Method and device for actively finding malicious code control end

The invention discloses a method for actively finding a malicious code control end, comprising the following steps. Host information scanning: within the IP address range to be scanned, find hosts that are online, run a Windows operating system and have open ports, and determine at least one open port of each such host. Control end information scanning: establish a network connection to the open ports of the host, simulate the network behavior of the controlled-end host corresponding to a known type of malicious code control end, send data to the host, and analyze the data returned; if the returned data matches the characteristics of that known type of malicious code control end, a control end of that type is present on the host. The method can effectively identify malicious code control ends, is suitable for large-scale scanning of hosts on the Internet, and is of great practical significance for safeguarding information security. Correspondingly, the invention also provides a device for actively finding a malicious code control end.
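
The decision logic of the two steps above, as an added Python example that is not taken from the patent. It runs offline over constructed data. The family name `example-family-A`, the `HELLO` probe, the `CTRL` magic-plus-length reply format, the host records and the `fake_exchange` stand-in for the network connection are all assumptions made for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Callable

# Constructed output of the host information scan (TEST-NET-1 addresses).
HOSTS = [
    {"ip": "192.0.2.10", "online": True, "os": "Windows", "open_ports": [80, 4444]},
    {"ip": "192.0.2.11", "online": True, "os": "Linux", "open_ports": [22]},
    {"ip": "192.0.2.12", "online": False, "os": "Windows", "open_ports": [4444]},
    {"ip": "192.0.2.13", "online": True, "os": "Windows", "open_ports": []},
]

@dataclass
class Signature:
    family: str                       # hypothetical control-end type
    probe: bytes                      # data a controlled end would send first
    matches: Callable[[bytes], bool]  # characteristic test on the return data

def framed_reply(data: bytes) -> bool:
    # Hypothetical characteristic: 4-byte magic, then a big-endian length
    # that must equal the number of bytes following the 8-byte header.
    if len(data) < 8 or data[:4] != b"CTRL":
        return False
    (length,) = struct.unpack(">I", data[4:8])
    return length == len(data) - 8

SIGNATURES = [Signature("example-family-A", b"HELLO\x00", framed_reply)]

def candidate_targets(hosts):
    """Step 1: keep online Windows hosts that have at least one open port."""
    return [(h["ip"], p) for h in hosts
            if h["online"] and h["os"] == "Windows" for p in h["open_ports"]]

def scan(hosts, exchange):
    """Step 2: send each probe to each open port and test the return data."""
    found = []
    for ip, port in candidate_targets(hosts):
        for sig in SIGNATURES:
            reply = exchange(ip, port, sig.probe)
            if reply is not None and sig.matches(reply):
                found.append((ip, port, sig.family))
    return found

# Constructed replies standing in for the network, so nothing is contacted.
REPLIES = {("192.0.2.10", 80): b"HTTP/1.1 400 Bad Request\r\n\r\n",
           ("192.0.2.10", 4444): b"CTRL" + struct.pack(">I", 3) + b"ack"}

def fake_exchange(ip, port, probe):
    return REPLIES.get((ip, port))
```

Checking a structural property of the reply (here, the length field agreeing with the payload size) rather than a bare banner string keeps an ordinary service that happens to answer on the same port from being reported as a control end.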