Test Certificate Info

Bot User-Agent: test-certificate-info

⚠️ Overview

Test Certificate Info is a malicious automated reconnaissance bot that probes web servers for SSL/TLS certificate metadata and cipher suite offerings, typically deployed by attackers to identify weak cryptographic configurations. Legitimate tools such as testssl.sh (drwetter/testssl.sh on GitHub) perform the same kind of checks for authorized security auditing; this bot is a custom or repurposed scanner of that kind, run without authorization for pre‑attack mapping. Its origins are traced to early 2020, when SANS ISC first reported a surge in User‑Agent strings containing "Test Certificate Info" originating from known malicious IP ranges.

🔧 Technical Capabilities

The bot opens TLS connections to port 443, sending a ClientHello with a broad cipher suite list to elicit the server's certificate chain and supported protocol versions. It then parses the server's X.509 certificate, extracting issuer, subject, validity dates, signature algorithm, and any Subject Alternative Names (SANs). It also tests for weak ciphers (EXPORT, NULL, or RC4 suites), outdated protocol versions (SSLv3, TLS 1.0), and insecure renegotiation. Some variants send Heartbleed (CVE‑2014‑0160) or POODLE (CVE‑2014‑3566) probes immediately after the handshake. Note that the User‑Agent string listed above is an HTTP header: it is only observable when the bot completes the handshake and sends a request, whereas the handshake‑level checks leave no trace in HTTP access logs. The bot runs at high speed, scanning thousands of IPs per minute, typically using multiprocessing and rotating source addresses to evade rate limits.
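The checks described above, written as an added defender‑side audit script so you can see exactly what such a probe learns about one of your own hosts. This is example code, not the bot's code or anything from the page: it uses only the Python standard library, pins each handshake to one protocol version and one cipher list, extracts the certificate fields through `getpeercert()`, and flags what an attacker would act on. `probe_host()` needs network access and is only called when a hostname is passed on the command line; the weak‑cipher markers, the "internal‑looking SAN" word list and the sample certificate are assumptions constructed for illustration.

```python
"""Added example (not the page's or the bot's code): a defender-side TLS probe
that reproduces the checks the text describes.  Standard library only."""
import socket
import ssl
import time

# Cipher-name fragments (OpenSSL naming) the text singles out as weak.
# "DES-CBC" also matches 3DES suites such as DES-CBC3-SHA.
WEAK_CIPHER_MARKERS = ("EXPORT", "EXP-", "NULL", "RC4", "DES-CBC", "MD5")
# ssl.TLSVersion member names the text calls outdated (SSLv3 is omitted because
# a modern OpenSSL client cannot offer it at all).
LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")
# Heuristic (assumption, not from the page): SAN labels suggesting internal naming.
INTERNAL_LABELS = ("internal", "corp", "intranet", "staging", "dev", "vpn")

# Constructed sample (not a real certificate) in getpeercert() layout, for offline runs.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "vpn.internal.example.com"),
                       ("IP Address", "203.0.113.5")),
}


def is_weak_cipher(name):
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def cert_summary(cert):
    """Flatten getpeercert()'s tuple-of-RDNs layout into the fields the text lists."""
    def flat(rdns):
        return {k: v for rdn in rdns for k, v in rdn}
    return {
        "subject": flat(cert.get("subject", ())),
        "issuer": flat(cert.get("issuer", ())),
        "not_before": cert.get("notBefore"),
        "not_after": cert.get("notAfter"),
        "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
    }


def assess(findings, now=None):
    """Turn raw findings into the list of issues an attacker would act on."""
    now = time.time() if now is None else now
    issues = []
    for version in findings.get("versions", ()):
        if version in LEGACY_VERSIONS:
            issues.append(f"legacy protocol accepted: {version}")
    for cipher in findings.get("weak_ciphers", ()):
        issues.append(f"weak cipher accepted: {cipher}")
    cert = findings.get("cert")
    if cert:
        if ssl.cert_time_to_seconds(cert["not_after"]) < now:
            issues.append(f"certificate expired: {cert['not_after']}")
        for san in cert["sans"]:
            if any(label in INTERNAL_LABELS for label in san.lower().split(".")):
                issues.append(f"SAN leaks internal name: {san}")
    return issues


SAMPLE_FINDINGS = {"versions": ["TLSv1", "TLSv1_2"], "weak_ciphers": ["RC4-SHA"],
                   "cert": cert_summary(SAMPLE_CERT)}


def _handshake(host, port, version, ciphers, timeout):
    """(protocol, cipher) if the server completes a handshake pinned to one version
    and one cipher list, else None.  Verification is off: we only ask what it offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers(ciphers)  # raises if the local OpenSSL has none of them
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_host(host, port=443, timeout=5):
    findings = {"versions": [], "weak_ciphers": [], "cert": None}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        # @SECLEVEL=0 lets the client offer legacy suites the server may still accept.
        if _handshake(host, port, version, "ALL:@SECLEVEL=0", timeout):
            findings["versions"].append(version.name)
    # Offer only weak suites; a completed handshake means the server accepts one.
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2):
        result = _handshake(host, port, version, "EXPORT:NULL:RC4:DES:@SECLEVEL=0", timeout)
        if result and result[1] not in findings["weak_ciphers"]:
            findings["weak_ciphers"].append(result[1])
    # getpeercert() is only populated when the chain validates, so use a verifying context.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
                findings["cert"] = cert_summary(tls.getpeercert())
    except (ssl.SSLError, OSError) as exc:
        findings["cert_error"] = str(exc)
    return findings


if __name__ == "__main__":
    import sys
    found = probe_host(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    print("\n".join(assess(found)) or "no issues found")
```

Run it with no arguments to see the assessment of the constructed sample, or with a hostname you are authorised to test. The weak‑suite pass deliberately offers nothing but weak ciphers, so any completed handshake is itself the finding; the certificate pass uses a verifying context because `getpeercert()` returns an empty dict when verification is disabled.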

📜 History & Notable Incidents

In June 2021, a coordinated campaign used this bot's certificate scanning to catalogue over 50,000 IoT devices running outdated SSL stacks, leading to widespread Mirai‑variant infections. The SANS Internet Storm Center recorded a 300% increase in requests carrying the "Test Certificate Info" User‑Agent during the week of the Log4j vulnerability (CVE‑2021‑44228), suggesting attackers used it to identify vulnerable servers. No CVE is assigned to the bot itself, but it has been cited in threat intelligence reports from CrowdStrike and Recorded Future as a low‑level reconnaissance tool.

🔍 Detection Indicators

The primary indicator, where the probe completes the handshake and sends an HTTP request, is the exact User‑Agent string: Mozilla/5.0 (compatible; Test Certificate Info). The Bot User‑Agent field at the top of this page lists the shorter form test-certificate-info; match both. Probes that stop after the handshake never reach the HTTP layer, so no User‑Agent is logged and they appear only in TLS‑layer logs (for example, handshake failures for unsupported protocol versions or cipher suites). Behavioral fingerprints include repeated incomplete TLS handshakes (the bot may not finish the key exchange), a high frequency of connections to the same target from different source addresses, and a lack of follow‑up HTTP requests from any one source. Logs often show a sudden burst of connections to port 443 from a single /24 subnet within seconds.
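The indicators above, applied as an added example to constructed access‑log lines in Apache/nginx combined format. This is example detection logic, not anything from the page or from any vendor's product: it matches both spellings of the User‑Agent, then aggregates every request by source /24 (or /64 for IPv6) and flags networks from which at least a threshold number of requests arrive inside a short sliding window. The threshold, window, aggregation prefixes and sample lines are assumptions; tune the first two to your own traffic.

```python
"""Added example (not from the page): User-Agent matching plus per-/24 burst
detection over constructed combined-format access-log lines."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Normalised needle that matches both "Test Certificate Info" and "test-certificate-info".
UA_NEEDLE = "testcertificateinfo"


def ua_is_bot(ua):
    return UA_NEEDLE in re.sub(r"[\s\-_]", "", ua.lower())


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def source_net(ip):
    """Aggregation key: /24 for IPv4, /64 for IPv6 (assumed granularity)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_bursts(records, threshold=20, window_seconds=10):
    """Networks from which >= threshold requests arrive within any window_seconds span."""
    by_net = defaultdict(list)
    for rec in records:
        by_net[source_net(rec["ip"])].append(rec["ts"])
    bursts = {}
    for net, times in by_net.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[net] = peak
    return bursts


def analyze(lines, **burst_kwargs):
    records, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    bot_hits = [r for r in records if ua_is_bot(r["ua"])]
    return {
        "bot_requests": len(bot_hits),
        "bot_sources": sorted({r["ip"] for r in bot_hits}),
        "bursts": find_bursts(records, **burst_kwargs),
        "unparsed": unparsed,
    }


def sample_log():
    """Constructed sample lines (not real traffic): a 25-host burst from one /24
    with the long UA form, one hit with the short form, one benign browser hit,
    and one unparseable line."""
    bot_ua = "Mozilla/5.0 (compatible; Test Certificate Info)"
    lines = [
        f'198.51.100.{i + 1} - - [03/Mar/2024:08:00:{i % 6:02d} +0000] '
        f'"GET / HTTP/1.1" 200 612 "-" "{bot_ua}"'
        for i in range(25)
    ]
    lines += [
        '203.0.113.9 - - [03/Mar/2024:08:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" '
        '"test-certificate-info"',
        '192.0.2.77 - - [03/Mar/2024:08:05:01 +0000] "GET /index.html HTTP/1.1" 200 4021 '
        '"https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
        "garbage line that should be counted as unparsed",
    ]
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

Burst detection runs over all parsed requests, not only those with the bot's User‑Agent, because the string is trivially changed; a /24 that produces dozens of handshakes in seconds is the more durable signal. Handshake‑only probes do not appear in HTTP access logs at all, so feed the same burst logic with your TLS terminator's handshake or error log if you want to catch those.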

☠️ Risk & Impact

By revealing which protocol versions and cipher suites a server still accepts, this bot lets attackers plan man‑in‑the‑middle (MITM) downgrade attacks, including downgrades to export‑grade suites, and lets them target known protocol flaws such as those probed above. The certificate details themselves do not allow an attacker to forge a valid certificate, but they do help in crafting convincing look‑alike certificates and phishing domains. SANs can also expose internal subdomains, providing a map of an organization's infrastructure. The information gathered directly facilitates follow‑on exploitation of SSL/TLS weaknesses.

🛡️ Mitigation

Immediate blocking on detection is recommended because the bot is reported as a precursor to active exploitation; denying its probe traffic removes one of the attacker's intelligence‑gathering vectors for cryptographically targeted attacks. Two caveats apply. First, a User‑Agent string is trivially changed, so blocks keyed on it alone will not hold; rate‑limiting handshakes per source /24 catches the burst behaviour regardless of the string. Second, the bot can only report what the server exposes, so the durable fix is to remove the findings themselves: disable SSLv3, TLS 1.0 and TLS 1.1; drop EXPORT, NULL and RC4 suites; patch any library still vulnerable to Heartbleed or POODLE; and keep public certificates' SANs to names that need to be public, issuing separate certificates for internal hostnames.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.