How Command and Control Servers Remain Resilient
September 14, 2015 – 7:53 AMOne of the ways that malware activity on a network is spotted is via the activity of their network activity. However, in many cases this can be difficult to detect: there have been incidents where command-and-control (C&C) servers were able to stay online and pose a problem for many years. This particular group of threat actors was active for more than five years, and used a single C&C server for two years.
Malware, unlike future artificial intelligence, is generally not self-aware and requires direction from an attacker to function well. That’s where C&C servers come in. While these are commonly thought of as limited to use by botnets, that is less true than it is today: many different threats require C&C servers to function correctly today, not just botnets.
Previously C&C servers were limited to IRC servers that controlled victim machines via chatroom commands. Since then, it has become essentially standard for all malware to include some form of remote control in order to perform the following functions:
- receive commands to perform directed malicious routines
- report system information for tracking purposes
- sends stolen information to an external drop zone
- allow an attacker complete control of the affected machine
The infrastructure of these C&C servers has also improved over time. Servers are able to stay in use for far longer periods of time due to the use of increasingly sophisticated techniques. C&C servers have been implemented in ways to make them resilient to take downs, difficult to detect, and disguise their origins. In this post, we describe the most popular methodologies used to circumvent security solutions and maintain control for longer periods of time, starting with the more sophisticated techniques. This may give some insight into how attackers operate and how their activities can be stopped.