Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Shodan Tool Tracks Down Botnet Command-And-Control Servers (thestack.com)

Posted by EditorDavid on from the malware-search-engines dept.

An anonymous reader quotes The Stack: Search engine Shodan has announced a tool to help businesses hunt out and block traffic from malware command-and-control servers. The new Malware Hunter service, which has been designed in a collaborative project with threat intelligence company Recorded Future, continuously scans the internet to locate control panels for different remote access Trojans, including Gh0st RAT, Dark Comet, njRAT, XtremeRAT, Net Bus and Poison Ivy. The internet crawler identifies botnet C2 servers by connecting to public IP addresses and sending traffic which mimics that of an infected device. If the receiver computer sends back a response, that server is flagged.
The article reports that Shodan's Malware Hunter tool has already traced over 5,700 RAT servers -- more than 4,000 of them based in the United States.

5 of 11 comments (clear)

  1. The question is... by toonces33 · · Score: 1

    The question is probably unanswerable, but I would be curious to know what fraction of all of the C2 servers have they identified.

    1. Re:The question is... by Zocalo · · Score: 4, Interesting

      If you limit the C2 servers to those which they are actually capable of detecting, then probably close to 100% of those hosted on IPv4 addresses. They are currently looking for 10 different RATs, and it isn't going to take Shodan all that long to scan the entire IPv4 space given the number of scanners they run and how long it will take to probe each IP that is listening on the relevant port(s). The only thing that is really going to limit things is that it's not too hard to identify scanners like Shodan's and blacklist them, although I doubt many C2 server operators would have thought to do that and, even if they had, there are an awful lot of such scanners out there, and not all of them are on static IPs - transient hosts at VPS providers are used heavily as well.

      The real question is, now that these C2 servers have been identified - and will continue to be identified when they get relocated to alternative providers - how reactive the ISPs that are hosting them are going to be in getting them shut down. I suspect several of the "usual suspects" amongst the C2 hosting ISPs on the Shodan list are going to fail quite badly in that regard, but that's all for the good; if this results in concentrating more of the C2 servers into a smaller number of "bullet proof" hosting providers, then the case for a responsible ISP simply adding the relevant AS to a DROP list becomes *sooo* much easier to justify.

      --
      UNIX? They're not even circumcised! Savages!
  2. Easier Way to Find Them by rtb61 · · Score: 1

    Probably is a easier way to find bot servers, simply raid NSA and CIA computer centres. They have been exposed for the games they are playing.

    --
    Chaos - everything, everywhere, everywhen
  3. Re: Just two questions by arth1 · · Score: 1

    prison != jail
    Hopefully, none of them go to prison without due process.

    Maybe you should read more before you start getting inflammatory

    That's the pot calling the kettle black.

  4. Re: Just two questions by Z00L00K · · Score: 2

    Which highlights that the goal should be to identify the control server operators and take them out permanently.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.