command-and-control server (C&C server)

Introduction

A computer that sends instructions to digital devices infected with rootkits or other malware, like ransomware, is known as a command-and-control server, or C&C server. C&C servers can be used to build robust networks of infected devices that are able to extort money by encrypting data, deleting data, or launching distributed denial-of-service (DDoS) attacks.

In the past, a C&C server could run for several years and was frequently hosted on hardware the attacker physically controlled. Nowadays, C&C servers typically don't last long; they frequently live on legitimate cloud services and employ domain generation algorithms to evade detection by law enforcement and ethical malware hunters.

How does a C&C server work?

For a C&C attack to occur, a malicious remote server, also referred to as a C&C server, must establish a communication channel to a system that has already been infected. The majority of devices, including PCs, tablets, smartphones, and Internet of Things devices, are susceptible to this kind of attack.

C&C infections usually begin through the following channels:

  • Phishing emails that deceive recipients into opening malicious attachments or links.
  • Malvertising, which embeds malicious code in digital advertisements.
  • Malicious scripts introduced into interactive web pages through vulnerable browser extensions and plugins, which redirect users and steal information entered into online forms.
  • Malware that installs itself directly on a device and begins issuing malicious commands.

Once a device has been successfully invaded, a threat actor communicates with the malicious C&C server to instruct the compromised host and create a malicious network. A botnet is a malicious network that is controlled by a command-and-control server; its member network nodes are also known as zombies. Beaconing is another way that instructions or extra payloads can be sent between the infected device and the C&C server.

Additional malware is installed once the compromised host begins carrying out the commands sent by the C&C server, giving the threat actor complete control over the compromised machine.

Popular botnet topologies

A botnet is a collection of internet-connected, malware-infected bots under threat actor control. Although peer-to-peer (P2P) botnets are becoming more popular due to their decentralized architecture, which gives threat actors more control, most botnets have a centralized command-and-control architecture.

Among the most common botnet topologies are the following:

  • Star topology: All of the bots are arranged around a central server.
  • Multi-server topology: For redundancy, there are multiple C&C servers.
  • Hierarchical topology: Groups of C&C servers are arranged tier by tier.
  • Random topology: P2P botnets are used by co-opted computers to communicate.
  • P2P topology: Every bot functions independently as both a client and a server. A P2P botnet architecture lacks centralized control, making it more aggressive and difficult to detect.

A classic botnet typically comprises bots infected with a Trojan horse, communicating with a central command and control server through Internet Relay Chat (IRC). Such botnets are often employed for distributing malware or spam and harvesting sensitive data like credit card numbers. However, IRC communication is now commonly shunned due to its association with botnet control, leading cybercriminals to innovate new covert methods for C&C server communication. These alternative channels include utilizing dummy accounts on social media platforms like LinkedIn or Twitter, embedding commands within JPEG images, and concealing instructions within Microsoft Word files.

Common uses of Command and Control

Command and control servers find primary usage among organizations seeking centralized management of their network devices, facilitating efficient deployment and administration of applications and policies. Additionally, they provide insights into network conditions, aiding in monitoring performance and activity. Notably, command and control servers serve several functions, elaborated below.

1. Malware Management

Malware management lets attackers keep control over their malware and carry out malicious actions whenever they choose. It enables the attacker to monitor the infection's progress and modify their attack plan as necessary.

From the attacker's point of view, there are various benefits:

  • Malware control is centralized.
  • A specific location to coordinate their attacks.
  • The capacity to keep control of the compromised device even after it has been turned back on or disconnected from the internet.

To cut off communication between the attacker and the infected devices, the security team should:

  • Obtain and block the C&C server's IP address.
  • Block the C&C server's domain name. (This becomes challenging if domain generation techniques are applied.)

2. Botnet control

In the era of ubiquitous computing and the Internet of Things, botnets are collections of malware-infected hosts under the control of malicious actors. As established above, botnets have the ability to spread malware, commit distributed denial-of-service attacks, steal data, and send spam.

Infected hosts are referred to simply as bots, while C&C servers are known as bot masters. The architecture of the C&C server allows distributed malicious attacks to be launched, over the LAN or the internet, against the infected hosts or against other connected hosts.

In general, there are two basic architectural structures that botnets can have:

  • Centralized
  • Peer-to-peer (P2P)

These structures are defined by the way commands are sent across the C&C channel. In a centralized botnet, the bots are controlled by a central C&C server that sends the commands. In a P2P botnet, the commands propagate throughout the P2P overlay network.

Botnets can be used for a wide range of distributed attacks, including extortion, piracy, and distributed denial-of-service (DDoS) attacks. Botnets were originally distributed via Internet Relay Chat (IRC), even though there are a lot more attack channels for them. Attack vectors include compromised websites, file-sharing networks, malicious email attachments, and vulnerability attacks.

The proliferation of internet-connected pervasive devices gives botnets a larger attack surface and more susceptible hosts to infection.

3. Remote administration

The process of remotely managing a network or computer system is known as remote administration. With remote administration tools, system administrators can access and control systems from any location with an internet connection.

On a compromised system, however, the attacker can use remote administration tools to carry out C&C. For example, a hacker who has gained access to a compromised system could use a remote administration tool such as VNC (Virtual Network Computing). The malware may then receive commands to carry out operations such as downloading additional malware, encrypting files, or returning stolen information to the attacker's command and control server.

Sometimes, malicious actors will use legitimate remote administration tools that have been hacked or altered. For instance, they could use Remote Desktop Protocol (RDP), a popular remote administration tool, to log into a computer and carry out C&C.

5 Common Command-and-Control Techniques Hackers Use

  1. Application Layer Protocol: To evade detection and network filtering, threat actors carry C&C traffic over common application layer protocols, transferring all information between the client and server inside the protocol stream. Protocols commonly abused this way include:
    • DNS
    • HTTP(S)
    • FTP/SFTP
    • Mail Protocols
  2. Data Encoding: To make the nature of the transmission harder to determine, threat actors encode the data they send.
  3. Data Obfuscation: Hackers will employ data obfuscation techniques to make it more difficult for security teams to intervene. Their goal is to make it as difficult as possible to notice and understand the information. Therefore, they might use steganography, spoof legitimate protocols, or add garbage data to protocol traffic.
  4. Dynamic Resolution: Hackers dynamically establish connections to command-and-control infrastructure in order to evade traditional detection methods. The methods they employ are:
    • Fast Flux DNS
    • Domain generation algorithms (DGAs)
    • DNS calculation
  5. Encrypted Channel: To conceal command and control communications, hackers occasionally employ a well-known encryption method. If the secret keys are generated by, or embedded in, the malware's configuration files, these implementations can be reverse engineered. The two methods hackers could employ here are:
    • symmetric cryptography
    • asymmetric cryptography
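
The dynamic-resolution techniques above (DGAs and fast flux) and the short-TTL dynamic DNS trick described later in this page leave lexical and resolution-pattern traces in DNS logs. The following added example, which is not part of the original article, shows a defender-side triage of a constructed DNS resolver log: it scores each queried name for DGA-like lexical features (entropy, vowel ratio, digit ratio, length) and separately flags names that answer with many distinct IPs under a short TTL. The log format, thresholds and all domain names and addresses are assumptions chosen for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS resolver log lines (placeholder values, not real traffic).
# Fields: <epoch_seconds> <client_ip> <queried_name> <answer_ttl> <answer_ip>
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com 3600 93.184.216.34
1700000002 10.0.0.5 mail.example.com 3600 93.184.216.35
1700000003 10.0.0.7 xk3j9qz0v2mfpl7w.net 60 198.51.100.10
1700000004 10.0.0.7 xk3j9qz0v2mfpl7w.net 60 198.51.100.11
1700000005 10.0.0.7 xk3j9qz0v2mfpl7w.net 60 198.51.100.12
1700000006 10.0.0.7 q7hw2zx9c1vbn4kd.net 60 198.51.100.13
1700000007 10.0.0.7 a1b2c3d4e5f6g7h8.org 60 198.51.100.14
1700000008 10.0.0.9 updates.vendor-example.com 300 203.0.113.8
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(len(text))."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a name (crude: production code should use a public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Count lexical DGA indicators on the registrable label (0 = none, 4 = all present)."""
    label = registrable_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0
    if shannon_entropy(label) > 3.5:   # high character diversity
        score += 1
    if vowel_ratio < 0.2:              # unpronounceable
        score += 1
    if digit_ratio > 0.2:              # digits mixed into the name
        score += 1
    if len(label) >= 12:               # long labels are common in DGA output
        score += 1
    return score


def parse_log(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, client, qname, ttl, ip = line.split()
        rows.append((int(ts), client, qname, int(ttl), ip))
    return rows


def dga_candidates(log_text, threshold=3):
    """Queried names whose label scores at or above the threshold, with their score."""
    flagged = {}
    for _, _, qname, _, _ in parse_log(log_text):
        score = dga_score(qname)
        if score >= threshold:
            flagged[qname] = score
    return flagged


def fast_flux_candidates(log_text, max_ttl=300, min_ips=3):
    """Names that resolve to many distinct IPs while advertising a short TTL."""
    ips = defaultdict(set)
    min_ttl = {}
    for _, _, qname, ttl, ip in parse_log(log_text):
        ips[qname].add(ip)
        min_ttl[qname] = min(min_ttl.get(qname, ttl), ttl)
    return sorted(q for q in ips if min_ttl[q] <= max_ttl and len(ips[q]) >= min_ips)


if __name__ == "__main__":
    print("DGA-like names:", dga_candidates(SAMPLE_DNS_LOG))
    print("Fast-flux-like names:", fast_flux_candidates(SAMPLE_DNS_LOG))
```

Note that the legitimate-looking updates.vendor-example.com still picks up one point for its length, which is why a threshold of several combined indicators, rather than any single feature, is used before a name is escalated; in practice such scores are a triage input to be correlated with the fast-flux view and with host-based telemetry, not a verdict on their own.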

Detecting and protecting against Command and Control

In order to deal with C&C attacks, it's common practice to continuously monitor host computer activity and block known malicious domains.

1. Network-Based detection

Monitoring network traffic for indications of C&C activity is known as network-based detection. Communication patterns unique to C&C traffic between terminals and remote servers can be recognized by network-based detection technologies.

For instance, if a server is communicating with numerous terminals and transmitting large amounts of data via a specific port, it may be possible to detect a C&C connection.

The following are a few methods employed in network-based detection:

  • Network traffic analysis.
  • Deep packet inspection.
  • Intrusion detection systems.

Detection techniques can also be built on machine learning. Machine learning-based detection uses algorithms to monitor network activity and spot behavioral patterns that indicate C&C activity. These algorithms can detect previously unknown patterns in C&C traffic and adjust their detection strategies accordingly.
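
The beaconing pattern mentioned earlier (an infected host checking in with its C&C server at near-fixed intervals with near-identical payload sizes) is one of the communication patterns that network traffic analysis looks for. The following added example, not part of the original article, runs a simple beacon detector over a constructed connection log: for each source/destination pair it computes the coefficient of variation of the inter-connection gaps and of the bytes sent, and reports pairs that are both regular in timing and uniform in size. The log format, thresholds and addresses are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log (placeholder values, not real traffic).
# Fields: <epoch_seconds> <src_ip> <dst_ip>:<dst_port> <bytes_out>
SAMPLE_CONN_LOG = """\
1000 10.0.0.5 93.184.216.34:443 5120
1000 10.0.0.7 198.51.100.10:443 412
1005 10.0.0.5 93.184.216.34:443 880
1061 10.0.0.7 198.51.100.10:443 415
1120 10.0.0.7 198.51.100.10:443 410
1181 10.0.0.7 198.51.100.10:443 418
1240 10.0.0.7 198.51.100.10:443 409
1299 10.0.0.7 198.51.100.10:443 416
1300 10.0.0.5 93.184.216.34:443 20480
1310 10.0.0.5 93.184.216.34:443 1024
1360 10.0.0.7 198.51.100.10:443 411
1420 10.0.0.7 198.51.100.10:443 414
1900 10.0.0.5 93.184.216.34:443 3072
"""


def parse_conn_log(log_text):
    """Group (timestamp, bytes) events by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows


def beacon_candidates(log_text, min_connections=5, max_interval_cv=0.1, max_size_cv=0.1):
    """Flag pairs whose connection gaps and payload sizes are both nearly constant.

    Coefficient of variation (stdev / mean) is scale-free, so a 60-second beacon
    and a 6-hour beacon are judged by the same thresholds.
    """
    results = []
    for (src, dst), events in parse_conn_log(log_text).items():
        if len(events) < min_connections:
            continue                      # too few samples to judge regularity
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(intervals)
        gap_cv = statistics.stdev(intervals) / mean_gap if mean_gap else float("inf")
        size_cv = statistics.stdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            results.append({
                "src": src, "dst": dst, "connections": len(events),
                "mean_interval_s": mean_gap, "interval_cv": gap_cv, "size_cv": size_cv,
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_CONN_LOG):
        print(hit)
```

In the sample, 10.0.0.7 contacts 198.51.100.10:443 every 60 seconds (with a second or two of jitter) sending about 410 bytes each time, while 10.0.0.5's browsing to 93.184.216.34 is irregular in both timing and size and is not reported. Real beacons often add deliberate jitter or sleep skew, so production detectors widen the tolerance, look at longer windows, and combine this signal with destination reputation rather than alerting on regularity alone.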

2. Host-Based detection

A host's activities are tracked as part of host-based detection. It can employ tools that keep an eye on:

  • File System Activities
  • Network connections
  • System logs

For example, system logs can be used to identify unusual processes or increases in outgoing network traffic, which could indicate a C&C intrusion. Host-based detection tools include the following:

  • Host-based intrusion detection systems
  • File integrity monitoring software
  • Antivirus software

This technique is based on the observation that C&C attacks often involve the installation of malware or other malicious software on specific endpoints, which can be recognized by observing the activities of those endpoints.
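
Because, as the paragraph above notes, a C&C intrusion usually leaves new or altered files on the endpoint, file integrity monitoring is one of the host-based tools listed. The following added example, not part of the original article, implements the core of such a monitor: it hashes every file under a directory to build a baseline, takes a second snapshot later, and reports files that were added, removed or modified. The demo builds a throwaway directory tree and simulates a compromise in it; the file names and contents are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_snapshots(before, after):
    """Classify every difference between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def _write(root, relpath, data):
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a fake install tree, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/service", b"original service binary")
        _write(root, "etc/app.conf", b"listen=127.0.0.1\n")
        _write(root, "lib/helper.so", b"helper library")
        before = snapshot(root)

        # Simulated malicious changes: trojaned binary, dropped payload, deleted library
        _write(root, "bin/service", b"trojaned service binary")
        _write(root, "tmp/dropper.bin", b"dropped payload")
        os.remove(os.path.join(root, "lib/helper.so"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

A real deployment stores the baseline somewhere the monitored host cannot rewrite it (otherwise malware that alters a file can also alter its recorded hash), restricts monitoring to directories that should be static such as system binaries and service configuration, and raises the modified and added entries to the SIEM alongside the network indicators from the previous section.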

3. Blacklisting

Blacklisting works as literally as its name suggests: once malicious IP addresses, domain names, or URLs have been identified, they are added to a list. Blacklisting tools then block traffic involving these malicious destinations in order to lower the risk of compromise. The list can also be updated in real time.

Blacklisting may consist of:

  • DNS
  • Internet Protocol addresses
  • URLs (almost all internet users have encountered malicious URLs at some point).

When network traffic involving a blocked IP address is detected, the request is either redirected to a safer website or blocked outright.
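
The three kinds of blocklist entry listed above need three different matching rules: a domain entry should also catch its subdomains, an IP entry is usually a network range, and a URL entry is a path prefix. The following added example, not part of the original article, implements those rules and the redirect-or-block decision the paragraph describes. Every blocklist entry, the landing page and the sample requests are constructed placeholders, not real indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist entries (placeholders, not real indicators)
BLOCKED_DOMAINS = {"bad-c2-example.net", "malvertising-example.org"}
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("203.0.113.7/32")]
BLOCKED_URL_PREFIXES = ["http://cdn-example.com/ads/payload/"]
SAFE_PAGE = "https://intranet.example.com/blocked"   # assumed landing page for redirects

# Constructed sample of outbound requests to triage
SAMPLE_REQUESTS = [
    "https://www.example.com/",
    "https://api.bad-c2-example.net/beacon",
    "http://198.51.100.20/update",
    "http://cdn-example.com/ads/payload/loader.js",
    "http://cdn-example.com/static/app.js",
    "https://notbad-c2-example.net/",
]


def host_blocked(host):
    """True if host is a listed domain (or a subdomain of one) or an IP inside a listed network."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # Match the name and each parent label-wise: a.b.example.net -> b.example.net -> example.net
        return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))
    return any(ip in net for net in BLOCKED_NETWORKS)


def decide(url):
    """Return (action, reason): 'redirect' for listed hosts, 'block' for listed URL prefixes, else 'allow'."""
    host = urlsplit(url).hostname or ""
    if host_blocked(host):
        return ("redirect", f"host {host} is blocklisted; user sent to {SAFE_PAGE}")
    for prefix in BLOCKED_URL_PREFIXES:
        if url.lower().startswith(prefix):
            return ("block", f"URL matches blocklisted prefix {prefix}")
    return ("allow", "no match")


def triage(urls):
    """Map each request to its action, for feeding a proxy policy or a report."""
    return {url: decide(url)[0] for url in urls}


if __name__ == "__main__":
    for url, action in triage(SAMPLE_REQUESTS).items():
        print(f"{action:8s} {url}")
```

Matching domains label by label, rather than by substring, is what keeps notbad-c2-example.net from being caught by the entry for bad-c2-example.net; the same care is needed in production lists, where false positives against legitimate sites are the main cost of blocklisting.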

Real-world examples of Command and Control

1. Banking Trojan: "TrickBot"

TrickBot is frequently distributed through phishing emails and can be used to steal personal information, including banking credentials. In 2019, TrickBot malware was used in several attacks against financial institutions in the US, UK, and Canada. Although security professionals and law enforcement worked together to bring down the TrickBot network, the malware's authors continue to adapt and change their tactics. Two essential defenses against this type of attack are multi-factor authentication and anti-malware software.

2. Botnet: "Mirai"

The Mirai botnet was responsible for the massive DDoS attack that in 2016 disrupted internet access throughout the United States. Malware was used to infect susceptible Internet of Things devices, creating the Mirai botnet.

3. Malvertising: "Kyle & Stan"

The 2014 discovery of the "Kyle and Stan" malvertising campaign serves as one illustration of how malicious advertisements can be presented on reliable websites in order to spread malware and steal personal data. The campaign consisted of advertisements that appeared to offer popular TV show streaming services, but when users clicked on them, a website that attempted to infect their computers with malware was displayed. The malware, which was designed to steal private data, was distributed through drive-by downloads.

How Does a C&C Server Exploit a Compromised System?

A compromised system can be exploited by a C&C server in the following ways:

1. Theft of personal information

Sensitive company information, such as financial documents, can be copied or sent to a website controlled by the attacker.

2. Shutdown

An attacker has the ability to disable one or more devices or the network of a company.

3. Reboot

Regular shutdowns and reboots of infected systems can interfere with regular company activities.

4. Distributed Denial of Service

DDoS attacks overwhelm servers or networks by overloading them with internet traffic. Each bot in the botnet can be instructed by an attacker to send a request to a particular IP address, clogging the targeted server's traffic. As a result, legitimate traffic to the attacked IP address is denied access, much like traffic clogging a freeway. This type of assault can bring down a website.

5. Using Fake Domains That Appear to Be Authentic

One of the most common strategies for creating C&C servers is the use of domain names that replicate the typical naming of online advertisement services or websites pertinent to a current campaign or that resemble the pattern of authentic software or email services.

How Do C&C Servers Conceal Their Location

APT groups frequently use intermediary servers (also known as proxies) to improve the stealth and availability of their command and control servers. These proxies hide the actual location of the Command and Control server.

One well-known method for hiding C&C locations is the use of dynamic DNS services like VoIP, DynDNS, and others. By registering domain names through these providers, attackers can stay anonymous, as no actual contact information is needed. Furthermore, IP mappings and domain names can be quickly changed in the event that the target's infrastructure blocks the original IP. Such domains enable this through short caching (TTL) settings.

Conclusion

Command and control servers have grown in popularity in recent years, allowing organizations to gain greater visibility into their IT systems and manage them more efficiently. Security administrators can monitor and control infrastructure from a single, central location, which is one of their most helpful features. This enables them to promptly detect possible problems and implement solutions before they become a problem for consumers.
