Investigating and Detecting Command and Control Servers
Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of botnet command-and-control (C&C) servers, as used both in targeted attacks and in attacks against the broader Internet user base.
We are able to combine various threat intelligence sources, including feedback from the Trend Micro™ Smart Protection Network™, to get a glimpse of C&C server activity (these are displayed in real time on the Global Botnet Map). Our findings below reflect the information we gathered throughout 2014. We are able to examine the location of C&C servers, the location of endpoints, and the malware families that use these servers.
So what can we learn from these numbers, and can IT professionals help reduce this threat?
Botnets are using more and more ways to avoid being detected.
The tables below highlight the number of servers we saw in use by various malware families:
Table 1. Servers in use by malware families (all botnets)
Table 2. Servers in use by malware families (targeted attacks only)
Some trends can be seen from these numbers:
- Malware families that use domain generation algorithms (DGAs) like CRILOCK and GOZEUS are well-represented in the list, highlighting their popularity. Despite the differences in underlying behavior (crypto-ransomware versus information stealers), DGAs are popular as they make blocking of malicious domains more difficult with relatively little added expenditure of effort on the part of attackers.
- Compromised sites are also popular C&C servers. ZeuS/ZBOT and RODECAP are both known to use compromised sites for their C&C servers, and both families are known to use this particular tactic extensively.
- Similarly, free web hosting providers and dynamic IP redirection services are commonly used by some malware families such as NJRAT and DarkComet.
- Many remote access tools (RATs) that were initially used in targeted attacks have now been used in various cybercrime-related attacks as well. This highlights the increased availability of these RATs, as well as the low entry barrier to registering and setting up C&C domains.
Taken together, these developments show how attackers are adopting more techniques to try to obfuscate the C&C servers under their control. This can make forensic analysis of these attacks much more difficult, making detection and attribution potentially problematic.
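The DGA, compromised-site and dynamic-DNS patterns listed above all leave traces in DNS query logs, and a defender can score those logs for them. The script below is an added example, not Trend Micro's code or a description of how the Smart Protection Network works: it parses a constructed DNS log (the four-field format is an assumption), scores each queried name for DGA-like traits (long, high-entropy, vowel-poor labels), counts NXDOMAIN responses per client (a DGA-infected host typically queries many unregistered names), and flags queries under a placeholder list of dynamic-DNS suffixes. Thresholds and the suffix list are assumptions chosen for illustration.

```python
"""Added example: scoring DNS query logs for DGA-like domains and dynamic-DNS use.

Not Trend Micro's code. The log format, the thresholds and the dynamic-DNS
suffix list are assumptions chosen for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2014-06-01T10:00:01 10.0.0.5 www.example.com NOERROR
2014-06-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-06-01T10:00:03 10.0.0.7 xkqwpvmzrtlbcdyhg.net NXDOMAIN
2014-06-01T10:00:04 10.0.0.7 qzjvrmtbwdlkhpscn.org NXDOMAIN
2014-06-01T10:00:05 10.0.0.7 plvjrnqctxwkmhsdb.com NXDOMAIN
2014-06-01T10:00:06 10.0.0.7 wmhzrqkpcnvtlsjdb.biz NOERROR
2014-06-01T10:00:07 10.0.0.9 files.internal-share.example NOERROR
2014-06-01T10:00:08 10.0.0.9 myhost.ddns-provider.example NOERROR
"""

# Placeholder list of dynamic-DNS / free-hosting suffixes. A real deployment
# would load a current list from threat intelligence feeds.
DYNAMIC_DNS_SUFFIXES = {"ddns-provider.example"}

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a query name. Assumes single-label public
    suffixes; a production tool would consult the Public Suffix List."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Number of DGA-like traits present: long, high entropy, vowel-poor."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) > 3.5:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    return score


def is_dynamic_dns(qname):
    """True if the name sits under one of the listed dynamic-DNS suffixes."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_dns_log(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, rcode = fields
        yield {"ts": ts, "client": client, "qname": qname, "rcode": rcode}


def analyze_dns_log(text, dga_threshold=2, nxdomain_threshold=3):
    """Per-client summary of NXDOMAIN count, DGA-like names and dynamic-DNS names.

    Only clients with at least one finding are returned."""
    report = defaultdict(lambda: {"nxdomain": 0, "dga_like": [], "dynamic_dns": []})
    for rec in parse_dns_log(text):
        entry = report[rec["client"]]
        if rec["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
        if dga_score(registrable_label(rec["qname"])) >= dga_threshold:
            entry["dga_like"].append(rec["qname"])
        if is_dynamic_dns(rec["qname"]):
            entry["dynamic_dns"].append(rec["qname"])
    return {c: e for c, e in report.items()
            if e["dga_like"] or e["dynamic_dns"] or e["nxdomain"] >= nxdomain_threshold}


if __name__ == "__main__":
    for client, entry in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, entry)
```

On the sample log, client 10.0.0.7 is reported with three NXDOMAIN responses and four DGA-like names, 10.0.0.9 is reported only for its dynamic-DNS query, and 10.0.0.5 produces no finding. The entropy and vowel heuristics are deliberately simple; in practice they should be tuned against the organization's own baseline of legitimate names (CDN hostnames in particular can look random) before being used for alerting.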
Location of Servers
Attackers’ efforts to obfuscate their infrastructure have made attributing attacks via C&C servers difficult, if not impossible. As a result, attribution based solely on C&C server location is not reliable. Further threat intelligence must be acquired before any conclusions about attribution can be made.
Our findings for the locations of C&C servers mirror this: most C&C servers are not located in countries thought of as cybercrime havens. Instead, they reflect the broader Internet landscape: countries with plentiful infrastructure to host servers of any kind are popular with cybercriminals as well.
Table 3. Locations of C&C servers (all botnets)
Table 4. Locations of C&C servers (targeted attacks only)
Effects of compromised servers
Owners of compromised servers should be aware of the possible repercussions to their own networks for as long as their systems are being abused as command-and-control servers. Some of these possible repercussions include:
Potential theft of server/organization information
A server may contain or have access to valuable company information, which may be of value to an attacker. A server that is under the control of an attacker in this manner can have this information stolen very easily.
In addition, a compromised server can be used by an attacker as a valuable jumping-off point for lateral movement. A server under the control of an attacker is a valuable foothold into a network; this could lead to an even more disastrous large-scale data breach.
Disruption to legitimate services
The presence of C&C software on a server may disrupt legitimate applications, by using up CPU or memory resources normally used by legitimate functions. Normal services may be delayed, suspended, or stop running entirely.
Misuse of future resources
An administrator unaware of the scope of C&C activity within their network may invest resources into improvements that are not justified by the company’s business requirements. Instead of helping the organization, this would help the attackers, as they would gain access to improved resources for their attacks.
The importance of C&C communications detection
A C&C infrastructure is a critical component of an attacker’s toolkit, since the attacker needs a dedicated channel between themselves and their victims’ network. This makes C&C communication a key opportunity to break the infection chain. Because C&C systems could be located anywhere within a network, Trend Micro has added C&C communications detection capabilities to most of our solutions today, including OfficeScan, Deep Security, Deep Discovery, and our messaging and gateway solutions. This additional layer of protection allows our customers to identify new sources of infection and mitigate a potential breach quickly.
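One property of that dedicated channel that a defender can detect without any signature is its regularity: an implant that checks in with its C&C server tends to do so on a fixed period with small jitter and with near-identical request sizes. The script below is an added example, not Trend Micro's code and not how any of the products named above work: it reads a constructed proxy log (the four-field format is an assumption), groups requests by client and destination, and flags pairs whose inter-request intervals and byte counts have a low coefficient of variation. The thresholds are assumptions chosen for illustration.

```python
"""Added example: finding periodic (beacon-like) outbound connections in a proxy log.

Not Trend Micro's code. The log format and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<timestamp> <client> <destination> <bytes_sent>"
# 10.0.0.7 contacts a placeholder host every ~300 s with little jitter;
# 10.0.0.5 browses a web site at irregular intervals.
SAMPLE_PROXY_LOG = """\
2014-06-01T09:00:00 10.0.0.7 c2-placeholder.example 512
2014-06-01T09:05:02 10.0.0.7 c2-placeholder.example 498
2014-06-01T09:09:58 10.0.0.7 c2-placeholder.example 503
2014-06-01T09:15:01 10.0.0.7 c2-placeholder.example 511
2014-06-01T09:19:59 10.0.0.7 c2-placeholder.example 507
2014-06-01T09:25:00 10.0.0.7 c2-placeholder.example 499
2014-06-01T09:00:10 10.0.0.5 www.example.com 20481
2014-06-01T09:00:42 10.0.0.5 www.example.com 3310
2014-06-01T09:07:15 10.0.0.5 www.example.com 114203
2014-06-01T09:31:03 10.0.0.5 www.example.com 9002
2014-06-01T09:31:04 10.0.0.5 www.example.com 50017
2014-06-01T09:58:40 10.0.0.5 www.example.com 7788
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, destination, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, dest, size = fields
        try:
            yield datetime.fromisoformat(ts), client, dest, int(size)
        except ValueError:
            continue


def coefficient_of_variation(values):
    """Population std-dev divided by mean; None when undefined (fewer than two
    values or a zero mean)."""
    if len(values) < 2:
        return None
    mean = statistics.mean(values)
    if mean == 0:
        return None
    return statistics.pstdev(values) / mean


def find_beacons(text, min_requests=5, max_interval_cv=0.2, max_size_cv=0.5):
    """Return {(client, dest): summary} for pairs whose timing looks like beaconing.

    A pair qualifies when it has at least `min_requests` requests, its sorted
    inter-arrival intervals have a coefficient of variation below
    `max_interval_cv`, and its request sizes vary by less than `max_size_cv`."""
    by_pair = defaultdict(list)
    for ts, client, dest, size in parse_proxy_log(text):
        by_pair[(client, dest)].append((ts, size))

    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()  # log lines are not guaranteed to be in time order
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv is None or size_cv is None:
            continue
        if interval_cv < max_interval_cv and size_cv < max_size_cv:
            beacons[pair] = {
                "requests": len(events),
                "period_s": statistics.mean(intervals),
                "interval_cv": interval_cv,
                "size_cv": size_cv,
            }
    return beacons


if __name__ == "__main__":
    for (client, dest), summary in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: {summary['requests']} requests, "
              f"period {summary['period_s']:.0f}s, interval CV {summary['interval_cv']:.3f}")
```

On the sample, the 10.0.0.7 pair is reported with a 300-second period and an interval CV below 0.01, while the browsing traffic from 10.0.0.5 is not. Legitimate software (update checks, monitoring agents, mail clients) also polls on fixed schedules, so a finding like this is a lead for triage against an allow-list of known periodic destinations rather than an alert on its own.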
Cybercriminals and other threat actors have made significant advances in obfuscating the locations of their C&C servers. This means that attributing attacks to parties based only on their C&C server location is problematic; such conclusions should only be drawn with the support of additional threat intelligence, where it is available.
This ability to hide C&C server locations is evident from our data. The location of servers broadly matches those of countries with well-developed Internet infrastructure that supports large numbers of servers.