Internet search engine Shodan provides enterprise security teams a wealth of information about open ports on servers and other internet-connected devices. Now, as part of a partnership with threat intelligence company Recorded Future, security analysts and researchers can work with Shodan to uncover systems manipulated to control malware-infected devices.

Shodan’s specialized crawler doesn’t gather information about websites, but rather details about the connected devices, including servers, routers, webcams, and other internet of things devices. The new crawler takes the scanning a step further and actively hunts for computers that are acting as remote access Trojan (RAT) command-and-control servers. As such, it is a powerful tool for threat analysts, security operations center (SOC) teams, and dedicated security personnel within the enterprise trying to proactively identify and defend against certain types of malware families, said Levi Gundert, vice president of intelligence and strategy at Recorded Future.

“Law enforcement can also use Malware Hunter to find controllers and shut down campaigns,” Gundert said.

RAT controllers remotely control malware-infected machines by sending instructions such as recording audio, logging keystrokes, and executing commands. Malware Hunter poses as an infected computer and sends out a beacon call to every IP address on the internet as if it was looking for the command-and-control server. Anything that responds to the beacon would be considered a RAT controller, Gundert said. Malware Hunter is not waiting for malware to contact it or infect it—which is what happens with passive honeypots and sinkholes—but actively seeks responses and collects the IP address. Malware Hunter does not send additional traffic or attempt to probe the controller.