What Is a “Command and Control Server” for Malware?


[Image: a network of small blue robots representing a botnet. Credit: BeeBright/Shutterstock.com]

Whether it’s data breaches at Facebook or global ransomware attacks, cybercrime is a big problem. Malware and ransomware are increasingly being used by bad actors to exploit people’s machines without their knowledge for a variety of reasons.

What Is Command and Control?

One popular method attackers use to distribute and control malware is “command and control,” also called C2 or C&C. Bad actors use a central server to covertly distribute malware to people’s machines, send commands to the malicious program, and take control of a device.

C&C is an especially insidious method of attack because just one infected computer can take down an entire network. Once the malware executes on one machine, the C&C server can command it to duplicate and spread, which can happen easily because the malware has already gotten past the network firewall.

Once the network is infected, an attacker can shut it down or encrypt the infected devices to lock users out. The WannaCry ransomware attacks in 2017 did exactly that by infecting computers at critical institutions such as hospitals, locking them, and demanding a ransom in bitcoin.

How Does C&C Work?

C&C attacks start with the initial infection, which can happen through channels like:

  • phishing emails with links to malicious websites or containing attachments loaded with malware.
  • vulnerabilities in certain browser plugins.
  • downloading infected software that looks legitimate.

Malware is sneaked past the firewall disguised as something benign, such as a seemingly legitimate software update, an urgent-sounding email warning you of a security breach, or an innocuous file attachment.

Once a device has been infected, it sends a signal back to the attacker’s server. The attacker can then take control of the infected device in much the same way that tech support staff might assume control of your computer while fixing a problem. The computer becomes a “bot” or a “zombie” under the attacker’s control.
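The check-in signal described above is usually repeated on a fixed schedule, and that regularity is something a defender can look for. The following is an added example, not code from the original article: a small Python script that reads constructed proxy-log lines of the form `<epoch> <source-ip> <destination-host>` and flags source/destination pairs whose connection gaps are nearly constant. The log format, the host names and the thresholds are assumptions for illustration; real malware often adds random jitter, so a production detector needs more data and looser tolerances.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy-log lines: "<epoch> <source-ip> <destination-host>".
# 10.0.0.23 checks in with one host about every 60 s; 10.0.0.42 browses normally.
SAMPLE_LOG = """\
1700000000 10.0.0.23 cdn-updates.example
1700000059 10.0.0.23 cdn-updates.example
1700000121 10.0.0.23 cdn-updates.example
1700000180 10.0.0.23 cdn-updates.example
1700000242 10.0.0.23 cdn-updates.example
1700000300 10.0.0.23 cdn-updates.example
1700000005 10.0.0.42 news.example
1700000017 10.0.0.42 news.example
1700000130 10.0.0.42 news.example
1700000131 10.0.0.42 news.example
1700000290 10.0.0.42 news.example
"""

MIN_HITS = 5       # fewer connections than this is too little to judge
MAX_JITTER = 0.15  # stdev/mean of the gaps; smaller means more clock-like


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(int(ts))
    return seen


def find_beacons(text, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return (src, dst, mean_gap_seconds) for pairs whose gaps are nearly constant."""
    beacons = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A human browsing produces bursty gaps; an automated check-in does not.
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append((src, dst, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: check-in every ~{gap}s")
```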

The infected machine then recruits other machines (either in the same network, or that it can communicate with) by infecting them. Eventually, these machines form a network or “botnet” controlled by the attacker.

This kind of attack can be especially harmful in a company setting. Infrastructure systems like hospital databases or emergency response communications can be compromised. If a database is breached, large volumes of sensitive data can be stolen. Some of these attacks are designed to run in the background in perpetuity, as in the case of computers hijacked to mine cryptocurrency without the user’s knowledge.

C&C Structures

Today, the main server is often hosted in the cloud, but it used to be a physical server under the attacker’s direct control. Attackers can arrange their C&C servers in a few different topologies:

  • Star topology: Bots are organized around one central server.
  • Multi-server topology: Multiple C&C servers are used for redundancy.
  • Hierarchical topology: Multiple C&C servers are organized into a tiered hierarchy of groups.
  • Random topology: Infected computers communicate as a peer-to-peer botnet (P2P botnet).

Attackers used the internet relay chat (IRC) protocol for earlier cyberattacks, so it is largely recognized and guarded against today. Newer C&C channels are a way for attackers to get around safeguards aimed at IRC-based cyber threats.

Since as far back as 2017, hackers have been using apps like Telegram as command and control centers for malware. A program called ToxicEye, which is capable of stealing data and recording people without their knowledge via their computers, was found in 130 instances just this year.

What Attackers Can Do Once They Have Control

Once an attacker has control of a network or even a single machine within that network, they can:

  • steal data by transferring or copying documents and information to their server.
  • force one or more machines to shut down or constantly restart, disrupting operations.
  • conduct distributed denial of service (DDoS) attacks.

How to Protect Yourself

As with most cyberattacks, protection from C&C attacks boils down to a combination of good digital hygiene and protective software. You should:

Most cyberattacks require the user to do something to activate a malicious program, like click a link or open an attachment. Approaching any digital correspondence with that possibility in mind will keep you safer online.
