UPDATED 00:03 EDT / MAY 03 2017

INFRA

New Shodan search service tracks down malware command-and-control servers

Internet of Things search engine provider Shodan and threat intelligence firm Recorded Future Inc. have teamed up to produce a new tool that allows security vendors, companies and independent researchers to identify devices that act as botnet command-and-control servers.

Called Malware Hunter, the tool crawls the Internet for computers acting as remote access trojan (RAT) command-and-control servers, the machines that remotely control malware-infected devices. Attackers use C&C servers to tell malware installations what to do. In the case of a botnet built for distributed denial-of-service attacks, for example, the C&C server supplies the list of sites to be targeted.

Malware Hunter is claimed to level the playing field by scanning the Internet for the computers being used as RAT controllers. With that information, defenders can identify which malware family is in use, block access to the C&C server at the network level, or even work to take the whole botnet down.

Where Malware Hunter changes the game in malware detection is that it lets security researchers search proactively for C&C servers. Existing detection methods are “passive”: they rely on honeypots and on processing malware samples after those samples have already been collected.

The tool acts as a crawler that impersonates an infected client reporting in to a C&C server. Because the crawler does not know where the controllers are, it sends the RAT's client check-in to every IP address on the Internet; when a host answers with the response a genuine controller would give, that IP address is recorded as a C&C server. “Server” here means any device acting as a controller, so it covers not only physical servers but also IoT devices such as routers and webcams that could be hosting C&C functions.
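The check-in-and-match loop described above, in miniature, as an added example that is not Shodan's or Recorded Future's code. It impersonates an infected client, sends a family-specific beacon, and flags a host as a controller only when the reply carries that family's expected signature; a host that answers with the wrong banner, or not at all, is not counted. The two RAT "families", their beacons and their reply prefixes are constructed for this example and are not the real Dark Comet, njRAT, Poison Ivy or Gh0st wire formats; the listeners are throwaway local sockets standing in for Internet hosts.

```python
"""Active RAT-controller fingerprinting, in miniature (added example).

All protocol bytes below are constructed for the demo; they are NOT the
real wire formats of any RAT named in the article.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RatSignature:
    family: str
    beacon: bytes         # what an infected client sends on connect
    reply_prefix: bytes   # what a genuine controller answers with


# Hypothetical signatures, constructed for this example.
SIGNATURES: List[RatSignature] = [
    RatSignature("example-rat-a", b"HELLO\x01\x00", b"ACK\x01"),
    RatSignature("example-rat-b", b"ID|victim-pc|user|0\n", b"CMD|"),
]


def probe_host(host: str, port: int,
               signatures: List[RatSignature] = SIGNATURES,
               timeout: float = 2.0) -> Optional[str]:
    """Return the RAT family whose controller answered at host:port, or None.

    Each beacon gets its own TCP connection: a controller typically drops a
    client that opens with the wrong handshake, so reusing one socket would
    hide later matches.
    """
    for sig in signatures:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(sig.beacon)
                reply = s.recv(256)          # b"" if the peer just closed
        except OSError:                      # refused, reset or timed out
            continue
        if reply.startswith(sig.reply_prefix):
            return sig.family
    return None


def serve(replies: Dict[bytes, bytes]) -> Tuple[str, int]:
    """Start a throwaway listener on 127.0.0.1 that answers only the beacons
    it knows and silently closes everything else (constructed stand-in for a
    controller, or for a benign service that happens to talk back)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    data = conn.recv(256)
                    if data in replies:
                        conn.sendall(replies[data])
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def demo() -> Dict[str, Optional[str]]:
    """Probe four constructed targets and report what each was classified as."""
    controller_a = serve({b"HELLO\x01\x00": b"ACK\x01\x00\x00"})
    controller_b = serve({b"ID|victim-pc|user|0\n": b"CMD|sleep|30\n"})
    # Answers the first beacon, but with a mail-style banner, not the signature.
    benign = serve({b"HELLO\x01\x00": b"220 mail.example ESMTP\r\n"})
    # Grab a free port and release it so the connection is refused.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return {
        "controller-a": probe_host(*controller_a),
        "controller-b": probe_host(*controller_b),
        "benign": probe_host(*benign),
        "closed": probe_host("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    print(demo())
```

The signature check is what keeps the scan honest: any service will accept a TCP connection, and many will send something back, so "got a reply" alone would flag mail servers and echo services as controllers. Scaled up, the same loop runs over the whole IPv4 space rather than four local ports, and a match is the point at which the IP address is worth cross-correlating with sample feeds and other intelligence.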

In testing, Malware Hunter has already been successful in identifying more than 3,000 C&C servers operating 10 separate kinds of trojans, including Dark Comet, njRAT, Poison Ivy and Gh0st.

“This methodology is the first to use Shodan to locate RAT controllers before the malware samples are found,” Recorded Future Vice President Levi Gundert said in a statement. “By doing it this way — signature scans for RAT controller IP addresses, observing malware through our API and cross-correlating it with a variety of sources — we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims.”

Results from the tool can be searched on the Malware Hunter website at no cost, though a free Shodan account is required.

Photo: Christiaan Colen/Flickr
