Over a million developers have joined DZone.

Malware Command and Control

DZone 's Guide to

Malware Command and Control

By taking advantage of weaknesses in your SSL/TLS security layers, hackers can inject malware into your system via the Command and Control infrastructure.

· Security Zone ·
Free Resource

One thing almost all malware has in common (especially more advanced varieties) is robust command and control infrastructure. Ironically, the C&C infrastructure needs to be very secure - it needs to provide appropriate reliability, solid message integrity, and some amount of confidentiality. The exact kinds of things that we need more of to avoid having to deal with these kinds of programs.

Malware campaign operators use a wide variety of techniques to implement and secure this kind of capability. These range from using Tor, TLS protected communication, single- and double-flux networks, domain name generation algorithms, domain shadowing, to hijacked proxy systems, and any combination of these approaches.

Tor, everybody already knows and loves. Tor provides some amount of anonymity to traffic by routing packets over a large, geographically dispersed overlay network. Now, Tor is not perfect, and people can certainly misconfigure it and leak real IPs. But if configured correctly, it's a great protection against discovery.

TLS is pretty well understood too. But malicious actors don't use TLS to protect their communication as much as to hide it from intercepting proxies. They don't really care who has access to their C&C traffic, as long as very specific people don't.

Flux networks use DNS registration to avoid DNS sinkholes, associating name after name with a given IP address. And they move quickly - as quickly as every 300 seconds. And they do the same kind of thing with nameservers, too, giving them even more control over accessed domains. When used with domain name generation algorithms, small programs that generate domain names that can keep malicious client software synchronized with backend flux network endpoint names, they become very difficult to block. And when they change IP addresses in tandem with name changes? Things get even worse. 

Domain shadowing is frequently used in tandem with compromised accounts. Most organizations won't block Google, so if a malicious operator uses a Google service as a C&C proxy (like, say, Gmail or Google Drive), companies are stuck until Google takes action (which, fortunately, happens pretty quickly). But compromised WordPress accounts are handy too, especially as an intermediary proxy - because why wouldn't you have multiple proxy layers, right?

These approaches are never used singly, either. They're always used in tandem. And they're very difficult to break by your average IT department.

command and control ,security ,malware ,ssl/tls

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}