Salesforce open sources malicious server scanner

Salesforce engineers have made the JARM cybersecurity tool open source, allowing users to identify malicious servers such as malware command and control (C2) infrastructure hosted on the internet.

The tool is available on the Github open source code repository and is written in Python.

It uses Transport Layer Security (TLS) to capture information the encryption protocol's Server Hello packets sent in response to client requests to establish secure data communications sessions.

The TLS Server Hello packet responses can include the operating system and version, which libraries are used and their versions, the order in which they were called, and custom configuration information.

By sending 10 TLS Client Hello packets to target servers, and aggregating the responses received, JARM produces unique fingerprints for the specific hosts being scanned.

The unique fingerprints can be used to identify malicious C2 servers configured for malware such as Trickbot, AsyncRAT, Metasploit, Cobalt Strike and Merlin.

They can also be used to quickly verify that all certain servers in a group have the same TLS configuration and to identify default applications and infrastructure.

Disparate servers on the internet can be grouped together by configuration as well, to identify if they belong to organisations like Google, Salesforce or Apple. 

The tool can also be used to build anticipatory blocklists.

"For example, a cyber security researcher or company could scan the internet with JARM, correlate known JARM results with the domain and IP history and reputation along with certificate details to build a high fidelity blocklist," the developers wrote.

"This allows the cyber security industry to move towards the possibility of programmatically building out high fidelity blocklists before the first piece of malware is even distributed, placing threat actors on the defensive for the first time in a long time."

JARM is named after the developers who wrote it: John Althouse, Andrew Smart, R J Nunnally and Mike Brady.

Tools such as JARM that identify network traffic come with ethics considerations, as the authors of a similar application, NFStream, pointed out.

"As with any packet monitoring tool, NFStream could potentially be misused. Do not run it on any network of which you are not the owner or the administrator," the NFStream authors wrote.