What Is a Command and Control Server for Malware?

Command and Control Server, or C&C, is a common name for a server that is used to control the botnets – networks of computers infected with certain malware. Command servers are created by crooks, and maintained within a certain period of time – in order to manage the malware. Through these servers, malicious software receives a command to attack a specific target, download additional malware, execute certain commands or self-destruct. Actually, the entire control over botnets may be done just through a sole command server. However, the architecture may differ from one case to another, and even change within a single botnet depending on the needs of hackers.

These days, all malware attacks are performed with the use of C&C servers. Even when the initial payload is delivered manually, the further activities, like downloading additional files or payloads, should definitely be commanded from the server. The short lifespan of such servers is a trade-off for stealthiness: the less time the server is online, the less attention it attracts. Moreover, changing the servers that fast makes malware detection and blocking much harder even for advanced security solutions. Earlier, C2s that have the uptime of weeks and even months were also possible, but this practice quickly became extinct.

How C&C servers are used

As it was pointed out, most of the malware attacks that take over more than a couple of system are controlled through the C&C. The exact type of the controlled malware may be different - it may be a backdoor, spyware, ransomware, or an advanced persistent threat, that conjoins the functions of all of the mentioned. This centralized unit allows crooks to have a full control over their botnet and instantly make the corresponding changes - without any delays or intermediary chains.

Since command and control servers have a very short lifespan (usually around 30-60 minutes), it is important to provide malware with actual IP addresses of C&C servers. Older variants of botnets relied upon a constant list of addresses, which were switched at occasional intervals. Newer, in particular – P2P botnets – use dynamically updated C2 addresses. These addresses are retrieved from a web cache attached to a certain p2p network, or through a random PC present in the network. Through such an approach, crooks make it possible to have minimum manual interruptions to the attacked systems, and remain stealthy to continue their dirty actions.

Despite being actively used in the control over malware spreading, C&C servers never spread malware by themselves. Their sole purpose is to control what is happening – offer a new malware to download (by sending the server address where it can be downloaded), adjust the infected environment and the like. Exact commands, as well as the process of the server establishment, is often managed through the administrative panel. These days, a lot of malware offer admin panels as a convenient way to manage a huge network. Through this panel, crooks not only give commands to malware, but also see the stats and manage the data stolen from the infected devices. Together, C&C and the admin panel form all the infrastructure required to administer the malicious network.

Different command and control architectures

Even though the need for C&C may be the same for all cases of its application, the type of malware, its number, and other less critical details may influence the form of the command server. The architecture will have, in the end, maybe centralized, peer-to-peer, or mixed. If needed, hackers may change the structure of a server to suit the changing needs.

A centralised command and control server was a usual practice in the past years. Through those reckless times, crooks' activity has not been obstructed so heavily with IoC lists, security systems, and so forth. Its structure supposes a sole command server, which is used to control the entire botnet. Further, these connections started being blocked by security solutions, so the crooks decided to switch the IPs once a certain time period. The next attempt to circumvent the restrictions lead to other, less centralised structures.

Peer-to-peer C2 server suppose the commands spread within a botnet with P2P structure. Although it is harder to set up, detecting and defuncting that botnet is harder by orders of magnitude. Each new device in the malicious network receives the configurations not from a command server, but from one of the computers in the botnet. Aside from the visual absence of direct connection to the C&C, there is also a different way to keep the information about the further C2 address. To prevent uncovering the entire chain of IPs, there are only a couple of them kept in the malware configuration files. To obtain a new address, malware sends a request to a P2P network infrastructure, or connects to a command module located somewhere on the benevolent service.

Hierarchical server groups have some similarities with centralised servers, but also include a number of C&C servers set in a hierarchical manner. Such a structure allows the crooks to apply a constantly-running C2 (it may be necessary to have for certain cases) without exposing its IP-address. All the commands are applied through the Tier 2 command server, whose lifespan is very short – same as in all other schemes. Creating several subordinate servers gives the opportunity to rent them to a third party – other crooks who want to have a botnet under control.

Multi-server organisation of command and control servers suppose the use of several C2 servers – similar to the centralised method. However, multi-server forms make all the servers equal in their purpose. Several addresses help to avoid all possible IP filters and succeed in communication with infected systems, boosting the overall fault tolerance. Repeating the commands also helps in the case of unstable Internet connection – not a rare case when dealing with a large botnet.

