“Shodan”, the search engine for internet-connected devices, and cybersecurity research firm “Recorded Future” have jointly launched a new online tool named Malware Hunter.

Malware Hunter is a specialized crawler that scans the Internet to find command & control (C&C) servers for botnets.

Command-and-control (C&C) servers are centralized machines that control computers or devices (bots) infected with malware (a Remote Access Trojan, or RAT) and remotely instruct them to carry out malicious activities. Using C&C servers, attackers can launch wide-scale attacks from thousands of infected computers (bots) at once and hide their tracks.

Malware Hunter employs RAT controller probes to scan across the internet and flag IP addresses that match known RAT signatures. So far they’ve identified a number of RAT controller families including Dark Comet, njRAT, Poison Ivy, and most recently Gh0st RAT controllers.

How Malware Hunter Works

To identify Command and Control (C&C) servers, Malware Hunter acts as an infected client that is reporting back to a C&C server. The crawler effectively reports back to every IP on the Internet as if the target IP were a C&C server. If the crawler gets a positive response from an IP, it flags that IP as a C&C server.

Port scanning tools are often used to identify open ports and discover the services available on a host connected to the Internet. Malware Hunter port-scans internet-connected devices, including servers, routers, webcams, and any other device listening on a port, to identify and profile RAT C&C servers. During a port scan, the scanning tools return daemon banner information, which is highly useful for identifying RAT controllers.

‘RATs return specific responses (strings) when a proper request is presented on the RAT controller’s listener port. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer.’ (L. Gundert, 2017, Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy)

According to Recorded Future, to profile a RAT family, Malware Hunter analyses RAT controller responses in packet captures (PCAP) of network traffic generated by the malware (RAT) and derives a digital fingerprint of the RAT, which is then used with an internet scanner to identify live instances of RAT controllers.

For example, one version of a ubiquitous RAT returns a “0” subsequent to an HTTP GET method.

[Figure: Malware Hunter PCAP. RAT returns a “0” subsequent to an HTTP GET method.]

Enumeration of a /20 subnet in Palestine with MASSCAN reveals a signature match with a specific host on port 1177.

[Figure: Malware Hunter port scan. A signature match with a specific host on port 1177.]

Traditionally, security researchers have relied on passive malware collection methodologies, such as honeypots, malware processing, and aggregation services like VirusTotal, to identify various RAT families and campaigns. Though these techniques are quite effective, it is difficult to quickly and proactively identify all live instances of a specific RAT campaign with them. Now Malware Hunter can help security researchers find infected computers more quickly and enable proactive defences that stop RAT campaigns before they can advance.
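The fingerprint-then-hunt workflow described above, as an added example that is not Shodan's or Recorded Future's code: scan responses are matched against a controller fingerprint, and the flagged listeners are then looked up in egress logs to find internal clients that contacted them. Only the “0” reply to an HTTP GET and port 1177 come from the article; the family label, the scan records, the whole-response match rule and the firewall log format are constructed assumptions.

```python
import re
from typing import NamedTuple

class Signature(NamedTuple):
    name: str        # placeholder label; the article does not name the family
    probe: str       # request the scanner sent
    response: bytes  # raw bytes a controller answers with

# From the article: one RAT version returns "0" after an HTTP GET.
# Assumption: the match is on the whole raw response, not a substring.
SIGNATURES = [Signature("rat-family-placeholder", "http-get", b"0")]

# Constructed scan records (documentation address space): ip, port, probe, response.
SCAN_RECORDS = [
    ("203.0.113.10", 1177, "http-get", b"0"),
    ("203.0.113.11", 80, "http-get", b"HTTP/1.1 200 OK\r\nContent-Length: 1\r\n\r\n0"),
    ("203.0.113.12", 1177, "http-get", b""),      # port open, no reply
    ("203.0.113.13", 1177, "tcp-connect", b"0"),  # reply to a different probe
]

# Constructed egress firewall log lines; the format is hypothetical.
EGRESS_LOG = """\
2017-05-02T10:15:01Z ALLOW tcp 10.0.4.23:49812 -> 203.0.113.10:1177
2017-05-02T10:15:07Z ALLOW tcp 10.0.4.40:50233 -> 203.0.113.11:80
2017-05-02T10:16:30Z DENY tcp 10.0.7.9:51002 -> 203.0.113.10:1177
2017-05-02T10:17:12Z ALLOW tcp 10.0.4.23:49901 -> 203.0.113.10:443
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) tcp ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def match_controllers(records, signatures):
    """Return {(ip, port): signature name} for responses that equal a fingerprint."""
    hits = {}
    for ip, port, probe, response in records:
        for sig in signatures:
            if probe == sig.probe and response.strip() == sig.response:
                hits[(ip, port)] = sig.name
    return hits

def clients_of(controllers, log_lines):
    """Return sorted (client, action, controller ip, port) for flows to flagged listeners."""
    found = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and (m.group(4), int(m.group(5))) in controllers:
            found.add((m.group(3), m.group(2), m.group(4), int(m.group(5))))
    return sorted(found)

if __name__ == "__main__":
    for hit in clients_of(match_controllers(SCAN_RECORDS, SIGNATURES), EGRESS_LOG):
        print(hit)
```

A web server whose HTTP body happens to be “0” is not flagged because the whole raw response is compared, and a client that reached the same IP on a different port is not reported because the lookup is on the (IP, port) pair.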