What is a Command-and-Control Server?

A Command-and-Control server is a computer or set of computers managed by an attacker remotely to conform a network of infected devices and through which to send malware or malicious commands for stealing data, infecting more devices or compromising attacker target systems.

Read along for a deep dive into the basics of command and control servers. We will explain how they are used with some real-world examples and also discuss how they can be used to streamline IT operations in your organization.

How Command-and-Control works

A command and control server typically runs on a dedicated machine that is separate from the rest of the network. This makes it easier for the administrator to centrally manage and monitor a network of computers.

It can also be used to remotely administer the network. This includes installing and updating software, managing user accounts, and monitoring activity. Sometimes, it also includes launching attacks against other networks or computers.

In order to access a command and control server, an attacker would first need to compromise the machine that is running it. If the attacker gains access, he or she will also have access to the entire network and will be able to perform malicious acts with the system and the machines in the network.

For instance, the attacker might start by infecting a computer that is sitting behind a firewall at times. This could be done using:

• A phishing email (which would have the user either follow a link to a malicious website or open an attachment that executes malicious code)
• Malicious or infected software
• Security vulnerabilities in browser plugins

Once infected, the C&C attack will establish remote, clandestine channels between the compromised host and the attacker’s C&C server.

Attackers typically use these channels to deliver instructions to the compromised devices in order to:

• Download additional malware
• Create botnets
• Exfiltrate data
• Encrypt or corrupt data
• Shut down systems or networks
• Disrupt ongoing tasks

With the channels in place and the malware running undetected on the host, the C&C server can make use of this channel to continually extract data from the infected host, send and install more infected software, and execute any other malicious command sent over by the C&C server.

The infected host can receive instructions from the C&C server to start scanning the network for vulnerabilities on other systems in order to navigate around the network.

This can result in a network of hacked hosts (known as a botnet) and completely compromise an organization’s whole IT infrastructure. These botnets receive commands from the C&C server to perform coordinated attacks.

Types of Command-and-Control

The heart of any command and control server is its ability to manage, monitor, and manipulate the systems it controls. There are three primary types of command and control servers, each with its own set of features and capabilities:

Centralized Command-and-Control

As the name suggests, a centralized architecture normally has a single server that acts as the

central point of control. This type of server is common and mostly used by large organizations that have many remote systems spread out over a wide area.

The main advantages of a centralized C&C to an attacker are:

• It is easy to set up and maintain.
• It also provides a central point that makes it easier to monitor and manage any infected devices.

Although attackers can easily evade detection by domain fluxing (continually changing the domain name of the C&C server), this type of server makes it easier for the security team to locate and shut down any external threat.

Decentralized Command-and-Control

A decentralized C&C is also a botnet architecture. It makes use of a peer-to-peer network to

communicate, thereby providing each remote system with its own point of control.

Unlike a centralized C&C:

• Decentralized C&C servers are complex and demanding to set up and maintain. A centralized C&C gives one entity command over the whole network. Since coordination and decision-making are distributed across several nodes in a decentralized system, it can be difficult to ensure that every node is cooperating with the others to meet a common goal. Implementing a decentralized C&C is challenging since it calls for proper planning and decision-making across numerous nodes. It can also be difficult to guarantee the system’s security, scalability, and stability.
• Peer-to-Peer communication may introduce delays in relaying information.

To the defense/security team, they can be a nightmare since:

• They are difficult to detect.
• The decentralized nature means that there is no way to disable the entire botnet from a single point.
• They are resilient to distributed denial-of-service attacks.

Attackers using a botnet can evade detection and shutdown by:

• Utilizing a domain generation algorithm, wherein the malware uses a formula to create a list of domains. Given this, it is harder for security to block every probable server.

Hybrid Command-and-Control

As its name implies, a hybrid C&C system integrates components of both centralized servers and multiple decentralized nodes to produce a more intricate and resilient network architecture that can be tailored to fit the needs of any organization.

In a hybrid C&C system, extra nodes that are part of a decentralized network coexist with one or more central C&C servers that manage a core group of bots. This means greater control and

coordination than a decentralized C&C.

Decentralized nodes make the network more difficult to detect and disrupt, while having various points of control allows the botnet to continue its operations even if one or more central servers are taken down.

To evade detection, attackers make use of:

• Domain fluxing, which makes it difficult for network administrators and law enforcement authorities to shut down the botnet’s C&C infrastructure. It makes use of a domain generation technique to frequently change the domain name of the botnet C&C server.

Common uses of Command and Control

Command and control servers are mostly used by organizations that need a central point of management for all devices on their network, which makes it easier to deploy and manage applications and policies. They can also be used to monitor network activity and performance by providing insights into the health status of the network. Other common uses are discussed below.

Malware management

Malware management allows attackers to maintain control over their malware and continue to carry out malicious activities at their own pleasure. It allows the attacker to track the progress of the infection and adjust the attack strategy as needed.

From this (attacker’s) perspective, the attacker has several advantages:

• A centralized point of control for the malware.
• A definite control spot for coordinating their attacks.
• The ability to maintain control over the infected device even after it has been restarted or

  unplugged from the internet.

The security team should work to prevent communication between the attacker and the devices by:

• Getting the IP address.
• Securing the domain name of the C&C server. (However, this is difficult if domain generation techniques are used.)