What Can Hackers Accomplish Through Command and Control?

As you can see above, they can perform all kinds of operations with the software they are controlling. Using such a thing, hackers can manage some of your system settings using a backdoor, then collect the information with spyware and deploy ransomware in the end. This is the most common case of command and control server usage. Even though a lot of malware is automated these days, the unusual alterations to the security settings, as well as the use of complicated protection measures, require the interruption of a human.

The possible (and most often used) functions of command and control servers are the following:

• Data theft. Most movements of data exfiltrated from the attacked environment is performed through the command and control server. However, the exact data is not stored at the C&C, as it requires the server to be online for an extended period of time. Moreover, it should have the corresponding storage size – not a convenient option for single-use transmitters like C2s usually are. That’s why, for data exfiltration, crooks send the address of a cloud storage that will receive the data as a ping message to all the malware connected to the command and control server.
• Controlling the attacked devices. Through the commands issued by C&C, malware can force the infected devices to reboot, install or delete certain apps, adjust system settings and so on. All of these functions may be needed to apply the updates or improve the malware efficiency on the device.
• DDoS attack. The classic use of a great number of botnets, which supposes massive sending of requests to the target server. To reach higher efficiency, crooks apply different tactics – such as reflection-amplification attacks or Ping-of-Death attacks. All of the instructions should arrive at each machine in the botnet – and C&Cs are in charge of that.
• Further malware injection. In the cases when the botnet is created with the use of loader malware, access to these PCs will be used to download any other malware. The offers for such access are met here and there in the Darknet forum offers. With backdoor or dropper malware installed, the system becomes a time bomb. In the most severe cases, the situation may end up with a ransomware attack, or APT deployment.
• Products adulteration. In the case when a botnet is established inside of the corporate network, hackers can not only use these systems as they wish but also change the files stored in those systems. It is not that easy to reach the endpoint, so the action will likely take place in the system of an employee that has access to the product’s repository. In that manner, an infamous SolarWinds attack happened – hackers succeeded at injecting backdoor code into one of the minor updates the program have to receive soon after the attack.

Protection against C&C attacks

Command and control servers are the network infrastructure element - and that’s worth keeping in mind constantly as you are trying to deal with that threat proactively. Thus, you should pay a lot of attention to your network protection and, more importantly, to the dubious behavior inside the perimeter.

Set up a network monitoring system. Sure, some of the alternatives, like just closing the network from the outside connections, could work – but they are much less convenient. Working from home has spread heavily through the last 3 years, so there’s a constant need for external connections. Users need to access the files from their office workstations, interact with the software on the internal servers, and even manage the network – system administrators work from home. Simply allowing each “trusted” IP address will be a pain in the administrators’ necks and also a security concern. The best way to solve this problem is to apply network monitoring tools that constantly check the connections, behavior, and upcoming events.

In particular, botnets often use a pre-defined list of IP addresses of C&C servers. Malware analysts from all over the world collect those addresses, and then feed it into a security system. The collection of IP addresses, malware hashes and server URLs are called indicators of compromise. Seeing them in your system means that something malicious is inside of your system.

Using the advanced protective solution. Scattered protection, offered by legacy antivirus tools, is not enough to provide protection in a corporate environment. They’re just not created to prevent advanced threats and counteracting exploitation. Endpoint detection and response solutions will fit small and medium-sized organizations, as the network size (and, correspondingly, the attack surface) is not so large to control manually. For large companies, it is better to get an extended detection and response (XDR) system, which will simultaneously control endpoints, network infrastructure, and all devices connected to the network. In particular, the latter may also work as a network monitoring tool we’ve mentioned above.

Check-up the weak spots. Hackers mostly attack through well-known places named by security analysts hundreds of times. As practice shows, companies rarely listen to that advice, so you’d probably have some loose things to tie up. Set up the RDP connections through the secured port (different from the default 3389). Crooks often monitor this connection technology and never refuses to exploit such a chance. Another “traditional” weakness is outdated software – full of exploitable vulnerabilities. In particular, crooks often exploit MS Exchange, Outlook, and a pack of Adobe software. Developers are trying to find and patch all known breaches, and ignoring security updates is reckless. That advice is more about making the lateral movement harder, as they will spend more time finding a way to spread inside the network. And all this time will work for your good.