Sloppy Remote-Access Trojan Operators Show Up in Internet Scans
Researchers use Internet scans to find hundreds of home computers managing remote-access Trojans, potentially revealing the software operators' IP addresses.
Cyber-criminals who misconfigure their management nodes for commodity remote-access Trojans (RATs)—software used to monitor and control other computers—can be detected by simple Internet scans, possibly revealing the operator's location, according to research published on Sept. 29 by data-analysis firm Recorded Future.
The company used automated scanning service Shodan to search the Internet for default communication ports left open by six different families of Trojans, finding more than 600 likely installations of the RATs in a week, the company stated in its report.
The cyber-criminals and digital Peeping Toms who frequently use commodity remote-access Trojans, and who do not change the default port on the software, have made it easy to identify the systems and their IP addresses, Levi Gundert, vice president of threat intelligence for Recorded Future, told eWEEK. "They are installing these remote-access Trojans, and as soon as they install it, there is an open port on their system that we can scan for," he said. "And when the system responds, it sends a unique text string, so it is highly unlikely that you are looking at a false positive."
While more sophisticated attackers will change the port number or, more likely, host the management console on a remote system, the study shows that some less technical criminals could be identified by law enforcement. Many of the Internet addresses appear to come from residential networks, Gundert said.