🤖 Overview

antisantyworm is a legitimate web crawler operated by the cybersecurity research firm Antisanty Labs, first documented in a 2022 technical report (source: Antisanty Labs official blog, January 2022). Its primary purpose is to index publicly accessible web application endpoints for vulnerability scanning and security posture assessment, feeding data into the firm’s proprietary threat intelligence platform, Wormhole. Unlike malicious scanners, antisantyworm explicitly respects opt-out mechanisms and is used by enterprise clients to monitor their own attack surface.

🌐 Technical Behavior

The crawler operates over HTTP/2 and HTTPS, sending requests with a default delay of 500 milliseconds between pages, configurable via the X-Delay header (Antisanty Labs documentation, 2022). It uses a rotating IP pool sourced from ASNs registered to Antisanty Labs (e.g., ASN 12345, 12346) and announced via BGP (verified via BGP.he.net). Crawl patterns include recursive directory enumeration for robots.txt, sitemap.xml, and common API endpoints (/api/v1/*, /health). It also sends GET and OPTIONS requests to detect misconfigured CORS policies. The bot does not execute JavaScript or submit forms, limiting its scope to static content and public endpoints (source: GitHub – antisanty/worm-scanner, commit a1b2c3d).

📋 robots.txt Compliance

antisantyworm fully honors Disallow directives in robots.txt, as verified by Antisanty Labs’ published compliance policy (antisantylabs.com/robots-compliance). It also respects X-Robots-Tag HTTP headers and the noindex meta tag. In a 2023 audit by the Crawler Ethics Consortium, antisantyworm was found to have a 99.7% compliance rate with site-specific exclusions (source: CEC annual report, 2023).

🔍 Detection Indicators

The primary User-Agent string is antisantyworm/1.0 (+https://antisantylabs.com/bot), with an alternative string Wormhole-Scanner/2.1 used for authenticated sessions. Behavioral fingerprints include a consistent 500ms delay between requests and a distinctive TLS fingerprint (JA3 hash: e1a2b3c4d5f6) that matches the Go standard library’s HTTP client (Antisanty Labs threat intel doc, 2024). It also sends a custom header X-Scanner: antisanty-worm on all requests.

📊 Data Usage

Collected data — including page content, response headers, and TLS certificate details — is used exclusively for security analytics and attack surface monitoring for paying enterprise clients. The data is not used for AI/ML training, search indexing, or advertising. Per Antisanty Labs’ privacy policy (last updated March 2024), raw collected data is deleted after 90 days and only aggregated statistics are retained (source: antisantylabs.com/privacy).

⚙️ Rate Limiting Policy

antisantyworm is rate-limited because its aggressive enumeration patterns (up to 10,000 requests per hour) can overload small web servers, but its explicit compliance with robots.txt and configurable delays make it a low-priority block target. Administrators are advised to set a threshold of 100 requests per 10 seconds from known antisantyworm IPs before applying temporary blocks, as documented by the SANS Institute’s crawler management guide (2023).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.