Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Malware Command and Control Without HTTP

DZone's Guide to

Malware Command and Control Without HTTP

Knowing how malware is spread is a key component of fighting it. With that in mind, we look at several command and control protocols that are used to spread malware.

· Security Zone ·
Free Resource

Protect your applications against today's increasingly sophisticated threat landscape.

Malware frequently uses HTTP for communication, but it's not the only option. Neither is TCP the only IP protocol we can use. The advantage to using HTTP is that there is just so much of it. Equipment and monitoring systems are used to seeing it, an analyst analyzing it, so it just doesn't stand out. And that's the key - you want your malicious C&C traffic to blend in as much as possible, which is why we like to use common protocols that, ideally, look like they're sent to common sites. But HTTP isn't the only protocol that does this.

So analysts will look for unusual protocols, out-of-place ports, and strange domains when analyzing network traffic for malicious use. If you're a bad actor, you want to avoid all of these issues if you can help it. There are other common protocols people use on enterprise networks that aren't unusual - specifically, protocols like SIP (session initialization protocol), RTSP (Real Time Streaming Protocol) and RTP (Real-time Transport Protocol).

SIP. So SIP is commonly used to initialize VOIP calls as well as control text messaging. It's text-based like HTTP, not binary, like some other protocols. That makes it easy to parse, and easy to implement. It shares many features with HTTP in fact, including common header fields like user-agent. If on a network with VOIP integration, SIP is very, very common, and it can be encrypted with TLS to boot. Putting this all together gives you a common protocol very useful for C&C work - it can be common (not always, and not as common as HTTP, but it still may not be surprising to see). You can use it to communicate with a wide range of hosts, and you can encrypt the traffic. All in all, very useful.

RTSP. RTSP is another control protocol but it's used for video streaming. It allows systems to submit the kinds of commands you'd expect from a video system. Commands like play, pause, stop, and so on. It also has a few other commands that either support or directly address exchanging arbitrary data (either by using description fields in ANNOUNCE or DESCRIBE messages or via the SET_ and GET_PARAMETER commands). Now RTSP traffic won't be as common as HTTP on, really, any networks you'd find, but it won't be unusual either. Most corporate networks today allow video streaming from internal sites at the very least, and usually from external sites too. RTSP is almost always carried on internal IP networks though, unlike SIP messages, which in some organizations might only be found on dedicated VOIP networks (where you wouldn't expect to see HTTP traffic either).

RTP. RTP is another useful video protocol you can use for C&C. RTP is frequently seen with SIP or RTCP (RTP Control Protocol) traffic. Unlike the first two examples, RTP traffic is a data transfer protocol, not a control protocol. You'll see it anywhere you'd see web teleconference traffic, television traffic, that kind of thing. You'll see lots of it on Hotel entertainment networks, for example.

So, keep in mind, if you're looking for malicious traffic on your network, any of the protocols you're looking at could be used to carry malicious commands. In more sophisticated campaigns, you'll see multiple protocols in use (like RTP locally to a proxy, and then SIP from the proxy to an external C&C endpoint). HTTP is common, but it's not the only one you'll see used.

Rapidly detect security vulnerabilities in your web, mobile and desktop applications with IBM Application Security on Cloud. Register Now

Topics:
command and control ,malware analysis ,security ,internet protocols ,malware

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}