Shodan: Malware-Hunter

Shodan is a popular tool among security researchers that scans the internet looking for open ports belonging to connected devices.

In 2017, Shodan partnered with Recorded Future to proactively look for command & control (C2) servers for botnets, specifically for remote access trojans.

Before we start, here are some definitions you should know:

  • Botnet – A botnet is a collection of internet-connected devices that are infected and controlled by a common type of malware, usually a RAT.
  • Remote Access Trojan – A RAT is a malicious program that includes a back door for administrative control over the target computer.
  • Command-and-control servers (C&C or C2 servers) – Centralized machines that control the bots (computers, smart appliances or smartphones).

What is Malware Hunter?

Malware Hunter is a specialized Shodan tool that crawls the Internet looking for command & control servers for botnets.

It does this by pretending to be an infected client that’s reporting back to a C2 server. Since we don’t know where the C2s are located, the crawler effectively reports back to every IP on the Internet as if the target IP is a C2. If the crawler gets a positive response from the IP then we know that it’s a C2.

Why did my security controls raise an alert?

Malware Hunter doesn’t perform any attacks and the requests it sends don’t contain any malicious content. Your security appliance raised an alert because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress).

In other words: the security product is using a signature that was meant to detect when a computer on your network was infected and reporting back to a C2. However, the signature is also being applied to all traffic going into your network, which is why it’s raising a false alert.

Source for Threat Intelligence

When Shodan is discovering ports, the tool returns banner information that is highly useful when identifying RAT controllers. RATs return specific strings when a proper request is presented on the RAT controller listening port. In most cases, a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that it’s a RAT controller.

As a security researcher or analyst, you can find these malicious C2 servers using the search term ‘category:malware’. This search returns all of the hosts that Malware-Hunter has found to respond to its signatures, effectively confirming they are C2 servers.

As the image above shows, on September 12, 2019, there were 417 hosts scanned matching various virus signatures such as the njRAT trojan.

You can export the data into CSV, JSON, or XML format and feed this into your SIEM or monitoring tool to configure alarms to trigger when any traffic to or from these machines is detected in logs.

The data includes: IP, Banner, Timestamp of scan, Hostname, Location, OS, & Organization

Moreover, network administrators can proactively import this list into their perimeter firewall block list, which would block phishing campaigns before they start.
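
One way to apply the exported list to flow logs, as an added example that is not part of the original article. The export and log lines are constructed, and the field names `ip_str`, `port` and `product`, the log layout and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
import json

# Constructed sample of a Shodan JSON export, one banner per line (assumed field names).
SHODAN_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 1177, "product": "njRAT", "timestamp": "2019-09-12T08:15:00"}
{"ip_str": "198.51.100.7", "port": 5552, "product": "njRAT", "timestamp": "2019-09-12T09:02:11"}
"""
# Constructed flow log lines: time src_ip src_port dst_ip dst_port
FLOW_LOG = """\
2019-09-13T10:00:01 10.0.0.23 49512 203.0.113.10 1177
2019-09-13T10:00:05 10.0.0.40 50111 192.0.2.80 443
2019-09-13T10:01:17 198.51.100.7 40022 10.0.0.5 22
2019-09-13T10:02:30 10.0.0.23 49513 203.0.113.10 8080
"""
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def load_c2_index(export_text):
    """Map each listed C2 IP to the set of ports Shodan saw it answer on."""
    index = {}
    for line in export_text.splitlines():
        if line.strip():
            banner = json.loads(line)
            index.setdefault(banner["ip_str"], set()).add(banner["port"])
    return index


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_alerts(flow_text, c2_index):
    """Return (time, direction, internal_host, c2_ip, confidence) per matching flow."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, _sport, dst, dport = parts
        if dst in c2_index and is_internal(src):
            # Outbound to a listed C2: the internal host may be infected.
            conf = "high" if int(dport) in c2_index[dst] else "medium"
            alerts.append((ts, "egress", src, dst, conf))
        elif src in c2_index and is_internal(dst):
            # Inbound from a listed address: record it, but lower confidence.
            alerts.append((ts, "ingress", dst, src, "low"))
    return alerts
```

Labelling each match with its direction keeps outbound connections from internal hosts, the case the egress signatures were written for, separate from inbound traffic.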

Last updated for accuracy: July 27, 2020.