SECTOR CONFERENCE — Attackers scan the Internet for vulnerable servers and software. Security firms and universities often scan for open ports and misconfigurations. One security firm is now scanning to detect malware compromises.
In a presentation today at the Toronto-based SecTor security conference, Marc-Etienne Léveillé, senior malware researcher for ESET, outlined how the company created its own scanning capability to aid in its research of infected systems. Through its analysis of the Kobalos malware late last year, ESET figured out a two-step scan that could detect an infected system and was able to notify affected companies, he said.
While Internet scanning systems are common, Léveillé argued that being able to survey the entire Internet gives a company both context on current threats and the ability to dive into specific attacks.
"We are frequently faced with a single malware sample that we don't have a lot of context around," he said. "We don't necessarily know who the actors have targeted or the industry — this is especially true on non-Windows platforms because of the lack of telemetry on those products."
Dozens of companies and universities regularly scan the Internet to detect misconfigured devices, vulnerable systems, and exposed applications. Device search engine Shodan is perhaps the most well-known company to scan for open ports and vulnerabilities on the public Internet, but so do other organizations, such as Rapid7 through its Project Sonar and University of Michigan startup Censys, which aims to create a map of the evolving Internet of Things (IoT).
The University of Michigan, which created the ZMap tool used by most Internet surveys, isn't alone. The University of Chicago and University of Pennsylvania are among the other academic institutions that regularly scan the Internet for research purposes.
However, public services don't have the flexibility necessary for malware research, ESET's Léveillé said in an interview following the presentation.
"We did work with Censys and Shodan before, and we are grateful they dedicated resources in running scans based on the indicators we gave them," he said. "However, we wanted to be independent and not have to bug them every time we wanted to perform a new scan or do a re-scan. Using our own system enables us to also perform scans using custom modules to fingerprint malware using nonstandard protocols."
Léveillé and the ESET research team regularly take in-depth looks at malware, attempting to discover how far a particular malicious operation has spread. While the tools to stand up an Internet-wide survey are publicly available, creating a system from the ground up is not without its challenges.
The first hurdle: finding an Internet service provider that would allow scanning from its network. "Internet service providers don't like scanning of their networks, but relying on third parties to run scans for us adds overhead and limits our capabilities," he says.
Four ISPs rejected ESET's proposal before the company found a service provider willing to work with it.
Since mid-2020, ESET has used the scanning system nearly 20 times to investigate specific malware families, including research published in January detailing the Kobalos malware that infected Linux servers and a project report published in August describing multiple backdoors in Microsoft's Internet Information Server (IIS).
While other companies regularly use Internet scanning to enumerate specific devices, open ports, or misconfigurations, ESET's method is far more targeted, says Léveillé.
"We do not, at this time, regularly scan and categorize IP addresses to be part of a threat group infrastructure," he says. "[However], fingerprinting and scanning for malware command-and-control servers is something we've successfully done, so it would be possible to automate the process and enrich our existing dataset in the future."
In many ways, ESET and other organizations are in a race because they're not the only ones surveying the Internet landscape. In 2014, a group under the name Internet Scanning Project aggressively scanned Internet servers, and similar efforts have continued since, with the problem growing worse. Following a vulnerability disclosure, for example, scans that attempt to reveal the security issue will start within 15 minutes — and sometimes in as little as five minutes for a high-profile vulnerability, Palo Alto Networks stated in a 2021 analysis.
"The ease of scanning [has given] rise to a cottage industry of analysts and criminals who scan for vulnerabilities and infrastructure — especially in the age of ransomware," the company stated in its report. "In the past five years, attackers have perfected techniques that scale at speed."
Companies should focus on reducing their attack surface and recognizing that scans are usually the first step in attacking network devices, Palo Alto Networks advised.