Shodan is a tool that most security researchers are familiar with, providing a search interface that makes it easy to detect known vulnerabilities across the internet. Shodan is now getting an intelligence boost: a new Malware Hunter crawler, built through a partnership with security vendor Recorded Future.
The Malware Hunter crawler now available on Shodan can help discover systems that have been infected with a Remote Access Trojan (RAT) that is connecting to a botnet command and control node.
"If you search for an IP address that is acting as a RAT controller, you will see the available signature information on the port in question," Levi Gundert, vice president of intelligence and strategy at Recorded Future, told eSecurity Planet. "If you search 'category:malware' you will see all of the results as a category."
Gundert explained that Recorded Future and Shodan develop RAT family definitions based on profiling the traffic between a RAT and its botnet controller. Then Shodan uses the definition to send a specific request to hosts (typically on a default port plus a few other common ports), and it waits a few seconds for a response where necessary.
"If the Shodan crawler receives a specific response back, the host is tagged as a controller," Gundert said.
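The definition-driven probe-and-tag workflow described above, as an added illustration that is not Shodan's or Recorded Future's code: a RAT family definition lists a default port plus a few extra ports, the request to send, and the reply pattern that marks a controller. The family name, probe bytes, response pattern and host addresses are constructed placeholders; the prober is pluggable so the example runs offline against simulated hosts.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical RAT family definition. Probe bytes and response pattern are
# constructed placeholders, not a real malware signature.
@dataclass
class RatDefinition:
    family: str
    default_port: int
    extra_ports: List[int]
    probe: bytes        # request sent to the host
    response_re: bytes  # regex a controller's reply must match
    timeout: float = 3.0  # seconds to wait for a reply

    def ports(self) -> List[int]:
        return [self.default_port] + self.extra_ports

def socket_prober(host: str, port: int, probe: bytes, timeout: float) -> Optional[bytes]:
    """Real prober: one TCP connection, send the probe, wait briefly for a reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(probe)
            return s.recv(4096)
    except OSError:
        return None  # closed port, refused connection or timeout

def classify_host(host: str, definitions, prober) -> dict:
    """Return {family: port} for each definition whose probe draws a matching reply."""
    tags = {}
    for d in definitions:
        for port in d.ports():
            reply = prober(host, port, d.probe, d.timeout)
            if reply is not None and re.search(d.response_re, reply):
                tags[d.family] = port
                break  # one matching port is enough to tag the host
    return tags

# Constructed offline simulation: one host replies like a controller on a
# non-default port, the other is an ordinary web server.
FAKE_RAT = RatDefinition("FakeRAT", 1234, [8080], b"\x00HELLO\x00", rb"^\x00ACK:\d+\x00")

def simulated_prober(host, port, probe, timeout) -> Optional[bytes]:
    if host == "192.0.2.10" and port == 8080 and probe == FAKE_RAT.probe:
        return b"\x00ACK:42\x00"
    if host == "192.0.2.20":
        return b"HTTP/1.0 400 Bad Request\r\n"
    return None

def scan(hosts, definitions=(FAKE_RAT,), prober=simulated_prober) -> dict:
    return {h: classify_host(h, definitions, prober) for h in hosts}
```

Swap `simulated_prober` for `socket_prober` to run the same definitions against real hosts you are authorised to scan; the output maps each host to the families (and ports) it was tagged with.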
The way the technical collaboration works is that Recorded Future imports Shodan results via API on a daily basis and enriches the IP address results using Recorded Future's open, closed, and technical sources.
Gundert noted that he and Shodan founder John Matherly have been friends for many years. "We didn’t want to reinvent the Internet scanning wheel, and John/Shodan has been a fantastic partner to collaborate with," Gundert said.
Looking forward, the plan is to further expand the RAT definition set for Shodan to help identify even more potentially infected hosts and botnets.
"Currently Shodan crawls for 10 different families, 9 RATs, and 1 malware family – ZeroAccess," Gundert said. "RATs are malware of course, but we try to be specific where possible. Gh0st RAT is thus far the largest family, by results, in Shodan."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.