How Does Malware Hunter Identify a C&C Server?

"RATs return specific responses (strings) when a proper request is presented on the RAT controller's listener port," according to a 15-page report [PDF] published by Recorded Future.

"In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question."
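The request-and-response fingerprinting described in the quoted report, modelled as an added example (not Recorded Future's or Shodan's code). The two signatures and the local stand-in controller are constructed placeholders, not real RAT protocol strings; it only shows the mechanism: connect, optionally send the request an implant would send, and classify whatever comes back, including the case where the handshake alone produces a banner.

```python
"""Toy model of a C&C fingerprinting crawler (constructed example)."""
import socket
import socketserver
import threading
from typing import Optional, Tuple

# family -> (request to send, expected response prefix).
# HYPOTHETICAL values, not signatures of any real RAT controller.
FINGERPRINTS = {
    "banner-on-connect RAT": (b"", b"HYPOTHETICAL-PANEL-BANNER"),
    "request-response RAT": (b"HELLO-IMPLANT\n", b"HYPOTHETICAL-PANEL-ACK"),
}

def classify(response: bytes) -> Optional[str]:
    """Return the family whose known response prefix matches, else None."""
    for family, (_, expected) in FINGERPRINTS.items():
        if response.startswith(expected):
            return family
    return None

def probe(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Try each family's request against host:port and classify the reply."""
    for family, (request, _) in FINGERPRINTS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if request:          # empty request = rely on the handshake alone
                    s.sendall(request)
                data = s.recv(1024)  # silence (timeout) means "not this family"
        except OSError:
            continue
        match = classify(data)
        if match:
            return match
    return None

class FakeController(socketserver.BaseRequestHandler):
    """Local stand-in for a controller listener, used only to exercise probe()."""
    def handle(self):
        if self.server.mode == "banner":          # replies as soon as we connect
            self.request.sendall(b"HYPOTHETICAL-PANEL-BANNER v1\n")
        elif self.request.recv(1024).startswith(b"HELLO-IMPLANT"):
            self.request.sendall(b"HYPOTHETICAL-PANEL-ACK\n")

def start_fake_controller(mode: str) -> Tuple[socketserver.TCPServer, int]:
    """Start a FakeController on a free loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeController)
    srv.mode = mode
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```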

Malware Hunter Already Identified Over 5,700 Malicious C&C Servers

Malware Hunter has already identified over 5,700 command-and-control servers around the world. The top three countries hosting command-and-control servers are the United States (72%), Hong Kong (12%) and China (5.2%). Five popular Remote Access Trojans (RATs) in wide use account for the findings: Gh0st RAT (93.5%) and DarkComet (3.7%), along with a few servers belonging to njRAT, ZeroAccess, and XtremeRAT. Shodan is also able to identify C&C servers for BlackShades, Poison Ivy, and NetBus.

Rapidly growing numbers of insecure internet-connected devices are becoming an albatross around the necks of individuals and organizations, with malware authors routinely hacking them to form botnets that can be further used as weapons in DDoS and other cyber attacks.

But now finding the malicious servers, hosted by attackers, that control botnets of infected machines gets a bit easier, thanks to Shodan and Recorded Future.

Shodan and Recorded Future have teamed up and launched Malware Hunter, a crawler that scans the Internet regularly to identify botnet command-and-control (C&C) servers for various malware and botnets.

Command-and-control servers are centralized machines that control the bots, typically computers infected with Remote Access Trojans or data-stealing malware, by sending commands and receiving data.

Malware Hunter results have been integrated into Shodan, a search engine designed to gather and list information about all types of Internet-connected devices and systems.

You might be wondering how Malware Hunter gets to know which IP address is being used to host a malicious C&C server.

For this, Shodan has deployed specialized crawlers that scan the whole Internet looking for computers and devices configured to function as a botnet C&C server, by pretending to be an infected computer that is reporting back to the command-and-control server.

The crawler effectively reports back to every IP address on the Web as if the target IP were a C&C server, and if it gets a positive response, it knows the IP is a malicious C&C server.

We gave it a try and found impressive results, briefly mentioned below:

To see the results, all you have to do is search for "category:malware" (without the quotes) on the Shodan website.

Malware Hunter aims at making it easier for security researchers to identify newly hosted C&C servers, even before having access to the respective malware samples.

This intelligence gathering would also help anti-virus vendors identify undetectable malware and prevent it from sending your stolen data back to the attacker's command-and-control servers.