Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Botnet Security The Internet

New Shodan Tool Tracks Down Botnet Command-And-Control Servers ( 11

An anonymous reader quotes The Stack: Search engine Shodan has announced a tool to help businesses hunt out and block traffic from malware command-and-control servers. The new Malware Hunter service, which has been designed in a collaborative project with threat intelligence company Recorded Future, continuously scans the internet to locate control panels for different remote access Trojans, including Gh0st RAT, Dark Comet, njRAT, XtremeRAT, Net Bus and Poison Ivy. The internet crawler identifies botnet C2 servers by connecting to public IP addresses and sending traffic which mimics that of an infected device. If the receiver computer sends back a response, that server is flagged.
The article reports that Shodan's Malware Hunter tool has already traced over 5,700 RAT servers -- more than 4,000 of them based in the United States.
This discussion has been archived. No new comments can be posted.

New Shodan Tool Tracks Down Botnet Command-And-Control Servers

Comments Filter:
  • The question is probably unanswerable, but I would be curious to know what fraction of all of the C2 servers have they identified.

    • by Zocalo ( 252965 ) on Saturday May 06, 2017 @06:05PM (#54369013) Homepage
      If you limit the C2 servers to those which they are actually capable of detecting, then probably close to 100% of those hosted on IPv4 addresses. They are currently looking for 10 different RATs, and it isn't going to take Shodan all that long to scan the entire IPv4 space given the number of scanners they run and how long it will take to probe each IP that is listening on the relevant port(s). The only thing that is really going to limit things is that it's not too hard to identify scanners like Shodan's and blacklist them, although I doubt many C2 server operators would have thought to do that and, even if they had, there are an awful lot of such scanners out there, and not all of them are on static IPs - transient hosts at VPS providers are used heavily as well.

      The real question is, now that these C2 servers have been identified - and will continue to be identified when they get relocated to alternative providers - how reactive the ISPs that are hosting them are going to be in getting them shut down. I suspect several of the "usual suspects" amongst the C2 hosting ISPs on the Shodan list are going to fail quite badly in that regard, but that's all for the good; if this results in concentrating more of the C2 servers into a smaller number of "bullet proof" hosting providers, then the case for a responsible ISP simply adding the relevant AS to a DROP list becomes *sooo* much easier to justify.
  • Probably is a easier way to find bot servers, simply raid NSA and CIA computer centres. They have been exposed for the games they are playing.

"Call immediately. Time is running out. We both need to do something monstrous before we die." -- Message from Ralph Steadman to Hunter Thompson