A new service from Internet of Things search engine Shodan promises to find computers infected with remote access trojans (or RATs).
The service, Malware Hunter, is a collaboration between Shodan and threat intelligence firm Recorded Future. It scans the Internet posing as a RAT-infected device and looks for the computers being used as RAT controllers. The goal is to identify compromised machines and shut down malicious campaigns that rely on RATs, Recorded Future said in a press release.
Remote Access Trojans are used to execute malicious commands on infected systems, such as installing data-harvesting software or recording keystrokes, audio and video. RAT software with names like Poison Ivy and Shady has played a prominent role in many targeted attacks and cyber espionage campaigns.
Malware Hunter works by pretending to be an infected client that is reporting back to a command and control (C2) network. Because such networks are hidden, the crawler "reports back" to every IP on the Internet as if it were part of a RAT command and control network. Hosts that answer the way a controller would are mapped.
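To make the mechanics concrete, here is an added example (not Shodan's or Recorded Future's code) of the client-emulation approach described above: a probe sends a RAT-style check-in to a host and decides from the reply whether a controller is listening. The check-in format, the controller reply, and the three local stand-in servers are constructed for this illustration; they are not Poison Ivy's or any real family's handshake. The echo decoy is included to show why a matcher must do more than check that something answered.

```python
"""Toy active-probing scanner: emulate a RAT client's check-in and
classify the reply. The protocol here is invented for the example."""
import socket
import socketserver
import threading
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed check-in: a hypothetical RAT client announces itself with a
# fixed magic, a campaign id and a fake victim hostname (not a real format).
CHECKIN = b"RAT1|campaign=demo|host=WORKSTATION-7\n"


@dataclass
class Signature:
    name: str
    probe: bytes
    # (probe sent, reply received) -> True if the reply is a controller's
    matches: Callable[[bytes, bytes], bool]


def is_toy_controller(probe: bytes, reply: bytes) -> bool:
    # A plain echo service returns the probe verbatim. Rule that out first,
    # otherwise anything that reflects traffic would look like a controller.
    if reply == probe:
        return False
    # Constructed controller reply: "RAT1|ack|<task>"
    return reply.startswith(b"RAT1|ack|")


TOY_SIG = Signature("toy-rat", CHECKIN, is_toy_controller)


def probe_host(host: str, port: int, sig: Signature, timeout: float = 2.0) -> Optional[bytes]:
    """Connect, send the emulated check-in, return the reply (None if no connection)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(sig.probe)
            return s.recv(4096)
    except OSError:  # refused, unreachable, timed out
        return None


def classify(host: str, port: int, sig: Signature, timeout: float = 2.0) -> bool:
    """True only if the host answered and the answer matches the controller signature."""
    reply = probe_host(host, port, sig, timeout)
    return bool(reply) and sig.matches(sig.probe, reply)


# --- local stand-ins so the example runs offline (all constructed) ---
class ToyController(socketserver.BaseRequestHandler):
    """Acknowledges a well-formed check-in with a tasking line, like a C2 would."""
    def handle(self):
        data = self.request.recv(4096)
        if data.startswith(b"RAT1|"):
            self.request.sendall(b"RAT1|ack|task=keylog\n")


class EchoDecoy(socketserver.BaseRequestHandler):
    """Reflects whatever it receives; must not be classified as a controller."""
    def handle(self):
        self.request.sendall(self.request.recv(4096))


class Silent(socketserver.BaseRequestHandler):
    """Accepts the connection but never answers."""
    def handle(self):
        self.request.recv(4096)


def start_server(handler) -> socketserver.TCPServer:
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Probe the three stand-ins and report which ones look like controllers."""
    servers = {name: start_server(h) for name, h in
               [("controller", ToyController), ("echo", EchoDecoy), ("silent", Silent)]}
    try:
        return {name: classify("127.0.0.1", srv.server_address[1], TOY_SIG, timeout=1.0)
                for name, srv in servers.items()}
    finally:
        for srv in servers.values():
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())  # {'controller': True, 'echo': False, 'silent': False}
```

The point of the decoy cases is the one a practitioner cares about when doing this at Internet scale: the signal is the content of the reply, not the fact of a reply, so a signature that only checks "something came back" will flag echo services and misconfigured hosts along with real controllers.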
The service is an improvement on traditional RAT identification techniques that rely on analysis of compromised systems or honeypots to identify RAT infections, Recorded Future VP of Threat Intelligence Levi Gundert argues in a paper describing the new service. By identifying hosts that match specific RAT signatures, organizations can identify those operating the RATs, many of which run off of residential ISP subnets and escape notice.