This article summarizes some of the strange c&c control servers I've seen in my safe work. The design method of the controller server and the corresponding detection method, in each C&c Control service first introduces the Black Hat part is the C&C server design method for the different purposes, and then introduces the white hat part is related detection methods , let's have a look at the western set. There's a part of the white hat part of the detection method that requires some data and statistical knowledge, and I also briefly discussed the principle of using data for security analysis, from the principles of mathematics and data to think about why this can be used as data science in the field of security some examples of learning.
0x00 What is a c&c server
The C&c server (also known as the CNC server) is Command & control server, which is typically the master server of the command and control botnet botnet, used to infect each botnet with malware (malware) Host to communicate and direct their attack behavior. Each instance of the malware is instructed to attack by communicating with its C&C server, including obtaining the time and target of the start of the DDoS attack, uploading the information stolen from the host, and timing to encrypt the infected machine file.
Why malware need unsolicited and c&c service communication? Because in most cases malware is downloaded to the infected host by means of phishing emails , the attacker is not able to actively know who downloaded the malware and cannot actively know the status of the host ( Whether the power-on or not connected, etc.), unless malware actively told him, so malware will be built a set of search C&c master server method to maintain and c&c contact and disconnection re-connected. The key point of the C&c Control service is that the attacker can not deceive the defender to successfully hide the C&c service: If the defender detects a hidden c&c service, through some technology (blocked domain name and IP, etc.) or non-technical means (reporting to the Security Emergency Center, etc.) Cutting off the connection between malware and c&c can effectively destroy the botnet.
Find to C&c after malware and c&c communication mode is not the focus of this article, it can be SSH file transfer can also be a simple HTTP GET and post, the technique is not very large, A few of the techniques that are hidden by transmission, such as using DNS tunneling to hide traffic, can be explained in detail later.
0x01 IP Address: Low difficulty, easy to get caught
This is the most common type of C&c server. The attacker hardcoded the IP address of the C&C server in the code of the malware and then uses HTTP to pull the required attack commands or upload the information stolen from the host's infected machine when it needs to communicate with c&c, and so on.
This is not a high-level approach, because if the malware binary code is obtained, this IP-based method can easily be used by the security personnel to reverse engineer binary code or detect honeypot traffic to get the address of the C&C server, so as to report to the service provider blocking IP. So this method does not effectively hide the c&c service, IP was caught by the anti-virus software to update the viral database after the entire botnet was destroyed. Now most of the domestic malware of the main control server are in this way to spell luck not to be caught, they rely on the number of malware, today grabbed a day to come out three, the market competition is very fierce.
C&C servers for foreign IP are typically on cloud servers such as Amazon AWS, notifying service providers that it is easy to block IP. Domestic cloud service provider attitude ambiguous, but also is OK. Resourceful domestic malware author renting cloud service IP in Southeast Asia, can effectively avoid domestic regulation and the speed is good (I'm not teaching you to do so).
Security personnel also do not think that this method low-level think can be easily effective defense, such as if the infection machine can not install anti-virus software or you do not know the poison. A recent example is the recent linux/xor.ddos of a fire-implanted router, whose c&c control is the IP on top of AWS, because most people do not know that routers will be massively implanted with malware, and the router itself is rarely protected , it is suitable for IP to do c&c, but also eliminates the complex domain name algorithm and DNS query code to ensure that the software itself is lightweight. also due to the nature of the route itself, the routing Trojan does not have to worry about losing links, a c&c communication can be kept connected for a long time, reducing the chance that the Trojan was found. Skill is not gorgeous, but good or powerful. For a detailed analysis of the Trojan, see http://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html.
0x02 single c&c domain name: Less difficult, easy to get caught
Because hard-coded IPs are easily caught by a batch of regex scans within the binary code of the string segment, a workaround is to apply for some domain names, For example, idontthinkyoucanreadthisdomain.biz instead of the IP itself, scanning the binary code will not immediately find the IP field. This is a widely used method, usually the C&C domain name is very long, disguised as some personal homepage or legitimate business, and even a fake home page. Even so, this method is still a palliative, the detection method is relatively simple, the reason is:
Security vendors such as Sophos and other senior security personnel experienced, they will quickly manually locate the malware may contain c&c domain name functions, and by monitoring the Honeypot DNS query data, quickly locate the C&C domain name. These targeted domain names will be reported to other vendors, such as operators or VirusTotal blacklist .
The new c&c domain name will form some specific patterns in the DNS data anomaly detection, and it is easy to detect these new strange domain names through the data-making threat-aware vendors, and determine this is a suspicious c&c domain name through IP and other network features.
So the common c&c domain name is in the blacklist of security vendors than the speed, if it is faster than the security researcher reverse engineering, it wins, but the recent pattern is that with data-based threat perception more and more common, these c&c domain name life cycle is getting shorter, bad luck usually can not live half an hour. Attackers will also devise more complex ways to hide themselves, because registering a domain name requires a fee, such as a privacy-protected. com domain name needs a good $ dozens of, looking for a chicken implant Trojan also costs a lot of effort, was prepared to fight a half-hour result of a six-year results were sealed the outweigh the gains.
at this speed of the game, a low-cost convenient technique is to use a free two-level domain name, such as 3,322 family Ah VICP family, etc. do not review the level two domain name of the free two-level domain name provider , the most famous example is the Win32/nitol family, Microsoft relied on the court to award 3322.org ownership of their entire end (although later the domain control was to go back). This method is the domestic malware author favorite method, the data is common in some Hanyu Pinyin c&c domain name, such as woshinidie.3322.org, such as happy feeling and do not forget the advantage of the two-level domain name, may be because in China to apply for top-level domain name trouble also expensive and easy to expose identity, rather stuffy sound big wealth. You see, that's not what I'm teaching you to do.
What's really interesting is that the technology is that more advanced c&c domain names are more than one , hiding themselves through a method called fast flux.
Overview of design and detection methods for C&C control services--ddos attack, upload information from the host to steal, timed to the infected machine file encryption ransomware.