any given day. The results from September 18, 2015, can be downloaded from Recorded Future’s GitHub page” continues the report.
Enjoy the service.
(Security Affairs – Malware Hunter, Shodan)