Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Shodan Tool Tracks Down Botnet Command-And-Control Servers (thestack.com)

Posted by EditorDavid on from the malware-search-engines dept.

An anonymous reader quotes The Stack: Search engine Shodan has announced a tool to help businesses hunt out and block traffic from malware command-and-control servers. The new Malware Hunter service, which has been designed in a collaborative project with threat intelligence company Recorded Future, continuously scans the internet to locate control panels for different remote access Trojans, including Gh0st RAT, Dark Comet, njRAT, XtremeRAT, Net Bus and Poison Ivy. The internet crawler identifies botnet C2 servers by connecting to public IP addresses and sending traffic which mimics that of an infected device. If the receiver computer sends back a response, that server is flagged.
The article reports that Shodan's Malware Hunter tool has already traced over 5,700 RAT servers -- more than 4,000 of them based in the United States.

11 comments

  1. Reverse Shibboleth by Anonymous Coward · · Score: 0

    Very clever, now evil-doers will have to keep track of devices they infect if they want to not be caught, which makes it even easier to prosecute when they are.

  2. The question is... by toonces33 · · Score: 1

    The question is probably unanswerable, but I would be curious to know what fraction of all of the C2 servers have they identified.

    1. Re:The question is... by Zocalo · · Score: 4, Interesting

      If you limit the C2 servers to those which they are actually capable of detecting, then probably close to 100% of those hosted on IPv4 addresses. They are currently looking for 10 different RATs, and it isn't going to take Shodan all that long to scan the entire IPv4 space given the number of scanners they run and how long it will take to probe each IP that is listening on the relevant port(s). The only thing that is really going to limit things is that it's not too hard to identify scanners like Shodan's and blacklist them, although I doubt many C2 server operators would have thought to do that and, even if they had, there are an awful lot of such scanners out there, and not all of them are on static IPs - transient hosts at VPS providers are used heavily as well.

      The real question is, now that these C2 servers have been identified - and will continue to be identified when they get relocated to alternative providers - how reactive the ISPs that are hosting them are going to be in getting them shut down. I suspect several of the "usual suspects" amongst the C2 hosting ISPs on the Shodan list are going to fail quite badly in that regard, but that's all for the good; if this results in concentrating more of the C2 servers into a smaller number of "bullet proof" hosting providers, then the case for a responsible ISP simply adding the relevant AS to a DROP list becomes *sooo* much easier to justify.

      --
      UNIX? They're not even circumcised! Savages!
  3. Just two questions by Anonymous Coward · · Score: -1

    1) Are the operators of these botnet servers in jail yet ?

    2) And if not, why ?

    1. Re: Just two questions by Anonymous Coward · · Score: 0

      1. No
      2. Nobody knows who they are. Once identified they will be in prison for a long time. The whole point of a botnet is to hide yourself and amplify your attacks.

      Maybe you should read more before you start getting inflammatory acting like it's our fault that bad people exist.

    2. Re: Just two questions by arth1 · · Score: 1

      prison != jail
      Hopefully, none of them go to prison without due process.

      Maybe you should read more before you start getting inflammatory

      That's the pot calling the kettle black.

    3. Re: Just two questions by Z00L00K · · Score: 2

      Which highlights that the goal should be to identify the control server operators and take them out permanently.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  4. depends by Anonymous Coward · · Score: 0

    If they ban a bot and I see the "magic bits" they're looking for. I just command everything to respond that way. Besides banning a bunch of IoT devices or home routers does jack dick when most of my servers are just hijack SQL servers on big name connections.

    I don't want your online banking info, the fact that Zeus never patched that RFI should tell you that.

  5. People still use Netbus? by Anonymous Coward · · Score: 0

    Moreover, people still get infected with Netbus? I remember playing with that (alongside Back Orifice and SubSeven) almost 20 years ago.

  6. Easier Way to Find Them by rtb61 · · Score: 1

    Probably is a easier way to find bot servers, simply raid NSA and CIA computer centres. They have been exposed for the games they are playing.

    --
    Chaos - everything, everywhere, everywhen
    1. Re: Easier Way to Find Them by Anonymous Coward · · Score: 0

      Seems easy enough, just have to take down som armed guards first - and then have a team taking out cops as they arrive?