Researchers Scan the Web to Uncover Malware Infections

Published: 23/11/2024   Category: security


Dozens of companies and universities regularly scan the Internet to gather data on connected devices, but some firms are looking deeper to uncover the extent of detectable malware infections.



SECTOR CONFERENCE — Attackers scan the Internet for vulnerable servers and software. Security firms and universities often scan for open ports and misconfigurations. One security firm is now scanning to detect malware compromises.
In a presentation today at the Toronto-based SecTor security conference, Marc-Etienne Léveillé, senior malware researcher for ESET, outlined how the company created its own scanning capability to aid in its research of infected systems. Through its analysis of the Kobalos malware late last year, ESET figured out a two-step scan that could detect an infected system and was able to notify affected companies, he said.
While Internet scanning systems are common, Léveillé argued that being able to survey the entire Internet gives a company both context on current threats and the ability to dive into specific attacks.
"We are frequently faced with a single malware sample that we don't have a lot of context around," he said. "We don't necessarily know who the actors have targeted or the industry — this is especially true on non-Windows platforms because of the lack of telemetry on those products."
Dozens of companies and universities regularly scan the Internet to detect misconfigured devices, vulnerable systems, and exposed applications. Device search engine Shodan is perhaps the most well-known company to scan for open ports and vulnerabilities on the public Internet, but so do other organizations, such as Rapid7 through its Project Sonar and University of Michigan startup Censys, which aims to create a map of the evolving Internet of Things (IoT).
The University of Michigan, which created the ZMap tool used by most Internet surveys, isn't alone. The University of Chicago and University of Pennsylvania are among the other academic institutions that regularly scan the Internet for research purposes.
However, public services don't have the flexibility necessary for malware research, ESET's Léveillé said in an interview following the presentation.
"We did work with Censys and Shodan before, and we are grateful they dedicated resources in running scans based on the indicators we gave them," he said. "However, we wanted to be independent and not have to bug them every time we wanted to perform a new scan or do a re-scan. Using our own system enables us to also perform scans using custom modules to fingerprint malware using nonstandard protocols."
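The two-step scan and the custom fingerprint modules described above, as an added illustration that is not ESET's code: stage one reads a ZMap-style host list, stage two connects to each host and applies a pluggable probe-and-match module for a nonstandard protocol. The probe bytes, the reply marker and the loopback test service are constructed placeholders, not the protocol of Kobalos or any real malware family.

```python
import socket
import threading
from typing import Callable, Iterator

# A fingerprint "module" is the bytes to send plus a predicate over the reply.
# Both values below are CONSTRUCTED placeholders for illustration only.
HYPOTHETICAL_PROBE = b"PING\n"
HYPOTHETICAL_MARKER = b"PONG-IMPLANT-X"
Matcher = Callable[[bytes], bool]

def marker_matcher(reply: bytes) -> bool:
    """Hypothetical match rule: the implant answers with a fixed marker."""
    return reply.startswith(HYPOTHETICAL_MARKER)

def parse_zmap_csv(text: str) -> Iterator[tuple[str, int]]:
    """Stage 1 input: a ZMap-style CSV with a 'saddr,sport' header line."""
    for line in text.strip().splitlines()[1:]:
        addr, port = line.split(",")
        yield addr.strip(), int(port)

def probe_host(host: str, port: int, probe: bytes, matches: Matcher,
               timeout: float = 2.0) -> bool:
    """Stage 2: speak the custom protocol once and test the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        return matches(s.recv(1024))

def two_stage_scan(zmap_csv: str, probe: bytes,
                   matches: Matcher) -> list[tuple[str, int]]:
    """Re-probe every stage-1 hit; return only hosts whose reply matches."""
    hits = []
    for host, port in parse_zmap_csv(zmap_csv):
        try:
            if probe_host(host, port, probe, matches):
                hits.append((host, port))
        except OSError:
            pass  # refused, reset or timed out: not an infected host
    return hits

def start_fake_service(banner: bytes) -> int:
    """Constructed loopback listener for offline testing; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(64)
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```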
Léveillé and the ESET research team regularly take in-depth looks at malware, attempting to discover how far a particular malicious operation has spread. While the tools to stand up an Internet-wide survey are publicly available, creating a system from the ground up is not without its challenges.
The first hurdle: finding an Internet service provider that would allow scanning from its network. "Internet service providers don't like scanning of their networks, but relying on third parties to run scans for us adds overhead and limits our capabilities," he says.
Four ISPs rejected ESET's proposal before the company found a service provider willing to work with it.
Since mid-2020, ESET has used the scanning system nearly 20 times to investigate specific malware families, including research published in January detailing the Kobalos malware that infected Linux servers and a project report published in August describing multiple backdoors in Microsoft's Internet Information Server (IIS).
While other companies regularly use Internet scanning to enumerate specific devices, open ports, or misconfigurations, ESET's method is far more targeted, says Léveillé.
"We do not, at this time, regularly scan and categorize IP addresses to be part of a threat group infrastructure," he says. "[However], fingerprinting and scanning for malware command-and-control servers is something we've successfully done, so it would be possible to automate the process and enrich our existing dataset in the future."
In many ways, ESET and other organizations are in a race because they're not the only ones surveying the Internet landscape. In 2014, a group under the name Internet Scanning Project aggressively scanned Internet servers, and similar efforts have continued with the problem growing worse. Following a vulnerability disclosure, for example, scans that attempt to reveal the security issue will start within 15 minutes — and sometimes in as little as five minutes for a high-profile vulnerability, Palo Alto Networks stated in a 2021 analysis.
"The ease of scanning [has given] rise to a cottage industry of analysts and criminals who scan for vulnerabilities and infrastructure — especially in the age of ransomware," the company stated in its report. "In the past five years, attackers have perfected techniques that scale at speed."
Companies should focus on reducing their attack surface and recognizing that scans are usually the first step in attacking network devices, Palo Alto Networks advised.
