Shodan and Recorded Future announced the launch of Malware Hunter on Tuesday. The website is a crawler developed to help identify machines which are used as botnet command and control (C&C) servers.
The companies have been working on the free service since 2015. The project originally focused on identifying C&C servers used by remote access Trojans (RATs). Malware Hunter still specializes in tracking RATs. However, the developers have included other properties to make the crawler able to detect all kinds of threats.
To discover threats, Malware Hunter conducts Internet-wide port scans. The service tries to identify servers, routers, webcams and other devices which communicate with RATs and other malware. The crawler differs from traditional honeypots, which tend to be passive: Malware Hunter follows a defined strategy. In an attempt to identify malicious systems, it pretends to be an infected client and reports back to every IP address on the Internet, the way an infected client would report back to its C&C server.
The service collects scan information from Shodan and sends it to Recorded Future’s API. Malware Hunter works to provide a comprehensive analysis which can help identify threats, so that security experts can terminate the malicious operations quickly.
An early report from Shodan shows that Malware Hunter has already identified more than 3,000 C&C servers. The company revealed that the malicious servers are associated with over 10 RAT families, including Dark Comet, Poison Ivy, Gh0st RAT and njRAT.
“This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,” commented Levi Gundert, Vice President of intelligence and strategy at Recorded Future. “By doing it this way – signature scans for RAT controller IP addresses, observing malware through our API and cross-correlating it with a variety of sources – we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims”.