Malware Hunter is the name of a brand new tool created by threat intelligence company Recorded Future and Shodan, the search engine for IoT devices. The tool is in fact an online crawler that locates Command and Control servers so that communications between malware and those servers can be blocked.
Malware Hunter: What Is It and How Does It Work?
Malware Hunter continuously scans the Internet with the purpose of locating control panels for more than 10 remote access Trojans (RATs), such as Gh0st RAT, DarkComet, njRAT, ZeroAccess and XtremeRAT.
In other words, the tool is “a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets.” The tool does so by pretending to be an infected client reporting back to the command & control server.
Because the researchers don’t really know where those servers are located, the tool is designed to report back to every IP on the Internet “as if the target IP is a C2”. A positive response from the IP means that it’s indeed a C2.
So far, Malware Hunter has identified more than 5,700 RAT servers. Interestingly, over 4,000 of them are found in the U.S. The highest number of control panels was associated with Gh0st RAT.
Researchers have outlined the capabilities of this RAT. Gh0st is capable of:
- Taking full control of the remote screen on the infected bot.
- Providing real-time as well as offline keystroke logging.
- Providing a live feed of the webcam and microphone of the infected host.
- Downloading remote binaries onto the infected remote host.
- Taking control of remote shutdown and reboot of the host.
- Disabling the infected computer's remote pointer and keyboard input.
- Entering the shell of the remote infected host with full control.
- Providing a list of all the active processes.
- Clearing all existing SSDT hooks.
Let’s get back to Malware Hunter. The crawler is updated in real time, meaning that security companies and independent researchers can use it in firewalls. It can also be added to other security products with the purpose of blocking malicious traffic. However, blocking traffic to these C2 servers at the network level is not enough on its own, as it can’t prevent attackers from getting access to systems that are already infected.
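As an added illustration of how a defender would consume such a C2 feed (example code written for this page, not part of Malware Hunter or Shodan), the script below loads a constructed indicator list, matches it against constructed firewall log lines to find internal hosts that beaconed to a known RAT control panel, and renders block rules. The feed and log layouts are assumptions; the real export format of the crawler is not described on the page. Hosts whose beacons were already denied are still reported, because a blocked beacon means the host is still infected.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of C2 indicators (ip,port,rat_family). This layout is an
# assumption for the example, not the crawler's actual export format.
C2_FEED = """\
198.51.100.23,443,Gh0st RAT
203.0.113.77,1604,DarkComet
192.0.2.9,5552,njRAT
"""

# Constructed firewall log lines (assumed format: timestamp src dst:port action).
FIREWALL_LOG = """\
2017-05-02T10:01:12Z 10.0.0.15 198.51.100.23:443 ALLOW
2017-05-02T10:01:15Z 10.0.0.15 93.184.216.34:443 ALLOW
2017-05-02T10:02:40Z 10.0.0.42 203.0.113.77:1604 ALLOW
2017-05-02T10:03:01Z 10.0.0.42 203.0.113.77:1604 ALLOW
2017-05-02T10:05:09Z 10.0.0.7 192.0.2.9:5552 DENY
"""

def parse_feed(text):
    """Return {(ip, port): family} from the CSV-style feed, validating each IP."""
    feed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, port, family = [f.strip() for f in line.split(",", 2)]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        feed[(ip, int(port))] = family
    return feed

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (ALLOW|DENY)$")

def find_beaconing_hosts(log_text, feed):
    """Map each internal host to the C2 endpoints it contacted.
    DENY lines are kept: the firewall stopped the beacon, not the infection."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, port, action = m.groups()
        key = (dst, int(port))
        if key in feed:
            hits[src].append({"ts": ts, "c2": key, "family": feed[key], "action": action})
    return dict(hits)

def blocklist_rules(feed):
    """Render the feed as iptables-style egress drop rules, one per C2 endpoint."""
    return [f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP"
            for (ip, port) in sorted(feed)]
```

The hosts returned by find_beaconing_hosts are the ones to isolate and clean; the rules only stop further beaconing.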
As for the traffic signatures used to identify the C2 servers, the tool relies on research carried out by Recorded Future.
One drawback of crawlers acting like infected computers is that while scanning the entire Internet, false positives could be triggered on users’ security systems.
If you are interested, you can learn more about Malware Hunter on its official website.