Botnet control

In the age of ubiquitous computing and the Internet of Things, groups of hosts controlled by

malicious actors that are infected with malware are known as botnets. The potential of botnets to cause substantial damage through distributed denial-of-service attacks, data theft, spam, and

malware distribution has already been confirmed.

C&C servers are commonly known as bot masters while infected hosts are simply referred to as bots. The C&C server architecture allows for distributed malicious attacks on either the infected hosts or other interconnected hosts over LAN or the internet.

Botnets are commonly divided into two general architectural structures:

• Centralized
• Peer-to-Peer (P2P)

These structures are defined by how commands are transmitted throughout the C&C channel. In centralized botnets, a central C&C server is responsible for sending commands to bots. In a P2P network, the botnet commands are propagated throughout the P2P overlay network.

Botnets can be used for numerous kinds of distributed attacks such as distributed denial-of-service (DDoS) attacks, piracy, extortion, and many more. Despite the fact that there are many more attack channels for botnets, they initially spread through the use of Internet Relay Chat (IRC). File-sharing networks, infected email attachments, compromised websites, and vulnerability attacks are examples of attack vectors.

The rise of internet-connected pervasive devices provides botnets with a larger attack surface and more vulnerable hosts to infect.

Remote administration

Remote administration is the activity of administering a computer system or network remotely. System administrators can access and manage systems remotely using remote administration tools from any location with an internet connection.

However, the attacker can take advantage of remote administration tools to execute C&C on a

compromised system.

For instance, a hacker may connect to a compromised machine and take over a remote

administration tool like VNC (Virtual Network Computing). The malware might then be given

instructions to perform tasks like downloading other malware, encrypting files, or transferring stolen data back to the attacker’s command and control server.

Attackers may occasionally make use of genuine remote administration tools that have been hacked or altered for malicious ends. For example, they might log into a machine and perform C&C via Remote Desktop Protocol (RDP), a common remote administration tool.

Detecting and protecting against Command and Control

One of the most common measures employed when dealing with C&C attacks is to continually

monitor the activities of host computers and blacklist/block any known malicious

domains.

Network-Based detection

Network-based detection is a technique that monitors network traffic for signs of C&C activity. Network-based detection technologies can identify C&C traffic-specific communication patterns between terminals and remote servers.

For example: A C&C connection may be noticeable if a server is using a particular port to communicate with a lot of terminals and transmit a lot of data.

Some of the techniques used in network-based detection include:

• Network traffic analysis
• Intrusion detection systems
• Deep packet inspection

Detection methods can also be based on machine learning. In machine learning-based detection, algorithms are used to track network activity and identify behavioral trends that signal C&C activity. They pick up on previously unknown C&C traffic patterns and adapt with evolving attack strategies.

Host-Based detection

Host-based detection involves monitoring the activities of an individual host. It can make use of tools that monitor:

• File system activities
• Network connections
• System logs

With system logs, for example, one can detect an increase in outbound network traffic or an unfamiliar running process that would signal a C&C intrusion. Tools used in host-based detection include:

• Host-based intrusion detection systems
• Antivirus software
• File integrity monitoring software

This method is based on the fact that C&C attacks frequently involve the installation of malware

or other harmful software on certain endpoints (which can be identified by watching those

endpoints’ activities).

Blacklisting

Blacklisting works in a literal manner: once malicious domains, IP addresses, or URLs are noted, a list is made. Blacklisting tools are then used to block traffic from these malicious domains, thereby reducing the risk of compromise. This list can also be updated in real-time.

As mentioned earlier, blacklisting can include:

• DNS
• IP addresses
• URLs (malicious URLs are one of the most common issues encountered by almost every internet user)

When network traffic is detected from a blocked IP address, the request is either permanently blocked or redirected to a safer site.

Real-World examples of Command and Control

Banking Trojan: “TrickBot”

A TrickBot can be used to steal banking credentials and other personal information, and it is often spread through phishing emails. 2019 saw a number of assaults on financial institutions in the US, UK, and Canada using TrickBot malware. Law enforcement and security experts collaborated to take down the TrickBot network, but the malware’s authors are still evolving and changing their strategies. Multi-factor authentication and anti-malware software are two crucial precautions that help prevent this kind of attack. See this blog post for more information.

Botnet: “Mirai”

The massive DDoS attack that interrupted internet access across the United States in 2016 was

carried out by the Mirai botnet. The Mirai botnet was built by infecting vulnerable IoT devices with malware. See this page for more information.

Malvertising: “Kyle & Stan”

The “Kyle and Stan” malvertising campaign, which was uncovered in 2014, is one example of how malicious advertisements can be presented on trustworthy websites to distribute malware and steal personal information. The campaign comprised ads that seemed to provide streaming services for well-known TV shows, but when consumers clicked them, they were actually taken to a website that tried to infect their machines with malware. Drive-by downloads were used to disseminate the malware, which was created to steal private data. See this blog post for more information.

Conclusion

Command and control servers have become increasingly popular in recent years, as they provide organizations with greater visibility into their IT systems and more efficient ways of managing them. One of their most useful features is that they give security administrators the ability to monitor and manage infrastructure from one centralized location. This allows them to quickly identify potential issues and take corrective action before it becomes an issue for the consumers.