Shodan and Recorded Future Release Malware Hunter
Security Researchers Can Easily Discover Computers Controlling Remote Access Trojans With New Specialized Crawler
BOSTON, May 2, 2017 /PRNewswire/ — Recorded Future, the threat intelligence company, and internet search engine Shodan announced today a specialized crawler for security researchers that explores the internet to find computers acting as remote access trojan (RAT) command and control centers. The crawler, dubbed Malware Hunter, provides valuable information that researchers can use to proactively identify and defend against these threats.
Malware Hunter unearths computers hosting RAT controller software that remotely controls malware-infected computers and instructs them to execute malicious activities such as recording audio, video, and keystrokes on a victim’s machine. Using command and control servers, attackers can launch widescale attacks on thousands of computers at once and hide their tracks. Malware Hunter levels the playing field by scanning the internet for the computers being used as RAT controllers, providing valuable information to researchers about the malware and attackers so malicious campaigns can be shut down quickly.
Until now, the security community has relied on passive malware collection methods, such as honeypots, malware processing, and aggregation services like VirusTotal, to identify RAT families and campaigns. Shodan and Recorded Future developed a technique which enables port scans for internet-connected devices including servers, routers, webcams, and any port listening device so researchers can find the infected computers more quickly and stop campaigns before they can advance. Information from Shodan feeds into Recorded Future’s API, which provides confirmation and data enrichment from open, closed, and technical sources for a more comprehensive analysis of the threats. This methodology has identified thousands of RAT controllers, including a massive global installation of GhostRAT controllers, since the hunting project was created with Shodan in 2015.
“The capabilities that Malware Hunter brings to security researchers and threat analysts will greatly help the community’s ability to track RAT family proliferation and other attacks and prevent them from taking the internet hostage,” said John Matherly, founder of Shodan. “We’re excited to be partnering with Recorded Future on this important project.”
Under this unprecedented Shodan partnership, Recorded Future provides RAT controller probes that Shodan uses to scan the internet at scale and record IP addresses that match known RAT signatures. Using this novel method, they’ve identified a number of RAT controller families, including Dark Comet, njRAT, Poison Ivy, and most recently Gh0st RAT controllers.
“This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,” said Levi Gundert, vice president of intelligence and strategy at Recorded Future. “By doing it this way — signature scans for RAT controller IP addresses, observing malware through our API, and cross-correlating it with a variety of sources — we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims.”
For more information on Malware Hunter and how it works, visit: malware-hunter.shodan.io.
Shodan is the world’s first search engine for Internet-connected devices. We provide tools to help organizations keep track of their Internet-facing network assets, gain historical insights and obtain market intelligence. Shodan has developed specialized Internet crawlers to discover devices ranging from Minecraft video game servers to nuclear power plants. Discover the possibilities at www.shodan.io and connect with us on Twitter at @shodanhq.
About Recorded Future
Recorded Future delivers threat intelligence powered by machine learning, arming you to significantly lower risk. We enable you to connect the dots to rapidly reveal unknown threats before they impact your business, and empower you to respond to security alerts 10 times faster. Unlike “boiler rooms” of human analysts working manually, our patented technology automatically collects and analyzes intelligence from technical, open, and dark web sources. Recorded Future delivers radically more context than threat feeds alone, updates in real time so intelligence stays relevant, and packages information ready for human analysis or instant integration with your existing security technology. Learn more at www.recordedfuture.com. Follow us on Twitter at @RecordedFuture.