When researching malware, we often find ways to remotely identify whether a system is compromised, especially when looking at server-side threats. This requires thoroughly reverse engineering the malware's network protocol to understand how to properly trigger a behaviour or response that can be used as a fingerprint.
This presentation will show how we built our own scanner from scratch and overcame the challenges of performing internet-wide scans. We will present cases where our scans revealed needles in the haystack based on in-the-wild malware we analyzed and we will provide tips for anyone who wants to perform scans at scale.
Using our results, we found victims of malware families such as Kobalos, PortReuse, ModDir and several IIS backdoors. Those results helped us notify victims and gather important details about each of these threats. First, we could identify who the victims are and whether the attacks were opportunistic or really limited to a small set of targets. Second, when sending notifications, we can ask for additional details such as how the system was compromised or how the compromised system was used by the perpetrators. Those details can enrich our research and provide better indicators of compromise to other potential victims.