Monday, August 22, 2011

GFIRST - Advanced (Malware) Command and Control - Review

Advanced Command and Control

The scope of this article is to look at some of the advanced methods of Malware Command and Control that might typically be overlooked.

Command and Control (C2), in this context, refers to how and when malware receives its orders/instructions.

The life cycle of a typical malware incident is as follows:

  1. The malware implants itself on the victim machine
  2. It then makes a DNS query to a rogue domain
  3. The malware finally makes an HTTP request in order to download additional programs, etc.

Traditional Command and Control

Traditional C2 is generally easy to mitigate because:

  1. It is noisy in how it behaves
  2. It is generally easy to find the IP address associated with the C2 domain, because so little other traffic is going TO it that the malware's connections stand out

Advanced Avenues of C2 Communication

Advanced Command and Control can take the form of legitimate conversations and applications such as:

Twitter

  • Twitter provides the attackers a centralized place from which to issue commands. Twitter is generally open, so the traffic is rarely blocked.
  • Attackers set up a bogus Twitter profile and use Base64-encoded strings in status messages for issuing commands to run and URLs to access

Facebook

  • Similar to Twitter, a bogus profile is set up and information is passed via a Facebook "Note"

GMail Dead Drop

  • A bogus email account is set up
  • The malware that gets installed on the target's workstation has the account information hard coded into it
  • Information for C2 is contained in a draft email that is created but never sent. All communication is done this way, so no mail traffic can be detected, simply an SSL connection to a GMail server
  • When the malware logs in, Base64 code is read from the message title and hex code is read from the body of the draft

RSMS Feed (Real Simple Malware Syndication)

  • Command and control information can also be received via an RSS feed. The malware makes a web request and receives its instructions via the feed


SMTP

  • A small SMTP server (sendmail.dll) can be pulled during stage 2 of a malware infection
  • Traffic goes out over SMTP (port 25) and looks like regular mail, however...

        mail.subject contains malicious information

        mail.body contains exfiltrated data encoded in hex
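To make the encodings concrete, here is an added example (written for this post, not code from the GFIRST talk): the "attacker" half builds a Twitter-style status with a Base64 command and a GMail-draft/SMTP-style message with a Base64 subject and a hex body, and the "defender" half pulls those fields back out and flags the message. The command string, payload bytes and example.invalid addresses are constructed for illustration; the channel layouts follow the post.

```python
"""Encode and detect the covert channels described above.

Added example for this post, not code from the GFIRST talk: the layouts
(Base64 command in a Twitter status, Base64 subject + hex body in a GMail
draft, hex body in outbound SMTP) follow the post; the sample commands,
payloads and addresses below are constructed for illustration.
"""
import base64
import binascii
import re
import textwrap
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List, Optional

# ---- Attacker / malware side: the encodings the post describes -------------

def encode_status(command: str) -> str:
    """Twitter- or Facebook-style post: innocuous text plus a Base64 command."""
    return "Having a great day! " + base64.b64encode(command.encode()).decode()

def build_mail(subject: str, body: str) -> str:
    """Serialize a plain-text mail; used for both benign and covert messages."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"      # hypothetical addresses
    msg["To"] = "dropbox@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()

def build_covert_mail(command: str, payload: bytes) -> str:
    """GMail draft or outbound SMTP message: Base64 in Subject, hex in body.

    The hex is wrapped at 64 columns so the message stays 7-bit clean,
    as ordinary mail would.
    """
    subject = base64.b64encode(command.encode()).decode()
    body = "\n".join(textwrap.wrap(payload.hex(), 64))
    return build_mail(subject, body)

# ---- Defender side: pull the encoded fields back out -----------------------

# A run of 16+ Base64 alphabet characters (with optional padding) that is not
# glued to other Base64 characters.  Long ordinary words can match too, so the
# decode-and-printable check below is what really separates them.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def decode_base64_tokens(text: str) -> List[str]:
    """Return every token in `text` that decodes to printable ASCII."""
    found = []
    for m in B64_TOKEN.finditer(text):
        tok = m.group(0)
        if len(tok) % 4:                      # valid Base64 is a multiple of 4
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found

def decode_hex_body(body: str) -> Optional[bytes]:
    """If the body is nothing but hex digits (ignoring whitespace), decode it."""
    compact = "".join(body.split())
    if len(compact) < 32 or len(compact) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    return bytes.fromhex(compact)

def triage_mail(raw: str) -> dict:
    """Flag a draft or outbound message whose fields carry the encodings above."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds/decodes headers
    subject = str(msg["Subject"] or "")
    body = (msg.get_payload(decode=True) or b"").decode("ascii", errors="replace")
    commands = decode_base64_tokens(subject)
    payload = decode_hex_body(body)
    return {
        "subject_commands": commands,
        "hex_payload": payload,
        "suspicious": bool(commands) or payload is not None,
    }

if __name__ == "__main__":
    status = encode_status("get http://example.invalid/s2")
    print("status :", status, "->", decode_base64_tokens(status))
    draft = build_covert_mail("get http://example.invalid/s2", b"MZ\x90\x00" * 20)
    print("covert :", triage_mail(draft))
    print("benign :", triage_mail(build_mail("Lunch on Friday?", "See you at noon.")))
```

The same `decode_base64_tokens` check applies to a Twitter status, a Facebook Note or a draft subject, since all three carry the command the same way; `decode_hex_body` covers both the draft body and the SMTP exfil body. Note the caveat the post implies: for the GMail case you never see this mail on the wire, only TLS to GMail, so this logic has to run on the host or on a mailbox you can inspect, whereas the SMTP case can be checked on the outbound mail gateway.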

The timing of the malware can be such that it either executes its instructions immediately or waits until the user makes an Internet connection, either through a web browser or an email client. Because the C2 traffic then coincides with legitimate user activity, it is taken for legitimate and passes undetected.

I also wanted to mention that tools like IDA and OllyDbg can be used to make investigations easier.

I hope that this brief explanation of Advanced Command and Control mechanisms for malware brings a level of awareness as to the different and out of the ordinary mechanisms that can be used.
