One of the ways that malware on a network is spotted is via its network activity. However, in many cases this can be difficult to detect: there have been incidents where command-and-control (C&C) servers were able to stay online and pose a problem for many years. This particular group of threat actors was active for more than five years, and used a single C&C server for two years.

Malware, unlike future artificial intelligence, is generally not self-aware and requires direction from an attacker to function well. That's where C&C servers come in. While these are commonly thought of as limited to use by botnets, that is less true today than it once was: many different threats, not just botnets, require C&C servers to function correctly. Previously, C&C servers were limited to IRC servers that controlled victim machines via chatroom commands. Since then, it has become essentially standard for all malware to include some form of remote control in order to perform the following functions:
- receive commands to perform directed malicious routines
- report system information for tracking purposes
- send stolen information to an external drop zone
- allow an attacker complete control of the affected machine
Figure 1. Some malware families that have had C&C servers on cloud infrastructure services

Needle in a haystack: domain generation algorithms

Botnets use domains generated by domain generation algorithms (DGAs) to make detection of their server infrastructure more difficult. This technique was popularized by DOWNAD/Conficker years ago, which used it to generate and check 250 to 50,000 domains a day. It is designed to overwhelm traditional blacklisting solutions. Since then, malware authors have formulated different algorithms to generate massive numbers of domains that hide their real C&C servers. As a result, DGA-using malware families such as CRILOCK, PUSHDO, NIVDORT and Gameover ZeuS had the most C&C domains in use last year. Combined with fast flux DNS techniques, this obscures the locations of C&C servers across many hosts.

Multi-level C&C servers

A typical C&C setup uses a "simple" architecture where infected victims talk directly to the servers. However, this need not be the case. First-level servers may only be proxies that get their commands from a second server "higher up" the C&C chain, analogous to a military hierarchy where lower-ranking officers take orders from higher-ranking ones. One particular advantage of this layout is that it makes detecting the higher-level servers much more difficult. Researchers can see and identify the first-level servers, but unless they can also observe all of the network traffic of those servers, they cannot locate the actual C&C server.

Use of public registrars

Another (optional) step in setting up a C&C server is acquiring a domain. (One could use just an IP address, but this makes these servers easier to detect and block.) The list below shows the most popular registrars where C&C domains were registered.
Nothing about this data indicates that these registrars are complicit in malicious activities; the registrars on this list are all popular and well-known. It only shows that cybercriminals are also inclined to use them. The list below is based on the most popular registrars used by the active domains we have discovered and monitor:
- DynaDot LLC
- ENOM Inc
- Internet AG
- Melbourne IT
- Network Solutions
- Public Domain Registry
- Tucows, Inc.
- Vitalwerks Internet Solutions
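The DGA section above explains that families like DOWNAD/Conficker check hundreds to tens of thousands of generated domains a day, which is exactly the pattern a defender can look for in DNS logs. The following is an added example (not code from the original article or from any vendor tool): a small lexical scorer that flags query names whose registered label looks machine-generated. The log format and the scoring thresholds are assumptions for illustration, and the sample log lines are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> <queried-name> <record-type>"
SAMPLE_DNS_LOG = """\
2015-03-01T10:00:01 10.0.0.12 www.example.com A
2015-03-01T10:00:02 10.0.0.12 mail.example.org A
2015-03-01T10:00:03 10.0.0.12 qxzvkpwtbrlmncdf.info A
2015-03-01T10:00:04 10.0.0.12 h7k2p9x3qz4w8v1m.net A
2015-03-01T10:00:05 10.0.0.12 cdn.static-assets.com A
2015-03-01T10:00:06 10.0.0.12 ytrewqplkjhgfdsa.biz A
"""

def registered_label(hostname):
    # Second-level label only; multi-part public suffixes (e.g. co.uk) are
    # not handled here, which a production tool would do with a suffix list.
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    """Heuristic: two or more 'random-looking' traits flag the label."""
    n = len(label)
    if n == 0:
        return False
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    longest_run = max((len(r) for r in re.findall(r"[^aeiou0-9]+", label)), default=0)
    traits = [
        entropy > 3.5,         # near-uniform character spread (assumed threshold)
        vowel_ratio < 0.25,    # pronounceable words contain vowels
        longest_run >= 5,      # long consonant strings are rare in real words
        digit_ratio > 0.2,     # digits mixed into the label
    ]
    return sum(traits) >= 2

def flag_dga_candidates(log_text):
    """Return (client_ip, hostname) pairs whose registered label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, name = fields[1], fields[2].lower().rstrip(".")
        if looks_generated(registered_label(name)):
            flagged.append((client, name))
    return flagged
```

Individual hits are only a lead; the DGA signature is one client producing many distinct flagged names (and typically many NXDOMAIN answers) in a short window, so group the output by client before raising an alert.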
Figures 2-4. WHOIS results for URLs with domain privacy

Use of compromised sites

The chart above notes that botnets created with the ZeuS malware kit are some of the most common uses of C&C servers hosted on cloud providers. ZeuS also uses compromised sites for some aspects of its C&C functionality, because it uses a relatively simple communication infrastructure: ZeuS downloads an encrypted configuration file from its C&C servers, and this file contains all the commands and information ZeuS needs to carry out its activities. This makes it easy for cybercriminals to use compromised sites as C&C servers, as they only need to upload their configuration file. This is still independent of the main C&C servers, which host the ZeuS control panel (and may not be hosted on compromised sites). There are multiple ways to compromise sites. Some that have proven very effective are the following:
- Targeting web services that still use default settings. This includes weak passwords on management consoles, which can easily be searched for, scanned, and brute-forced from the Internet.
- Public exposure/leakage of code, access credentials and information. For example, developers may upload their source code to public repositories (such as GitHub), exposing this information for others to view.
- Exploiting known vulnerabilities in web services. Zero-day vulnerabilities need not be used here; old, already-patched vulnerabilities work perfectly well, as many websites run older, unpatched versions of software that are vulnerable to attack. For example, the Rodecap malware (known for its use in sending spam) is suspected of using C&C servers that were compromised. It is believed that these sites were compromised because they ran outdated (and vulnerable) versions of content management systems.