
Command & Control

Understanding, Denying and Detecting

Joseph Gardiner
Marco Cova
Shishir Nagaraja

February 2014

In collaboration with Lastline, Inc.

Command & Control: Understanding, Denying and Detecting FEBRUARY 2014


One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools, sometimes referred to as Advanced Persistent [...] individuals and aim at establishing a continuous and undetected presence in the targeted infrastructure. The goal of these attacks is often espionage: stealing valuable intellectual property and [...] against targeted attacks is a challenging task. In this report, we restrict [...] at the Command and Control (C2) channel establishment, which, as we will see, is an essential step of current attacks. Our goals are to understand C2 establishment techniques, and to review approaches for the detection and disruption of C2 channels.

[...] attacks are performed. This knowledge is foundational to understand [...]

We then investigate the “mechanics” of C2 establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use.

Finally, we switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.

We would like to acknowledge the help and support of CPNI in researching this topic and producing the accompanying [...]

University of Birmingham | CPNI.gov.uk PAGE 2


Executive Summary

Formation and use of a Command and Control (C&C) system is an essential part of remotely-conducted cyber attacks. C&C is used to instruct compromised machines to perform malicious activity - [...] C&C can also be used as a channel over [...] show that cyber attacks are widespread across all sectors and that preventing [...] alternative consists of detecting and disrupting the C&C channels used by [...] a successful attack (e.g., preventing sensitive data from being leaked).

Attackers experiment with alternative strategies to build reliable and robust C&C infrastructures and to devise stealthy communication methods. [...] architectures and communication techniques have emerged. For example, attackers have used centralised architectures, based on the standard IRC and HTTP protocols. More recently, they have introduced decentralised architectures based on P2P protocols, [...] have been substituted by encrypted channels, where attacker’s commands and stolen information cannot be readily accessed. To make channel [...] attackers also use covert communication [...] occur through pages and images on [...] communication, such as Tor.

C&C detection and disruption

A variety of techniques for the detection and disruption of C&C channels have been proposed. They typically rely on the automated monitoring and analysis [...] anomalous communication patterns. The importance of human involvement in this activity cannot be overstated. As attackers constantly adapt their strategies, it is critical to gain a thorough [...] followed by manual tuning of monitoring, detection, and response infrastructure at periodic intervals. The following is a checklist of measures that help detecting and denying C&C in your organisation.

Detect known-bad network activity

[...] identify activity that is known to be caused by an active C2 channel.

[...] to identify internal devices that attempt to contact domains that are known to be involved in C2 activity. This [...] nameservers logs) and matching of requests against one or more blacklists of malicious domain names.

[...] to identify internal devices that attempt to connect to end points that are known to be involved in C2 activity. This measure involves collection of IP [...] enabling NetFlow and sFlow collection in routers) and matching of communications against one or more blacklists of malicious IP addresses.

[...] to identify content that matches known [...] request/responses signatures). This measure involves collection of full [...]

These measures enable the detection of C2 channels that are set up by known malware families, leverage known infrastructure, or employ known communication techniques.

Detect anomalous network activity

[...] identify activity that deviates from the [...] monitored network.

[...] to [...] the network (normal communication patterns, data exchange volumes, etc.). This measure can be implemented by determining [...] (e.g., hour, day), internal devices, and network services.

[...] against the established baselines to identify deviations that may be indicative of C2 activity. Pay particular attention to anomalies such as periodic beaconing, surge [...] suspicious network behaviours. For example, C2 activity that [...] data for patterns of fast-changing associations between domain names and IP addresses; DGA-[...] data by use-and-discard patterns [...] may be detected in NetFlow data by unusually large volumes of data exchanges.

These measures enable the detection of C2 channels that are set up by never-seen-before malware families and that do not re-use any known malicious infrastructure.

Deny C2 activity

Architect and operate the network in [...] denied or greatly impaired.

[...] to separate [...] values (e.g., front-facing, publicly [...] servers vs. internal hosts storing sensitive documents).

[...] to slow [...] or untrusted endpoints.

[...] that may be used to piggy back C2 activity (e.g., anonymisation networks, P2P overlays, social networks).
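As an added worked example (written for this page, not code from the report or its authors), the first two families of measures in the checklist above run over a few constructed records: DNS requests matched against a domain blacklist, then flow records compared against a baseline for periodic beaconing and unusually large outbound transfers. The log line format, the blacklist and the per-host baseline are assumptions.

```python
"""Known-bad and anomaly checks over constructed DNS and flow records.

The records, the blacklist and the baseline below are all made up for the
example; the record formats are assumptions, not the report's.
"""
import re
import statistics
from collections import defaultdict

# Constructed DNS resolver log: timestamp, client, query type, name.
DNS_LOG = """\
2014-02-03T09:00:01 10.0.0.12 query A update.vendor.example
2014-02-03T09:00:07 10.0.0.12 query A hwczdsb9qmx.example
2014-02-03T09:01:12 10.0.0.45 query A bad-c2.example.
2014-02-03T09:02:20 10.0.0.45 query A intranet.corp.example
"""

# Constructed blacklist of domains known to be involved in C2 activity.
DOMAIN_BLACKLIST = {"bad-c2.example"}

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")


def match_blacklisted_domains(log_text, blacklist):
    """Known-bad check: return (timestamp, client, domain) for every request
    whose name is on the blacklist (trailing dot and case are normalised)."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        ts, client, domain = m.groups()
        name = domain.rstrip(".").lower()
        if name in blacklist:
            hits.append((ts, client, name))
    return hits


# Constructed flow records: (epoch seconds, src, dst, bytes sent by src).
FLOWS = [
    # 10.0.0.12 contacts 203.0.113.7 every 60 s with ~300 bytes: a beacon.
    *[(1391418000 + 60 * i, "10.0.0.12", "203.0.113.7", 310 + i % 3)
      for i in range(10)],
    # 10.0.0.45 browses a web server at irregular intervals.
    (1391418005, "10.0.0.45", "198.51.100.9", 8200),
    (1391418130, "10.0.0.45", "198.51.100.9", 14000),
    (1391418131, "10.0.0.45", "198.51.100.9", 900),
    (1391418600, "10.0.0.45", "198.51.100.9", 47000),
    # 10.0.0.77 pushes 40 MB to one external host in a single flow.
    (1391418700, "10.0.0.77", "203.0.113.50", 40_000_000),
]


def detect_beaconing(flows, min_flows=6, max_cv=0.1):
    """Anomaly check: (src, dst) pairs whose inter-flow gaps are near constant.

    cv = stdev / mean of the gaps between consecutive flows; a periodic
    beacon gives a cv close to 0, interactive traffic a much larger one.
    Returns {(src, dst): mean_gap_seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few flows to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            suspects[pair] = round(mean, 1)
    return suspects


def detect_bulk_egress(flows, baseline, factor=10):
    """Anomaly check: flows sending more than factor x the host's baseline.

    baseline maps src -> typical bytes per flow learned in a quiet period
    (constructed here); hosts without a baseline are not judged."""
    return [(src, dst, sent) for _, src, dst, sent in flows
            if src in baseline and sent > factor * baseline[src]]


if __name__ == "__main__":
    print("blacklisted:", match_blacklisted_domains(DNS_LOG, DOMAIN_BLACKLIST))
    print("beaconing:", detect_beaconing(FLOWS))
    print("bulk egress:",
          detect_bulk_egress(FLOWS, {"10.0.0.45": 20000, "10.0.0.77": 2500}))
```

The DGA use-and-discard and fast-flux checks mentioned in the checklist need DNS history over time and are not shown here.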


Start small, measure, and scale up: security controls can be applied iteratively, [...]

We are currently in the middle of a computer security crisis: the number of attacks, their sophistication and potential impact have grown substantially in the last few years. In particular, [...], sometimes also called advanced persistent threats (APTs), have emerged as today’s most challenging security [...] individuals or organisations with the [...] data, such as contracts, business plans, and manufacturing designs. They typically employ extensive reconnaissance and information gathering to identify weaknesses in the target’s defences, and rely on sophisticated malware to perform the intended actions (e.g., locate and steal sensitive documents within the target’s network).

Because of their nature, targeted attacks [...] intrude and take control of the target’s systems, they may use 0-day exploits [11] or other malicious code that is [...] mechanisms used by the target. They may also rely on carefully-crafted social engineering techniques to “exploit the human”, that is to convince unsuspecting users within the targeted organisation to perform unwanted activities, such as installing and running malware.

An additional line of defence against targeted attacks is the detection and disruption of individual steps that are essential for the successful progression of an attack. This is the so-called kill chain approach [19]. Of particular interest for a defender is identifying the step in which a compromised system establishes a Command & Control channel (C2), i.e., a communication channel with the attackers through which it can receive further commands or can send any stolen data.

Blocking an intrusion in the C2 step has several advantages. If no [...] targeted organisation limits its damage [...] the organisation’s systems has been compromised, its most valuable assets (e.g., intellectual property and R&D plans) are still intact. Even in the event of successful data stealing, an understanding of the C2 structure could prove essential to determine what has been stolen and where it ended up. In addition, the analysis of the C2 channel may provide indications useful to [...] people, which may facilitate legal actions against them.

The overarching goal of our study is to understand the techniques of Command and Control in order to improve our defensive approaches. We will examine C2 activity both from the attacker’s perspective and from the defender’s perspective. Having an understanding of both sides of the problem (attacks and defences) is key to understand what attackers are currently capable of doing (or might do in the future) and what defences may be [...]

Our approach to the problem of understanding and combating C2 is based on a comprehensive review, systematization, and contextualization of the substantive work in this area, done by both the academic and commercial community. For the academic work, we focus our attention on publications appearing in top conferences and [...] review publications at conferences such [...] and blog postings authored by the main security vendors. Whenever possible, we emphasise practical considerations extracted from these works, with the hope that they may lead to better defence mechanisms to be deployed.

The rest of the report is organised as follows: we start by covering some background material on Command & Control (section C). We then review in detail the techniques that attackers use (or may use) to create and maintain C2 channels (section D). We review approaches that have been proposed to detect C2 channels and disrupt them (section E). Finally, we revisit security controls that are commonly adopted by organisations to spotlight those that are more likely to successfully identify and disrupt C2 activity, and to identify any gaps in the current best practices (section F).


The Command and Control Problem

[...] of an attack where the compromised system contacts back the attackers to obtain additional attack instructions and to send them any relevant information that has been collected up to that point. To really understand C2 activity, we need to review a number of aspects that, taken together, characterise today’s attacks. In particular, we will examine the factors that shape the current attack landscape [...]. We also review the actual way in which the attacks are carried out ([...] and the reasons why C2 activity is a critical step in these attacks. Then we look at the available data on targeted attacks to quantify them and to learn [...] before reviewing notable cases of targeted attacks.

C.1 Attack Landscape

[...] with an adversary. As the adversary’s motivations, drivers, or technical means change, so does the entire security landscape. We posit that changes in cyber attacks that have occurred lately [...] against them) are largely the result [...] techniques and behaviours of attackers. We focus here on three main thrusts: changes in attackers’ motivations, the increased targeting of attacks, and their use of evasive techniques.

Motivations

The motivations of attackers have changed substantially, transforming their activity from a reputation economy to a cash economy [37]. Long gone are the days when attacks were performed predominantly by individuals with the intent to display their technical skills and to gain “street credibility”. The last ten years have seen instead the rise of criminal groups that use Internet-[...]

Criminal groups can be well-organised and technically sophisticated. They can often rely on specialised “contractors” [...] example, they may include a computer programmer for the development of [...] actual attack code and a “cashier” for the monetization of stolen data. Less advanced groups can rely on the wide availability of commoditised attack tools, such as pre-packaged exploit kits [41] or phishing kits [24], which simplify considerably the steps required to launch relatively sophisticated attacks. Notably, the activity of these groups is [...] to active underground markets, where malicious code, stolen goods, tips and tricks are exchanged or sold [35]. An overview of cyber crime evidence for the UK has been recently published [76].

Traditionally, criminal groups have [...] data, such as credit card numbers and online banking account credentials, which can be easily monetized. This activity has been referred to as “cyber crime”, since it replicates traditional criminal activities (such as money stealing and fraud) in the online domain. However, more recently attackers have increasingly targeted sensitive data [...] on acquiring intellectual property, such as manufacturing designs, legal contracts, etc. These attacks can often [...] and commercial espionage.

[...] changes to attackers’ motivation is the [...] term are denoted attacks that, for their scope, objectives, and cost, are likely to [...] two typical goals: the systematic and comprehensive espionage of other nations’ entire economic sectors with the objective of gaining strategic advantage [13], and the sabotage of critical national infrastructure, such as power plants and transportation control systems. The impact and consequences of these attacks have led some commentators to discuss the possibility of cyber wars [18]. The most well-known example of [...] believed to be created by the United [...] facility in Iran [69, 106].

Targeted Attacks

[...] relevant to our study of Command and Control is the increasingly targeted nature of attacks. Cyber crime activity is typically opportunistic: attackers cast a wide net and are happy with any target they can capture. More sophisticated attacks, on the contrary, take aim at [...] compromise them.

This change in the mode of attacks has several important consequences. Attackers do not simply move from one potential victim to another, in search of the system that, being least defended, [...] attackers focus relentlessly on their selected target. [...] change. In particular, the attack life-cycle includes a reconnaissance phase in which the target’s security posture and the defensive tools it uses are carefully examined and analysed to identify possible weaknesses [73]. In addition, a targeted compromise attempts to establish its presence on the victim’s systems for as long as possible, so [...] over time. Consequently, the life cycle commonly includes phases in which the intruder moves “laterally”, i.e., gains access to additional systems, and introduces techniques to maintain the attackers’ presence in the intruded system.

Actual attack artefacts, for example, malware samples or network-based attacks, tend to become unique: they [...] thus, are less likely to be reused in other attacks. This is problematic for security tools, which sometimes use the observation of the same suspicious artefact in multiple locations as an indication of maliciousness, and for security companies, which may prioritise the investigation of novel attacks and artefacts based on their prevalence. [...] to develop signatures to match these rarely-seen artefacts.

Evasions

The last aspect of modern attacks that we want to discuss in detail is their increasing use of evasive techniques. Attackers want to stay under the radar for as long as possible, to avoid being detected or raising alerts. To achieve this, they adopt a number of measures [...] of a number of traditional defence mechanisms.

Evading signatures

Traditional defence systems (such as traditional anti-virus and intrusion detection systems) often rely on signatures to detect attacks or malicious code. A signature characterises a known [...] example, in the context of malware, a signature could be a regular expression that matches the bytes found in a [...] a number of obfuscation techniques have been proposed (and are used extensively) to counter signature-based detection. For example, polymorphism is a technique that enables an attacker to mutate an existing malicious binary and create a completely new version from it, which retains its original functionality but is undetected by current signatures [52]. The anti-virus vendor Kaspersky recently reported detecting more than 2 unique malicious samples per second, likely the result of extensive application of polymorphic techniques [64].

Evading dynamic analysis systems

To overcome the limitations of signature-based analysis of malicious code, researchers use dynamic analysis tools, also called sandboxes [31]. These tools execute a binary in an instrumented environment and classify it as either benign or malicious depending on the observed behaviour.

To thwart automated dynamic analysis, malware authors have developed a number of checks (so-called “red pills”) to detect the presence of malware analysis tools and popular sandbox environments. When the malware detects indications that a malware analysis system is present, it typically suppresses the execution of malicious functionality or simply terminates [8]. The way in which the checks are implemented depends on the type of malware analysis system that is targeted. One class of checks inspects the runtime environment to determine whether an analysis tool is present. Often, such [...] analysis tools. A second class of checks exploits characteristics of the execution [...] a real host and a virtualised environment [2, 33, 34, 105] or an emulated system [74, 88, 98] (which are frequently used to implement the analysis sandbox). For these checks, small variations in the semantics of CPU instructions or timing properties are leveraged to determine whether a malware process is run in an emulator or a virtual machine (VM).

As another evasive technique, malware may execute its malicious payload or [...] For example, a malware program may [...] exist on a machine and only run parts of its code when they do. Other triggers require that a connection to the Internet [...] mutex object not exist. Other malware [...] range, when run by a user with a hard-coded username, or if the system has been assigned a precise IP address. Furthermore, some malware listens for certain commands that must be sent over a control channel before an activity is started.

In the next step of the arms race, malware authors have started to introduce stalling code into their [...] is executed before any malicious behaviour, regardless of the execution environment. The purpose of such evasive code is to delay the execution of malicious activity long enough so that the automated analysis system stops the analysis having observed benign activity only, thus incorrectly concluding that the program is non-functional or does not execute any action of interest. Of course, on a regular system, the malware would perform all of its malicious behaviour, [...] analysis systems (virtualised, emulated, or physical machines), even those that are fully transparent. This technique simply leverages the fact that, to analyse a large volume of programs, an analysis system must bound the time it spends executing a single sample to a limited time (in the order of few minutes). To make things worse, malware authors can often craft their programs so that their execution in a monitoring environment is much slower than in a regular system (by a factor of 100 or even more).

Evading reputation systems

Another defensive approach that has gained traction in the last few years is the use of reputation information for network entities (servers or domain names). The idea is that if a client attempts to contact a domain or server with poor reputation it should be stopped, since that will stop also its exposure to potential malicious activity. Reputation data is often compiled into blacklists, i.e., lists of domains and IPs that should be avoided, and distributed to devices that enforce the blocking of elements on the blacklist. For example, devices that may use [...]

Malware authors have a crude but [...] blacklists: they can use a certain server or domain for malicious purposes only for a very limited amount of time. After its IP or domain name is “tainted”, that is, has entered one or more blacklists, it is simply abandoned and no longer used. This strategy imposes additional [...] (they need to register new domain names or manage new servers with high [...] Recent data from researchers at Google shows that this strategy is in fact already well in use: they studied domains hosting exploit kits used in drive-by-downloads and found that their median lifetime is [...] blacklist should be able to detect the malicious domain and distribute this knowledge to all the enforcement devices before the domain has been abandoned.


C.2 Command and Control

We have seen that today’s attacks are targeted, evasive, and aim at obtaining [...] these attacks carried out in practice? [...] naming may vary across publications [19, 55, 73], the literature agrees on the general structure of targeted attacks, which is commonly represented as a sequence of steps similar to those of Figure 1.

Figure 1: Targeted attack life cycle (stages shown: Reconnaissance, Initial Compromise, Command and Control)

Reconnaissance

This is where the attacker learns more [...] weaknesses that will be exploited during the actual attack. The reconnaissance activity encompasses both computer systems and individuals. Attackers examine their target’s networks and systems by using traditional methodologies, such as port scanning and service enumeration, in search of [...] that could provide an entry point in the organisation. Attackers also collect information about key people in the targeted organisation, for example by combing through data available on social media websites: this information will be used to facilitate later stages of the attack.

Initial compromise

This stage represents the actual intrusion, in which attackers manage to penetrate the target’s network. Most frequently, the method of compromise is spear phishing. A spear phishing message may contain a malicious attachment or a link to a malicious web site [125]. Often times, the contents of the spear phishing message are tailored based on the information acquired during the reconnaissance stage, so that they appear credible and legitimate.

A second common method of intrusion is the strategic compromise of websites of interest to the victim (or “watering hole” attack). In these attacks, attackers place malicious code on sites that are likely to be visited by the intended target: when the target visits the compromised website, she will be exposed to one or more exploits. Watering hole attacks represent an evolution of the traditional, opportunistic drive-by-download attacks [95, 97], in which victims are attracted, [...] page. The web page contains code, [...] language, that exploits vulnerabilities in the user’s browser or in the browser’s plugins. If successful, the exploit downloads malware on the victim’s machine, which as a consequence, becomes fully under the control of the attacker [92, 96].

Command & Control

The Command & Control phase of the attack is the stage where adversaries leverage the compromise of a system. More precisely, compromised systems are forced to establish a communication channel back to the adversary through which they can be directly controlled. The C2 channel enables an attacker to establish a “hands-on-keyboard” presence on the infected system (via so-called remote access tools), to install additional specialised malware modules, and to perform additional malicious actions (e.g., spread to other machines or start a denial of service attack).

[...]

In this stage, the attackers extract, collect, and encrypt information stolen from the victim’s environment. The information is then sent to the attackers, commonly through the same C2 channel that was established earlier. [...] been a key step in opportunistic attacks as well and it has been well documented in the literature. For example, studies of the data stolen (or “dropped”) by the key logger components employed in banking trojans have reported on the amount of data being transferred, its estimated value, and the modus operandi of their operators [50]. Furthermore, researchers have sinkholed or hijacked entire botnets with the goal of gaining an inside view of the data stolen from infected machines and the operations of botmasters [114]. With [...] seen in these traditional attacks, we expect targeted malware to expand [...] activity and its infrastructure.


[...] attack models discussed in the literature, to avoid distracting the attention from the main purpose of this study: the Command & Control phase. More detailed descriptions of other phases may be useful for readers focusing on other steps of the attack chain, such as the initial compromise.

In particular, Hutchins et al. [55] emphasise the steps required to perform [...] phases named Weaponization, Delivery, [...] focus on the C2 stage, we group all these phases under the generic Initial Intrusion label.

Mandiant’s report [73] emphasises instead the steps performed by attackers after the initial compromise and leading to a persistent presence inside a target’s network. After a stage named Establish Foothold, the authors present a cycle of steps (Escalate Privileges, Internal Recon, Move Laterally, and Maintain Presence) that enable attackers to establish an expanded foothold inside the target’s network. The authors point out that these steps are optional and may not occur in all attacks. We consider these activities to be part of the compromise phase.

C.3 Statistics

It is notoriously hard to obtain adequate statistics on information security in general, and to measure the volume and impact of cyber attacks in particular. [...] [27] commissioned by the UK Cabinet [...] estimates for cybercrime’s annual cost to the UK [4].

The sources of data on cyber attacks have traditionally been surveys and telemetry collected by security vendors across their installation base. Both sources have their own issues [5]. For example, surveys often introduce bias by collecting most of their responses from large companies, which have the resources to collect the data requested by surveyors. In turn, statistics from security vendors have often been scrutinised for issues of over-reporting, which increases the perception of the risk involved with security threats and potentially favours the sales of a vendor’s product. To further complicate the matter, [...]

Recent legal developments may help the collection of meaningful security metrics: in the last few years, disclosure laws have been introduced requiring businesses to report security incidents involving the theft of personal data [...] collection of attack metrics available, but [...] incident types and geographic areas.

Collecting sound statistics for targeted attacks seems especially challenging: this activity shares some of the same problems found with quantifying cyber attacks in general and it adds a few [...] domain:

The victims of targeted attacks are likely not willing to disclose the information that they have been attacked or, worse, breached. This knowledge may be embarrassing with customers and regulatory agencies, and the disclosure details may provide useful information to competitors (e.g., information about new product lines). Even more problematically, as we will see, targets may not know for a long time that they have been attacked.

Targeted attacks span vast sectors of the economy, therefore, it may be [...] vendor or governmental agency) to [...] the problem.

[...] as a targeted attack and for the [...] reporting methodology. It is not unusual to encounter descriptions of targeted attacks from one vendor that other vendors classify as traditional attacks.

Even with these caveats in mind, we present here a number of statistics from [...] that provide (aggregated) data about targeted attacks. We do not, instead, include in our review reports that only describe the attacks in general. For the reasons we have discussed, the statistics reported here should be approached with a healthy dose of caution, in particular with regard to their ability to support general inference about targeted attacks; but they still provide a snapshot, an initial quantitative look into targeted attacks, [...] as their pervasiveness and their usual targets. We hope that in the future more and better data on targeted attacks will be available, enabling more robust quantitative analysis of this phenomenon.

Mandiant Report

Mandiant is a security vendor providing incident management products and services to large institutions. Due to their business focus, Mandiant has built a reputation of dealing with targeted attacks. They publish a yearly report with [...] latest available report covers data from 2012 [72].

[...] the general problems we have discussed earlier. In particular, the sample size (the number of incidents) used as the [...] Mandiant’s customers) are a sample set representative of the general population. Nonetheless, the report contains a number of statistics that are worth [...] characterisation of targeted attacks. First, it discloses that only 37% of the intrusions were discovered by the victim itself: in the remaining cases, the victim [...] law enforcement, customers, security vendor). The median time during which attackers are able to maintain a presence in the intruded network is reported to be 243 days, well over 8 months. They also report that in 38% of the cases, attacks are repeated, supporting the notion that attackers are persistent once they have [...]

The list of targeted sectors includes: aerospace and defence (17% of the cases), energy, oil, and gas (14%), [...]


[...] and hardware (8%), legal (7%), media (7%), telecommunications (6%), pharmaceutical (4%), other (25%). The report does not elaborate on how the [...]

[...] company, focusing on virus protection. They publish a yearly report on the status of Internet security; the latest available data covers the year 2012 [120]. The report investigates targeted attacks on the basis of the targeted malicious [...] products. In total, the analysed dataset comprises about 55,000 attacks. The methodology used to discriminate whether a malicious email is targeted or opportunistic is intuitively presented, but there is no detailed description of the algorithm used to make this determination. [...] observing a number of targeted attacks per day ranging from 50 to about 225. The report warns that one large attack campaign in April against a single target [...] and, thus, has been removed from the presented results: while a reasonable course of action, this observation questions the sample size and generalizability of reported data. Also in this case, the report lists the targeted sectors: manufacturing (24% [...] real estate (19%), other services (17%), government (12%), energy/utilities (10%), services professional (8%), aerospace (2%), retail (2%), wholesale (2%), and transportation (1%). The report also comments on the size of the targets: 50% of the attacks targeted large organisations (those with 2,501 employees or more), 31% small and medium business up to 250 employees. The analysis of the malicious email dataset also provides some insight into [...] 2011 compared with 27% of 2012): it is not clear if these changes are an artefact of the data collection and analysis process or correspond to actual changes in the tactics of attackers.

Verizon

The telecommunication company Verizon publishes a yearly report on data breaches. The last available report at the time of writing covers 2012 and contains data compiled from 19 organisations for a total of more than 47,000 security incidents [127]. The report has a more general scope than those discussed so far (it covers data breaches in general), but it does provide some useful insights on targeted attacks. The report is characterised by a careful methodology, which is explained in detail. [...] is that 25% of the breaches they report [...] the elusive nature of attacks (targeted or not): 69% of breaches were spotted by an external party (9% customers), and 66% of the breaches took months or even years to discover. Another interesting observation is that, in most cases, the initial compromise does not require sophisticated techniques; in 68% [...] and less than 1% as “high”. More worryingly, subsequent actions may be more sophisticated: 21% are high and 71% are low. Unfortunately, the report does not break down these statistics between targeted and opportunistic attacks.

Discussion

As we have anticipated, the available data is unfortunately somewhat limited and the reporting methodology used [...]

Ability to detect

There seems to be support to the notion that attacks in general, and especially targeted ones, remain unnoticed for a long time. This indicates that organisations do not have appropriate controls, tools, and processes to identify the presence of intruders in their network. Unfortunately, we do not possess enough data to conclusively point to the precise reasons for why this occurs: in particular, it may be the result of factors ranging from cultural ones, such as the lack of appropriate awareness to [...] mentality), to technological reasons, such as the unavailability (real or perceived) of [...]

The failure to detect intrusions for months, if not years, also implies that attackers have a long time to carry out their attacks, compounding the damage [...] the same time, from a defensive point of view, it shows an imbalance between two common defensive strategies [...] kill chain: defending by preventing the intrusion and defending by detecting an intruder. More precisely, detecting the initial compromise requires to catch and identify the individual event that leads to the intrusion (e.g., the receipt [...] point of time, and, lacking forensics capabilities, its detection requires that [...] tool (e.g., intrusion detection system or anti-virus tool) is capable of performing the detection. Intuitively, detecting the presence of an intruder may instead happen at any time after the intruder has established a presence in the target’s network, during which time defensive tools may be updated or improved. This [...] attack and defence: while detecting the [...]
initial compromise requires that defence
the targets of the initial compromise: described. This limits our ability to make
R&D personnel (27% of the attacks), generalizations on the basis of the data
single missed detection may lead to the
sales (24%), C-level executives (17%),
compromise), to detect the intruder’s
and shared inboxes (13%). Interestingly, However, there are several points that
the report points out a handful of are worth discussing, keeping in mind
makes a single mistake, revealing its
our objective of designing and deploying
data (for example, R&D personnel used better defences against targeted attacks.
to be targeted only 9% of the cases in

The Command and Control Problem

Targets

[...] targeted sectors. This could certainly be a result of the selection biases inherent in each source. However, what we can conclude by looking at the target lists provided, for example, by Mandiant and [...] of the economy may be the target of attacks. Also relevant is the observation that an organisation's size is not a predictor of being attacked or not: organisations of any size, from small businesses to large corporations, have been attacked in the past.

In our context, this observation has important consequences. From an organisation's point of view, the results and recommendations that we provide in this report should be generally applicable. From a vendor perspective, this points to the need to provide tools and mechanisms that are amenable to widely [...] of technical skills, human resources, and budget numbers.

Third, the Verizon report contains some preliminary data about the technical sophistication of attacks and, more [...] initial compromises are carried out [...] it is not clear if the same results hold when considering only targeted attacks (rather than looking at all kinds of attacks, including opportunistic ones), this observation does match anecdotal experience from individual attacks, which often do not show particular sophistication, such as 0-day exploits or [...] The lesson learned from this data point could be that, while defending against sophisticated attacks is becoming increasingly necessary, one cannot discard traditional attack techniques.

C.4 Case Studies

In this section, we review a number of cases of targeted attacks. There exist many more accounts of attacks than we can report here; we decided to focus on those cases that show particular attack techniques and objectives, or that highlight the importance of C2 detection. More precisely, we include a set of cases that have been publicly [...] impact. We also include a set of cases that were provided by Lastline, a security company providing solutions to defend against advanced attacks. These cases, opportunely anonymised to protect the identity of the targeted organisations, are based on Lastline's experience "in the trenches", working with its customers, [...] of attacks or to problems with existing security approaches.

Political espionage

In January 2013, the New York Times publicly denounced that it had been subjected to targeted attacks for a period of four months. The attacks had been traced to Chinese hackers and were linked to an ongoing investigation at the journal that was highly critical of the Chinese political elite [91]. Further investigation of the attack methods and objectives linked the attack to a larger attack campaign targeting news and media companies, including Bloomberg News, which was compromised the previous year.

An investigation of the incident found that the attack activity showed some of the traits typical of targeted attacks originating from China: attackers hopped through compromised accounts at [...] identity and make investigation more complex, and they were suspected of using spear phishing to gain the initial access to the Times' network.

The following steps of the attack fully reveal the targeted nature of the incident: the attackers obtained the passwords of every Times employee and used them to gain access to the personal computers of 53 of them. Then, they deployed code to search for and steal documents kept by reporters on the current investigation on Chinese politicians.

The Times article contains two pieces of information that are useful to illustrate the limitations of traditional security approaches that are based on the detection of the initial intrusion activity. The article comments that the spear phishing attack completely bypassed existing defences at the perimeter: "Attackers no longer go after our [...]" The Times also reported that of the 45 malware samples used in the course of [...] by the journal's anti-virus tool, whose vendor later issued a statement reading "We encourage customers to be very aggressive in deploying solutions that [...] Anti-virus software alone is not enough." [122].

Military espionage

[...] Board for the Pentagon was leaked to the Washington Post [83]. The report claimed that the designs for many of the [...] been compromised by Chinese hackers. The report claimed that the extensive theft had targeted the documentation for several missile systems, combat aircraft, and ships.

While there are at the moment few details regarding how the intrusion actually occurred, it appears likely that the attacks targeted in particular large military contractors, which are involved in the design and production of the military systems.

This case study is a cogent example of attacks aiming at obtaining valuable intellectual property: sources from the Washington Post claimed the stolen designs were the result of 15 years' worth of research and development.

[...]

In February 2013, the security vendor Bit9 reported that it had been compromised [67]. Bit9 produces a [...] the list of software that should be allowed to run in a network; anything else is considered to be dangerous. As a consequence of the intrusion, the attackers managed to steal the secret [...] software releases. The company also revealed that some of its customers had received malware that was digitally signed [...]

[...] of the intrusion are not entirely clear. There are, however, several interesting aspects in this attack. First, attackers compromised Bit9 with the primary intent of acquiring the capability required to successfully attack upstream targets protected by the company's products. These are often called "supply chain attacks" because they target one link of a chain that eventually leads to the organisation that is actually being targeted.

Manufacturing espionage

Military secrets are hardly the only ones to be sought after by attackers. In early 2013, Lastline started monitoring the network of a manufacturer active in the [...] it determined that an internal server was infected: further investigation revealed an unexpected remote connection to that server originating from China. Among other data, the server contained all the designs of the manufacturer's new collection, which had not yet been [...]

This episode shows that the data targeted by sophisticated attackers is not [...] Industrial espionage, in certain [...] governmental blessing, has targeted a large spectrum of economic sectors [73].

Malicious infrastructure agility

In mid 2013, a Lastline product was [...] Lastline detected a successful drive-by-[...] employees. The drive-by had started when the employee visited a legitimate web site that had been compromised; the web site collects information relevant [...] by-download attacks were detected shortly thereafter, originating again from web sites belonging to companies and [...]

After one of the successful drive-by-download attacks, connection attempts to a malicious domain were observed: the connections did not succeed because the destination server failed to respond. However, a day later, connections to the same domain were observed: this time, the server was responding and was actually distributing [...] These events suggest that attackers run [...] sectors (these could be considered less targeted versions of the watering hole attacks). Furthermore, the sudden activation of malicious domains shows that the malicious infrastructure used by attackers (exploit sites and C2 domains) can vary quite rapidly, thus requiring its constant and up-to-date monitoring.

[...]

This case study was collected after the installation of a Lastline product in a University environment. Here, an administrative user received a malicious email and clicked on a link contained therein twice in a short span of time. The link caused the download of a malware program. Interestingly, the binaries downloaded as a consequence of the [...] an online service that scans submitted binaries with over 40 anti-virus tools. This episode shows that the use of evasion techniques, polymorphism in this case, is a built-in component in many attacks: all the binaries downloaded in [...] the importance of user security education: users are all too often a weak link in the security of an organisation.

C.5 A New Focus

There are several lessons that we can learn from the statistics on today's attacks and the case studies that we have presented.

One is that [...] We have seen that intrusions happen, even at security-conscious organisations which possess considerable domain knowledge, expertise, and budget for security. We have also seen that there does not really appear to be a sector that is immune from attacks: modern businesses and organisations handle on a regular basis [...] to attackers. It should also be noted that the compromise may initiate outside of an organisation's perimeter (and away from the defences that the organisation has put in place), and then spread inside it as the infected device re-enters the perimeter. For example, with bring-your-own-device (BYOD) policies, organisations explicitly allow employees to bring to the workplace personally-owned and managed mobile devices, such as smartphones, and to use these devices to store privileged data and to interact with internal systems.

As a consequence, it is clear that [...]. Ideally, the detection is performed as early as possible in the life cycle of the attack, to limit the [...] stolen). Unfortunately, we have seen, in particular with the Verizon data on [...] infections go completely unnoticed for a long time.

C2 detection and disruption seems [...] by focusing on the C2 phase of an attack, one accepts that a device may come under the control of attackers, may enter the organisation's network, and [...] However, the successful detection of C2 activity will preclude the attackers from performing the actual malicious, damaging activity of their actions, [...] course, C2 detection should be seen as a complementary approach to the prevention of compromise, rather than a substitution for it: completely blocking an attacker, whenever possible, is preferable to having to deal with it after the fact.

With this approach in mind, we review in the next sections the techniques that attackers use to set up C2 channels, and then the approaches that have been proposed to detect and disrupt such channels.

C&C Techniques

As we have already discussed, there is a constant battle between the attackers (malware writers) and the defenders (security professionals), wherein the [...] and block attackers, and in response the attackers come up with new, often novel ways of performing their C&C communication to evade the defenders. In this section we will discuss various techniques used by the attackers, including some in-depth case studies of actual malware that use them, and describe the general trends that the malware is exhibiting.

The command and control system for most modern malware has three components. These are controller discovery, the bot-controller communication protocol and the C&C topology. In the controller discovery phase, the malware attempts to identify the location of the control system. The topology of the system may take many forms, falling into the broad categories of centralised and decentralised. Finally, there is the actual method of communication from the malware to the controller. These three steps are often completely separated, and it is a common occurrence for malware to update one of these components while keeping the other components constant.

This section is structured as follows: [...] trends in malware command and control over the years. We will then describe the various techniques used by malware to perform the three actions described above.

D.1 Overview

Over the years, the architecture of the C2 channel has evolved substantially, driven by an arms race with detection-response mechanisms. The network structure (or topology) of the C2 channel has an intimate relationship with its resilience to attack and error, as well as its scalability to larger numbers. C2 designers desire scalability, robustness to take-down [...] detection.

C2 communication structure

Early C2 designs followed a centralised architecture such as using an IRC channel. In this design, administration and management tasks are simple and the architecture tolerates random losses of C2 nodes with little impact on [...] is fragile against targeted attacks: if the defenders can identify the channel and attack or take down the server, they [...] fragile architectures were accompanied by poor software engineering practices. For instance, the address of this server was often hard-coded into the malware and static in nature.

However, the growing size of botnets, as well as the development of mechanisms that detect centralised command-and-control [..., 45, 63, 71, 117, 135], has motivated the design of decentralised peer-to-peer [...] structured overlay networks [93, 94, 116]. These networks are a product of [...] means a botnet herder can join and control at any place, simplifying the ability to evade discovery. The topologies themselves provide low-delay any-to-any communication and low control overhead to maintain the structure. Further, structured overlay mechanisms are designed to remain robust in the face of churn [47, 70], an important concern for botnets, where individual machines may be frequently disinfected or simply [...] overlay networks also have protection mechanisms against active attacks [...] systematic resilience guarantees against targeted attacks on the C2 channel, yielding new forms of robustness. The vast power of peer-to-peer botnets from the use of resilient topologies comes at the cost of stealth; the unique structure can also be used as a point of detection [82].

C2 evolution has also been [...] to block unused ports and application protocols simply encouraged C2 [...] legitimate services, paving the way for [...] C2 channels have been observed in the wild using comments in HTML pages or even actual blog posts on public forums [...] through legitimate services, defenders [...] disabling the service, as doing so would hurt legitimate interests.

Other drivers of C2 techniques have [...] techniques. These range from simple anomaly detection techniques to sophisticated machine learning based detection. In response, C2 designers have adopted evasion techniques [...] embedding it within synthetic, encrypted, [...] schemes only require minimal alterations to pre-existing architectures and can be adopted on a strap-on basis by other C2 operators. We can expect these techniques to mature quite well in the near future.

An interesting development is that C2 designers have adopted anonymous communication techniques within their architectures. Initial designs used simple anonymous proxies or stepping stones [...] endpoints. More recently, C2 designers have started abusing systems designed for Internet privacy such as Tor, JAP, and anonymiser [30, 59]. End-point anonymity prevents defenders from [...] patterns. C2 [...] techniques in the form of practical unobservable communications have also been developed. These are [...] unobservability; the strongest possible anonymity guarantee, subsuming both [...]

[...] techniques are based on the use of covert communication techniques. For instance, the application of probabilistic information-hiding techniques such as image sharing behaviour on social networks [81]. Emerging trends include [...] as transient stores of C2 payloads.

Techniques to evade responses. The primary response mechanism against a C2 channel is to isolate domain names and IP addresses related to C2 activity. In response, C2 architects have developed techniques inspired by the fault-tolerance literature. This is characterised by the evolution of domain generation [...] networks which can allow large numbers of IP addresses to be linked to a single domain.

D.2 Communication structure

Early C2 designs were based on a centralised architecture where one or more servers are exclusively used to coordinate C2 communication. The classic design for command and control in malware is to make use of an Internet Relay Chat (IRC) server. IRC was developed in 1988, and is a protocol used for text chat over the internet. Its primary function is to provide "channels", which are chat rooms allowing for group conversations (private user-to-user chat is also available but less common). Channels are hosted on servers, which in turn are part of IRC networks. While most channels are publicly accessible, it is possible to require authorisation to join a channel. Users within a channel have varying levels of access (modes), which [...] a channel. The channel itself has modes [...] can do, such as changing the channel topic, and other options regarding the channel (such as access authentication). All of this makes it a simple platform for malware communication. It provides a simple function for the attacker to deliver commands to the malware, and it is equally simple for the malware to transmit information, such as collected data, back to the human controller.

Centralised architectures are simple and easy to manage, and robust to the failure of large numbers of malware-infected computers. In 2000, researchers [3] famously showed that while centralised architectures are robust to random failure, they are fragile against strategic attacks; removing the high-centrality components of the communication structure disables the C2. Further, centralised C2 networks are not [...] consisting of hundreds of thousands to millions of malware instances requires careful coordination amongst a large number of control servers, each servicing a few thousand or so malware instances.

To counter the structural weaknesses and scalability limits of centralised architectures, many C2 designers are moving to decentralised or peer-to-peer (P2P) architectures for command and control. The main design goals of these architectures are: scalability (nodes maintain a limited state and communication costs grow slower than the number of nodes), fault tolerance (requests can be routed around failed or taken-down nodes) and P2P nature (distributed architecture with no single point of failure and strong availability guarantees).

In a P2P network, there is no central control server; instead every member of the network acts (or can act) as a server, thus providing a load balancing property. Further, decentralisation ensures large amounts of redundancy against targeted attacks; consequently, in comparison [...] percentage of the nodes to completely disable the C2 network.

The use of decentralised C2 networks [...] sharing networks (used for both legal and illegal means). In a P2P network, each member communicates with a non-uniform number of other members or 'neighbours'. Nodes only communicate with their neighbours in the network, [...] routing of data around the network. P2P networks can be either unstructured overlay networks (BitTorrent, Gnutella, or Kazaa) or structured overlay networks such as CAN, Chord, Pastry, de Bruijn-based options (Koorde, ODRI, Broose, D2B), Kautz, Accordion, Tapestry, Bamboo, and Kademlia. We have named a few but there are many other options, which indicates the substantive depth of the design possibilities.

We will now take a look at the typical operation of the BitTorrent network. To [...] a list of peers that hold some or all [...] connects to these peers, and downloads the pieces they have. Eventually, you [...] who are involved in the "seeding" [...] download speed. Obviously, currently the most common use for this technology is in the sharing of (often copyrighted) [...] provide an easy method for propagating information among a large number of users without the use of a central server.

The typical situation for malware is that the malware will have a list of peers to which it is connected, and it will repeatedly check with these peers for new commands. The bot controller simply has to "upload" the commands to a single node (or group of nodes), which can be anywhere in the network, and the command will eventually reach all nodes [...] has the additional advantage that there is no need for a link between the data and the uploader, as is the case with a centralised system.

Case Study: Storm

[...] that uses a P2P network for its command [...] peak in 2007, comprised of anywhere between 1 and 50 million infected hosts. [...] of spam emails, which contain links to either websites which take advantage of browser exploits, or prompt the download of malicious software. One of [...] is to make sure that the system clock is correct. This is vital for communication. [...] is a Kademlia based distributed hash

table (DHT) based P2P network. Each bot has a 128-bit DHT ID, which is randomly generated. Routing is performed by [...] IDs to the destination: node a, which has a message for node d, will forward it to the peer (neighbour) with the closest [...] uses a publish/subscribe style of communication. A node publishes [...] from the contents of the information. Consumers can then subscribe to the [...] using the day and a random number between 0 and 31. The controller can [...] information using them. The information [...] form "*.mpg;size=*", where * represents a 16-bit number. The malware converts this to an IP address and port number, at which point the malware performs a direct connection to talk to the controller directly.

Social Networks

[...] that they bring to both businesses and end users are hard to ignore. In fact, Facebook, the largest social network, now has over 1.1 billion users, and is currently the second most visited website (www.alexa.com) in the world. The sheer volume of social network [...] information within a social network page for little to no cost, has made them a very attractive tool to malware creators. In this case, C2 channels are built as an overlay network over a social network, again both centralised and decentralised [...] social networks are largely based around a small number of highly well-connected central servers, it is not possible to simply [...] popularity with legitimate users. Further, [...] availability and load balancing, thus mitigating the traditional scalability limits of centralised C2 channels. They host a rich variety of content enabling the use of steganographic communication techniques, which we will discuss in future sections of the report.

There have already been numerous examples in the wild of malware that uses social networks (or similar sites) as part or all of the command and control system. One (possible) botnet that has been found is an unnamed piece of malware that receives its commands through tweets posted to a particular Twitter account [132]. It is unclear, however, if in this case this was a researcher testing a new toolkit for Twitter command and control rather than an actual botnet. An example found by Arbor Networks [85] also demonstrates a botnet using Twitter as part of its C2 channel; in this case the Twitter account posts base64-encoded URLs, which represent secondary C2 servers. The same behaviour is also found on identically named Jaiku and [...] that uses a malicious application on the Google App Engine cloud hosting platform which also returns URLs to which the malware will then proceed to connect [84].

[...] malware that is using a social network as part of its command and control is Taidoor. Taidoor attacks organisations that have links to Taiwan (hence the [...] found that the malware has been [...] binaries in a Yahoo blog post [129]. The malware is initially delivered by email and performs an exploit against [...] installed. This downloader connects to a Yahoo blog post, which contains seemingly random data. The data is in fact the actual malware binary, contained between two markers and encrypted using the RC4 stream cipher, with the resulting cipher-text being base64 encoded. When decrypted, the data is [...] malware then connects directly to two C&C servers.

D.3 [...]

Communication pattern analysis. A key feature of C2 channels that distinguishes them from other malicious activity is the fact that the individual malware-infested hosts communicate with each other. This lets them carry out sophisticated coordinated activities, but it can also be used as a point of [...] can be used to detect communication patterns among bots, and how such [...] between botnet performance, resilience, and stealth. [...] is an old [...] are applicable. We will review these [...] designers have adopted techniques to hide communication patterns.

[...] is a much desired property by C2 designers. Anonymous communications technologies study the design of communication channels [...] For C2 designers, the ultimate goal is unobservable communications. The property of [...] strongest form of communication [...] capability that a third party cannot distinguish between a communicating and non-communicating entity. For instance, by appearing indistinguishable [...] substantial amount of knowledge in the public domain on the topic on which C2 designers can build upon. [...] adoption of anonymous communications technology by C2 designers.

Tor

Tor (originally TOR: The Onion Router) is a service used to provide anonymity over the internet. It is used by governments and the public alike (for example it is extremely popular with whistle-blowers), and even receives a large proportion of [...] Defence. The basic system works by [...] of nodes, and applies multiple levels of encryption/decryption to mutate the [...] and receiver of packets sent over the network. This security has also made it a target for malware coders, and there have been cases of malware that use the Tor network (and some of its extra features) to aid in command and control. To become a part of the Tor network, one simply has to install a simple piece of software. The machine can then act as a relay node for others, and make use of the Tor network.

One of the more advanced features of Tor is the ability to set up Hidden [...] behind a proxy, keeping the actual identity of the server hidden from those who access it. Hidden services work by setting up "Rendezvous" points. A rendezvous point is a node on the Tor network, which is used as the entry [...] the rendezvous point and the server is routed in the normal Tor fashion, providing anonymity. A rendezvous point is accessed using an ".onion" link.

While few examples of actual bots have [...] their C&C channel, there is growing evidence that this is occurring on a large [...] 2013 the Tor network experienced a large increase in the number of users [...] nodes, however, only showed a minimal [...] and control server behind a Tor hidden service. The botnet, however, shows little activity, and is believed to simply be used for installing other malware.

Case Study: Skynet

[...] machines) botnet based upon the Zeus family of malware. The interesting thing (apart from the usage of Tor) about [...] IAmA (Q&A) session on Reddit¹. When a team of researchers [46] discovered an instance of the malware, they were able to use the information provided by the Reddit post, plus a small amount of reverse engineering, to provide an almost [...] botnet.

The malware is spread primarily through [...] mining and Bitcoin mining. When the malware is installed onto a machine, the Tor client for Windows is also installed, and a Tor hidden service is set up for the machine itself. All C&C communication [...] running locally on the machine. The hidden service is opened on port 55080.

The primary method of C&C is an IRC server hosted behind a Tor hidden service. The server runs at "uy5t7cus7dptkchs.onion" on port 16667. The controller issues commands to the malware through the IRC channel. These actions can include performing attacks and returning info on the host machines.

The malware also includes a version of the Zeus malware family. Zeus is a very common banking trojan, with a primary [...] details (for example credit card numbers and online banking passwords). Zeus provides a web-based C&C server, which the controller has hidden behind a second Tor hidden service. By accessing the control server, the researchers were [...] the current target websites.

[...] performs Bitcoin mining. The malware includes the open source "CGMiner" software used for Bitcoin mining, which connects to a number of Bitcoin mining proxy servers. Interestingly, seven IP addresses for proxy servers were found, of which two were active, but none were hidden by Tor.

Due to the use of Tor, it is almost impossible to identify the actual location (and owner) of the command and control servers. Through responses on the Reddit post, plus the botnet's concentration in central Europe (in particular the Netherlands and Germany), there is a strong chance that the operator is based in Germany.

Unobservable C2 Communications

Whereas systems such as Tor aim to provide anonymity through unlinkability (i.e. disguising who is talking to whom), unobservable communication methods aim to hide the fact that anyone is communicating altogether. Tor, and similar systems, are designed to provide low-latency communications, but this [...] unobservable communication methods, which often provide a higher-latency form of communication. While this is often deemed unacceptable for the user base of Tor-like systems where usability is a factor, it is not an issue for malware coders. The most common form of providing unobservable communications is through the use of steganography.

[...] writing") is the art of writing messages in such a way that nobody, apart from the sender and receiver, suspects the existence of the message. [...] used for thousands of years, and has been reinvigorated in the digital age. The main purpose of using steganography is that it can make the communication unobservable. There are two ways in which steganography can be used by malware to hide the command and control communications. The [...] communication protocol appear as another, and secondly it can embed itself within otherwise legitimate content online, such as images.

Today most media types, including text, images and video, are capable of containing hidden data in a number of ways. In the simplest cases, this can be achieved by adding extra metadata to [...] although this is easily discovered. The alternative, and more advanced, method [...] image can store the data. This will allow a relatively large amount of data to be stored (directly corresponding to the size of the image), and to the untrained eye the image will appear to be unchanged.

¹ http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/


C&C Techniques

[...] by introducing an echo, with the amount of delay indicating the data (the delay will be in the 10s of milliseconds so unobservable to the untrained ear). There are numerous algorithms for [...] resistance (the classic way to remove image steganography, for example, is to resize or slightly distort the image).

Currently, there are very few examples of steganography being used by malware in the wild. It is expected, however, that the amount of malware making use of steganography will increase as command and control detection methods become more advanced and [...] means. Therefore, this section will mainly deal with proposed designs for steganography-based malware command and control.

One example of real world malware using a form of steganography is the Trojan.Downbot Trojan [137]. Trojan.Downbot spreads through targeted [...] access an attacker-controlled website, for which the address is hardcoded into the malware itself. The website is made to look like a code tutorial site, and to anyone who happens to access it legitimately the website will appear completely harmless. If the page source is analysed, however, it can be found that the source contains specially formatted and encoded comments in [...] These comments and images contain the command and control commands for the malware, including a command for [...] combination (to upload collected data). [...] command and control communication is performed over HTTP and would appear in logs to be normal web browsing behaviour, and to block all HTTP is [...] legitimate users.

Case Study: Stegobot

[...] centralised botnet with an unobservable C2 protocol based upon steganography. The system utilises the existing user behaviour of the uploading of digital images to a social network, and the subsequent broadcast of these images to all of the user’s connections. The social network that is the focus of this paper is Facebook. The typical activity of Facebook is that a user uploads an image through the web interface, and while they are browsing the “news feed”, the recently uploaded images of their connections are downloaded to a temporary folder on the local machine. The malware operates as a proxy: when an image is uploaded, data is inserted into it before it is uploaded. The malware also attempts to extract data from the temporarily downloaded images, storing any recovered information. The malware is designed for information collection, in particular bank details and passwords. Commands are issued by the controller at some point in the network (note: this can be from any of the bots with equal probability), and the command is then propagated through the use of [...] the controller in the same way.

The system uses a steganography algorithm that is hard to detect [...] reliable unobservability. The C2 system [...] exclusively the normal browsing habits [...] on a social network of 7200 nodes, the bot controller can receive up to 86.13MB of data per month, which may seem like a small amount, but can represent many thousands of bank details and passwords.

D.4 Evasion

DNS

[...] is a naming system for computers on the Internet. It’s a basic piece of infrastructure that translates human-relatable computer resource names to IP addresses which can be used to route information. Attackers extensively use it to build and operate the C2 channel.

DNS Fast Flux

One of the major positive points for malware coders is that the IP addresses [...] need to be static. This property is used by legitimate services through the use of Content Delivery Networks (CDNs). CDNs are used by large-scale web services (such as Amazon and Facebook) for a number of purposes, the primary purpose being to enable the use of multiple servers around the world, so a user can access content closest to them. It is also useful to aid in load balancing and provides extra redundancy in case of [...] will contain multiple IP addresses, all of which are valid. The user will then connect to one of these. The returned IP addresses will typically have a TTL measured in hours or days. This is so [...] caching of results cannot be performed. Repeat requests for the same domain from the same location will in general return the same set of IP addresses, [...] CDN needs to load balance.

A variation on a CDN is a Fast-Flux [...] command and control server is hidden behind a wall of compromised machines, which are often part of a botnet. Each of these compromised hosts acts as a sort of “proxy” to the C&C server; each time they receive a request for the server they will forward it, and will return replies to the original requester. Each of these hosts will have a unique IP address, which can be used to access the server. [...] 10,000 compromised machines provides up to 10,000 IP addresses that can all point to a single server. [...] domain of the server is public. A host wishing to contact the server makes [...] returned a set of IP addresses, and then connects to one of them. This sounds [...] is almost identical to a CDN except for a [...] IP addresses returned will not be for the actual controller(s), rather they will point to compromised machines within [...] IP addresses will have a very short TTL, measured in minutes (rather than the days as is the case in a CDN). A second request will in most cases return a


[...] malware controller has no control over which of his compromised hosts are online, so the returned IP addresses need to change frequently to increase the chance that a host is available.

DNS as a Medium

[...] as a communication channel rather than just as a way to set up the channel. One example of this being used in the wild is Feederbot [28]. Feederbot makes use [...] response can be of multiple types, not [...] which as the name suggests means actual text can be transmitted. Feederbot [...] commands are encrypted and then encoded into base64 (which resembles [...] response packet uses valid syntax, [...]

While Feederbot is optimised for one-way command and control, in most cases the malware will need to transmit information back to its controller. [...] requests. In this case, the domain name that is being queried contains the data to be transmitted. The attack works as follows. The attacker sets up a domain name (evil.com) and makes sure that he has control of its authoritative nameserver (nameserver.evil.com) [...] for example, an infected host wishes to [...] back to its controller. It will simply make [...] the data to the domain (so the request will be for .) [...] The data can be encrypted before pre-pending to prevent the contents [...] request reaches the attacker controlled nameserver (nameserver.evil.com), the [...] The attacker can also send commands back to the malware in the response, either by using the method of Feederbot, [...] responses to indicate a particular task to be performed. A similar approach [...] patterns for the communication to avoid detection, for example by only creating [...] making them.

A second example of malware that [...] W32.Morto worm [79]. In this case, [...] return encrypted binary signatures and [...] malware then downloads a binary from the included IP address. It is also rather peculiar in that there are no A records for [...] that the domains are used for the sole purpose of controlling the worm.

One method of providing resilience to both detection and reverse engineering is the use of Domain Generation Algorithms (DGAs). The function of a DGA is to allow the malware to programmatically generate domains for which it attempts to access a command and control server. It is then up to the attacker to ensure he controls the domains that will be [...] A DGA will often be reliant on factors such as the current time or date, and the result should be consistent across multiple hosts. The malware will repeatedly run the algorithm to generate a domain and attempt to connect. The attacker can also run the algorithm, in advance, and register the domains when they are required to use as a temporary command and control server. [...] is that they allow for a large amount of redundancy in the command and control server. The controller, at any one time, is short lived and so if one is taken down, a new one will be available in little time. [...] will generate 250 domain names every three hours, based upon the current UTC date [94]. The same domains are generated every three hours (8 times per day). The malware will do a lookup on every generated domain, and will attempt to contact every domain that has an assigned IP address to download binaries.

Case Study: Torpig

Torpig is a botnet that is designed to steal personal information. In 2009, a team of researchers were able to take control of the botnet for a period of ten days, in which time they were able to document the operations of the botnet in its entirety [114, 115]. One of the key points of the Torpig botnet is that it makes use of a domain generation algorithm. Each bot independently uses a DGA to generate a set of domains based upon the current time. They then attempt to connect to each of these in turn, until one succeeds (i.e., the domain resolves to an IP address and the server replies with a valid response). The botmaster also computes the domains and registers them, usually with less than honest domain registrars, before they are generated, with the goal of getting at least one online. (The researchers were able to take control by beating the botmaster to it and registering the [...] botnet).

Future: Protocol Mimicking

One area of research that has grown recently is the area of protocol mimicking. The idea is to hide certain, noticeable communications by making [...] protocol. The main area of focus on [...] In many cases it can be dangerous to use Tor, and it exhibits very noticeable communication patterns. There are a number of systems that [...] low-latency and high bandwidth system, [...] client on a high numbered UDP port, and [...] the bridge containing its IP, UDP port and public key. The bridge replies with the same information. The client then starts a video call to the bridge, which it does not answer. Instead, the call is dropped and the encrypted data is sent


over UDP between the ports opened for [...] bridge. [...] contain simulated headers that match [...] also uses a similar approach with HTTP by generating fake HTTP requests from clients, and fake HTTP responses from the server to transmit data (which appear as normal HTTP browsing). The HTTP requests are replays based upon previously collected traces, with header information replaced with the data to be transmitted. The same approach is used for the responses from the server, except the data is hidden within the returned [...] designed for obfuscated web browsing, decouples the upstream and downstream channels. HTTP requests are sent to the server over a low capacity channel such as email or instant messaging. The server responds to the client by mimicking UDP-based VoIP [...] based VoIP.

All three of these approaches were deemed broken by Houmansadr et al. [53], who proved that all three systems are detectable due to their lack of complete protocol emulation. None of the three systems fully emulates all aspects (for example, error handling) of the protocol that they are attempting to hide as, allowing for detection by comparing [...]

While this has debunked these three systems, there is ongoing work to make systems like these less detectable. Even though this approach has not been seen in malware yet, it is fully expected that malware will start to take this approach in the near future. At the simplest level, malware that makes use of social networks is starting to adopt this [...] details a targeted attack against a major internet hosting provider in which malware was installed on Linux servers which opened a backdoor. The backdoor operated as a network monitor which [...] monitor looked for a certain sequence of [...] seen, the malware extracted encrypted and encoded data which followed. The data could be embedded in any [...] detect.

Future: Namecoin

Another further development that is beginning to appear in the wild is the use of the Namecoin service. Namecoin is related to Bitcoin, and provides a decentralised method to register and control domain names. Domains that belong to the Namecoin service use the “.bit” top-level domain. The advantage to a malicious user is that it provides the means to anonymously purchase a domain outside the control of any international body. McCardle et al [75] have found malware that is using this service in the wild, and it is expected that it will become more widespread.

D.5 Future Trends

As malware writers attempt to make their malware more resilient to take-down attempts and detection, there are a number of trends that we can expect in the near future.

First, the use of decentralised malware will increase. This will be both down to the additional redundancy provided by a decentralised network, and also the scalability provided by such systems, as it is also expected that botnets will continue to increase in size. We expect that the malware designers will start to [...]

[...] will also increase. As it is harder to avoid detection, and it is getting easier for authorities to locate malware operators, the operators will increasingly want to [...] become more widespread.

It is also expected that attackers will make use of further unusual channels for command and control in order to evade controls. A common control is to provide [...] machine is physically disconnected from any other machine, including the internet. In the perfect situation, this would be a laptop disconnected from the power supply (data can be transmitted through power cabling, a method that is used in the consumer “Powerline” network adapters). Recently, however, Hanspach and Goetz [49] have proposed a design for malware that can operate even in the face of an air gap. The proposed channel is to make use of the microphones and speakers found in most laptops in order to transmit data between machines using inaudible frequencies. Using this channel, a data rate of approximately 20bit/s up to a range of 19.7m can be achieved. By extending the system into a mesh network, multi-hop communication can be achieved. While 20bits/s seems [...] transmit small amounts of data such as passwords, banking details or memory dumps.

Finally, although in the wild it is currently [...] is a high probability that techniques involving steganography will become more widespread. This will allow the malware to use legitimate services to transmit information, i.e. by hiding in plain sight. This will vastly reduce the [...]
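As an added example that is not part of the report, the following Python triage runs over constructed DNS log records and flags the three DNS-based C2 patterns discussed in this section from the defender's side: fast flux (minute-scale TTLs and changing IP sets, as opposed to a CDN's stable set), DNS used as a data-carrying medium (encoded data prepended to the attacker's domain, as in the evil.com description), and DGA lookup storms (many random-looking names, mostly NXDOMAIN, as with Torpig). The domain names, client addresses and thresholds are all assumptions made for illustration.

```python
"""Triage of DNS logs for the three C2 patterns described in the text:
fast flux, DNS used as a data-carrying medium, and DGA lookups.
Added example, not code from the report. SAMPLE_LOG is constructed and
every threshold is an illustrative choice, not a value from the report."""
import math
from collections import defaultdict

# Constructed records: (timestamp_s, client, qname, rcode, ttl_s, answers)
SAMPLE_LOG = [
    # CDN-like: day-scale TTL and the same answer set on a repeat query
    (0, "10.0.0.5", "cdn.example-legit.test", "NOERROR", 86400,
     ("203.0.113.10", "203.0.113.11")),
    (600, "10.0.0.5", "cdn.example-legit.test", "NOERROR", 86400,
     ("203.0.113.10", "203.0.113.11")),
    # Fast-flux-like: minute-scale TTL and a different proxy set each time
    (0, "10.0.0.7", "update.flux-example.test", "NOERROR", 180,
     ("198.51.100.2", "198.51.100.9", "198.51.100.30")),
    (300, "10.0.0.7", "update.flux-example.test", "NOERROR", 180,
     ("198.51.100.41", "198.51.100.55", "198.51.100.3")),
    (600, "10.0.0.7", "update.flux-example.test", "NOERROR", 180,
     ("198.51.100.77", "198.51.100.80", "198.51.100.2")),
    # DNS as a medium: encoded data prepended to the attacker's own domain
    (10, "10.0.0.9", "mfrgg43fmzxw4zlomnxgkzts.ns.evil.test", "NOERROR", 60, ()),
    (11, "10.0.0.9", "nbswy3dpfqqgiytsmyqgg43faayq.ns.evil.test", "NOERROR", 60, ()),
    (12, "10.0.0.9", "onswg5lpnbzhg3ttmvzxi2lpnyqhe2lt.ns.evil.test", "NOERROR", 60, ()),
    # DGA-like client: random-looking names, most of them not registered
    (20, "10.0.0.12", "qxkdjvtspw.test", "NXDOMAIN", 0, ()),
    (21, "10.0.0.12", "hzpwmalkvcu.test", "NXDOMAIN", 0, ()),
    (22, "10.0.0.12", "tjrmowqyxfi.test", "NXDOMAIN", 0, ()),
    (23, "10.0.0.12", "bvxnqlpeu.test", "NOERROR", 300, ("192.0.2.44",)),
]


def registered_domain(qname, labels=2):
    """Last two labels of the name: a crude stand-in for a public-suffix
    lookup that is adequate for the constructed sample."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fast_flux_candidates(log, max_ttl=600, min_ips=5, min_answer_sets=2):
    """Domains whose answers carry a minute-scale TTL and whose repeated
    queries keep returning new IP sets. A CDN keeps a stable set under a
    TTL of hours or days, which is the contrast the text draws."""
    min_ttl, ips, answer_sets = {}, defaultdict(set), defaultdict(set)
    for _, _, qname, rcode, ttl, answers in log:
        if rcode != "NOERROR" or not answers:
            continue
        dom = registered_domain(qname)
        min_ttl[dom] = min(min_ttl.get(dom, ttl), ttl)
        ips[dom].update(answers)
        answer_sets[dom].add(frozenset(answers))
    return sorted(d for d in ips
                  if min_ttl[d] <= max_ttl and len(ips[d]) >= min_ips
                  and len(answer_sets[d]) >= min_answer_sets)


def dns_medium_candidates(log, min_unique=3, min_len=20, min_entropy=3.5):
    """Domains receiving many distinct, long, high-entropy leftmost labels:
    the queried name itself is carrying the data, as in the evil.com
    description above."""
    seen = defaultdict(set)
    for _, _, qname, _, _, _ in log:
        first = qname.lower().split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            seen[registered_domain(qname)].add(first)
    return sorted(d for d, s in seen.items() if len(s) >= min_unique)


def dga_candidates(log, min_domains=3, min_nx_ratio=0.5, min_entropy=3.0):
    """Clients resolving many distinct random-looking registered domains
    with mostly NXDOMAIN results: the lookup storm a DGA produces while
    most generated names are unregistered (the Torpig pattern above)."""
    stats = defaultdict(lambda: {"domains": set(), "nx": 0, "total": 0})
    for _, client, qname, rcode, _, _ in log:
        dom = registered_domain(qname)
        if shannon_entropy(dom.split(".")[0]) < min_entropy:
            continue
        st = stats[client]
        st["domains"].add(dom)
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nx"] += 1
    return sorted(c for c, st in stats.items()
                  if len(st["domains"]) >= min_domains
                  and st["nx"] / st["total"] >= min_nx_ratio)


if __name__ == "__main__":
    print(fast_flux_candidates(SAMPLE_LOG), dns_medium_candidates(SAMPLE_LOG),
          dga_candidates(SAMPLE_LOG))
```

Each check looks at a different aggregate (per domain for TTL and answer churn, per domain for label shape, per client for NXDOMAIN ratio), so a real deployment would tune the thresholds against the network's own baseline before alerting.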


C&C Detection

Given the range of C2 design techniques, there is much interest in the design of techniques to localise C2 communication [...] Detection techniques can be used to [...] large scale networks to engage with malicious network activity. In recent years, a number of new techniques have [...] data in order to support correlation and [...] of machine learning, semantic analysis, [...]

C&C detection falls broadly into two categories: signature-based and non-signature based. In signature-based detection, the detection algorithms are designed to look for known patterns of behaviour collected from malware samples (or “signatures”). These algorithms are often good at detecting the C&C of particular malware, but not so good at detecting new malware. Host-based anti virus systems usually fall into this category. Non-signature based algorithms instead look for anomalies compared to the norm. They are often much more adaptable to new variants of malware, but may not perform as well against known malware. Further [...] approaches for detection. These are [...] infected hosts, command servers and the communication protocol.

There are two primary measures of the success of a C&C detection, true positive rate (TP) and false positive rate (FP). The true positive rate measures the percentage of malicious samples that are labelled correctly as malware, while the false positive rate measures the number of legitimate samples that are incorrectly labelled as malware.

E.1 Measurement and Data Collection

When detecting malware C&C, the [...] selection of which data to collect and analyse is extremely important. For example, varying detection methods [...] data. As networks scale, it will get [...] traces go unrecorded, then detection systems cannot work.

Current measurement techniques have addressed scalability limitations of data collection by developing measurement architectures for aggregation and sampling. However they do so without addressing evasion resilience requirements. Also, little attention has been paid to measurement control mechanisms — tuning measurement in response to C2 evasion.

E.2 Scalable measurement

[...] feature or the sFlow feature. Alternatively, standalone measurement devices [25] [...] devices or splitters (optical or electrical) [...] to collectors which store the traces. Enterprise networks carrying a few tens of terabytes a day, resulting in [...] currently manageable as all records can be collected. However, the growth in network speeds might change this in the future. Additionally, C2 designers can attack the measurement system to evade [...] defenders would thus be forced to [...] could be impossible under conditions of [...] carries several tens petabytes of user [...] low storage and transmission costs, [...] data is outright impossible. [...] presents a challenge which requires collectors to summarise trace data. This can be done either via summarisation techniques or via sampling techniques. Unlike high-level summaries produced by summarisation techniques, sampling [...] — a requirement of most enterprise C2 [...] traces that are representative of [...] techniques can support the creation of arbitrary sub-aggregates to support detection techniques that need not be [...] place.

The challenge is to achieve the following requirements: 1. Fairness: yield accurate [...] samples to be gathered from data [...] Timeliness: provide samples in a timely manner to detection mechanisms. Fairness is an important criterion. If the fairness guarantees are weak or non-existent, then the adversary can exploit weaknesses in the sampling [...] evading the monitoring system, as a consequence detection would fail.

In the rest of this section, we will [...] collection that are used by the detection methods discussed later.

NetFlow

NetFlow is a network protocol for [...] Developed by Cisco, NetFlow is used [...] due to its low overhead but high level of detail. [...] represent a unidirectional sequence of packets between a single source-destination pair. As an example, NetFlow data could consist of the following:

[...]
Destination IP
Destination Port
Protocol (e.g. TCP, UDP)
[...]

[...] features that can also be stored, including timestamps, byte count, and headers. One of the key points, however, is that the actual payload data is not stored. This is due to the fact that the storage requirements would increase dramatically if all data is stored as well (if you imagine a 1Gbps router logging for just 1 day would create 7.2Tb of data to


store and process!).

Honeynets/Malware Traps

Honeynets and malware traps are essentially bait and traps for malware in the wild. A honeynet is typically made up of a number of honeypot nodes, which are machines that run vulnerable (un-patched) software with a goal of becoming infected with malware. The infected machines can then be used to [...] or human means. This data is one of the primary sources of signatures for signature-based detection methods. Honeynet nodes do not have to be a single machine. It is possible, through the use of virtual machines, to run large volumes of honeynet nodes on a relatively small amount of hardware. It is important to note that often the malware will be prevented from performing illegal [...] the researchers control.

Honeypot techniques have been widely used by researchers. Cooke et al. [22] conducted several studies of botnet propagation and dynamics using Honeypots; Barford and Yegneswaran [9] collected bot samples and carried out a detailed study on the source code [...] al. [38] and Rajab et al. [99] carried out measurement studies using Honeypots. Collins et al. [21] present a novel botnet detection approach based on the tendency of unclean networks to contain compromised hosts for extended periods of time and hence acting as a natural Honeypot for various botnets. However Honeypot-based approaches are limited by their ability to attract botnets that depend on human action for an infection to take place, an increasingly popular aspect of the attack vector [80].

Sandboxes

A slight variant on a honeynet is a malware sandbox. In this instance, malware is directly installed on a machine and the activities analysed. [...] however, is that the owner will also interact with the malware (for example, by mimicking command and control servers). This allows the researcher to gain a much bigger picture of the [...] situations.

Reverse Engineering

Perhaps the most labour intensive, reverse engineering is probably the most useful tool in learning about the command and control systems of malware. Many of the examples of command and control systems discussed in the previous section were discovered through reverse engineering. To reverse engineer the malware, the researcher will analyse the actual malware binary, and attempt to recover the source code. This can give valuable insights into the operation of the malware, and can even give vital information such as hardcoded C&C server addresses and encryption keys. The main issue is that it can take a very long time to completely reverse engineer a piece of malware (and in some cases it may not be possible at all), and it is [...] automate.

In signature-based detection methods, malware C&C is detected by looking for known patterns of behaviour, or [...] for known malware samples, and [...] various sources. The main sources are honeynets and sandboxes. Malware is run in controlled conditions, and its activity logged. What is logged depends on the detection algorithm being used, but almost every aspect of the malware’s behaviour can be included in a signature. [...] signatures upon the payload data of packets, while others can cover entire [...] It is also not the case that one piece of malware will be represented by a single signature, and vice versa. It is often the case that a single malware sample will generate multiple signatures as the conditions on a host machine can [...] and control activity. Conversely, a signature may represent multiple pieces of malware that exhibit very similar [...]

Communication Detection

As we have seen, many malware variants have very particular protocols when it comes to communication. These are [...] behaviour of the communications. This makes signature based detection methods very good for detecting known [...] pieces of malware may also be based upon a common component, meaning that a single signature can be used to detect multiple pieces of similar malware. One possibility for this kind of detection is to produce signatures based upon the contents of packets. It is often the case that packets of data involved in the C&C of malware will be almost identical across multiple hosts. Even though some malware families use encryption in their communications, that encryption is usually a simple, lightweight algorithm (as the encryption is often for obscurity rather than security), so there are [...] For example, in the work of Rieck et al [103], in which n-gram based signatures are generated for the payloads of malware that is run under controlled [...] with this method the system can achieve detection rates of close to 95%, with a false positive rate of close to zero when running on a network gateway.

Encryption can make the detection of [...] especially if the system uses widespread protocols such as HTTP. One approach is then to attempt to decrypt all packets and then perform signature detection on the decrypted contents, as is done by Rossow et al [104]. They take advantage of the fact that in many cases the encryption used is very simple, and often the key for encryption is hardcoded into the malware binary. The keys are fetched by reverse engineering, and then the payloads can be decrypted,


and signature-based detection applied. The obvious downside to this method is that it requires the labour intensive reverse engineering step.

[...] proposed a system for large-scale automatic signature generation. The system uses network traces collected from sandboxes and produces signatures for groups of similar malware, covering numerous protocols. This system is able to identify numerous malware examples with a high rate, and experiences a low false positive rate [...] generated. The signatures are designed to be exported to intrusion detection [...]

Spam Detection

There have also been attempts at performing spam detection based upon the method that the spam email was sent, which is quite often through [...] mail clients, including malware, introduce [...] protocol. They use this to produce “dialects”, which are signatures for each mail client that can represent these variations. Dialects are collected for known sources of spam, including malware, and also for legitimate mail services. It is then a simple case of matching incoming emails to a dialect to make the decision of if the email is spam.

In a further piece of work from the same [...] to their content, and then measures the source and destination IP addresses to match clusters to known botnets. This allows for both the enumeration of known botnets, and the discovery of new ones. It is of course the case that many spam campaigns could originate from the same botnet, so clusters that share source IPs are linked to the same botnet. It also is observed that a particular botnet will often target a particular set of destinations, such as one particular country, which is used to add precision.

Server Detection

[...] system for identifying malicious domains by creating network traces from known malware samples to create signatures, that can then be compared with network [...] based upon the domain names, but also the full HTTP requests associated with them. How this system is unique, however, is that the signatures are tailored to the network that they will be used on based upon the background [...] useful at reducing the level of false positives by exploiting the fact that [...] browsing behaviour (for example a car manufacturer is unlikely to visit the same websites as a hospital).

E.4 Non-Signature Based

The main disadvantage of using a signature based detection method is that these detection systems are [...] new, or updated, malware. Every time a new piece of malware is discovered, or an existing piece updates itself, the signatures have to be recreated. If the new variant is not discovered, then it is unlikely to be detected by these systems. This is where non-signature based detection comes in. In these systems, the algorithms look for behaviour that is not expected, rather than looking for particular known behaviour, or looking for [...] use of signatures.

Server Detection: DNS

There has been a large amount of work that attempts to provide a detection mechanism that can identify domains [...] large amount of malware that makes use of a centralised command and control structure. One proposed detection method is to make use of the reputation of domain names to decide if they are related to malicious activities [6]. In this system (Notos), domains are clustered in two ways. First, they are clustered according to the IP addresses [...] are clustered according to similarities in the syntactic structure of the domain names themselves. These clusters [...] based upon a collection of whitelists and blacklists: domains in a cluster that contains blacklist domains are likely to be malicious themselves. This system [...] achieve a true positive rate of 96% and a low false positive rate. In a further piece of work from the same authors as Notos, the idea is vastly expanded to [...] hierarchy. In this new system (Kopis) [7], [...] at the domains’ IP and name, looks at [...] They leverage the fact that malware-related domains are likely to have an inconsistent, varied pool of requesting hosts, compared to a legitimate domain which will be much more consistent. They also look at the locations of the requesters: requesters inside large networks are given higher weighting as a large network is more likely to contain infected machines. When tested, this system was actually able to identify a new botnet based in China, which was later removed from the internet.

[...] malware controllers that we have not yet [...] will often query these blacklists for IPs under their control to test their own networks [101]. The behaviour of a [...] on behalf of the controller will perform lots of queries, but will not be queried itself, while a legitimate service will receive incoming queries. This behaviour is relatively easy to detect by simply looking for queries that exhibit this behaviour.

Paxson et al [89] attempt to provide a detection mechanism that leverages the amount of information transmitted


that meet these criteria will indicate a [...] for inspection. The upper bound can [...] this has an impact on the amount of data [...] occur. The system looks primarily at data included within domain names, but also [...] patterns. Dagon et al. [26] studied the propagation rates of malware released [...]

It is also possible to automatically detect which domains belong to the new deployments of a known botnet. However, this approach requires a priori knowledge of botnet domain names and hence does not target scaling to networks where a botnet can simply change domain names, have a large pool of C&C IP addresses and change the domain name generation algorithm [...] blacklists and phishing blacklists [110], [...] the agility of the attackers. Much more recently, Villamar et al. [128] applied Bayesian methods to isolate centralised [...] blacklists, based on the similarity of their [...]

Fast Flux

[...] the command and control server is hidden behind a proxy of numerous [...] queries on the domain of the server will return a large, and constantly changing, set of IP addresses. As you may expect, this type of behaviour is relatively easy to detect. [...] is a simple process, due to the two [...]

[...] manually for individual suspect domains [...] This will give two pieces of information. The main result is that domains can be [...] the returned IP addresses will be those of likely compromised machines, which are quite possibly part of a botnet. This list can be compared with internal networks to identify and mitigate compromised machines, and also enumerate the botnet.

[...] [90] applies clustering to domains so they are grouped according to overlap in the returned IP addresses. By then comparing the clusters to previously [...] that make use of the same network.

Host Detection

An interesting system for host detection is BotHunter [44]. BotHunter is a system for identifying compromised hosts based upon the actions they perform, and initial connection to a command and control server. There are 5 steps to this pattern: inbound scan, inbound exploit, binary download, outbound C&C communication and outbound infection scanning (for propagation). [...] a good generalisation of the typical infection model for a botnet (although some botnets will obviously leave out or add extra steps). The system works by [...] of request packets. These are used to identify hosts performing the 5 steps, and if a host is found to perform certain combinations of these within a time [...] bot. The timer is used as legitimate services may give the appearance of performing one of these steps. There are two conditions for a host to be [...] that it has been the victim of an inbound exploit, and has at least one occurrence of outward C&C communication or propagation. The second is that it has at least two distinct signs of outward bot coordination or attack propagation. This system can achieve 95% detection rates, and low false positive rates. The downside, however, is that as it is heavily reliant on detecting the behaviour of existing botnets it can be evaded by slowing down the infection process to fall outside the time limits. BotHunter is available as an open source product.

The BotHunter authors produced a further system, BotMiner [43], that detects infected hosts without previous knowledge of botnets. In this system, [...] that exhibit similar communication and (possible) malicious activities. The clustering allows hosts to be grouped according to the botnet that they belong to, as hosts within the same botnet will have similar communication patterns, and will usually perform the same activities at the same time (such as a [...]

Finally, there are also schemes that combine network and host-based [...] [112] attempts to discriminate between locally-initiated versus remotely-initiated actions by tracking data arriving over the network being used as system call arguments using taint tracking methods. Following a similar approach, Gummadi et al. [48] whitelist [...] a host which allows an application server to selectively respond to service requests. Finally, John et al. [61] present a technique to defend against spam botnets by automating the generation of spam feeds by directing an incoming spam feed into a Honeynet, then downloading bots spreading through those messages and then using the outbound spam generated to create a better feed.

As we discussed, there are some [...] have previously applied graph analysis to detect botnets. The technique of Collins and Reiter [20] detects anomalies [...] suggest that a botnet can be detected


based on the observation that an attacker will increase the number of connected graph components due to a sudden growth of edges between unlikely neighbouring nodes. While it depends on being able to accurately model valid network growth, this is a powerful approach because it avoids depending on protocol semantics or packet statistics. However, this work only makes minimal use of spatial relationship information. Additionally, the need for historical record keeping makes it challenging in scenarios where the victim network is already infected when it seeks [...] while our scheme can be used to detect pre-existing botnets as well. Iliofotou et al. [56, 57] also exploit dynamicity of [...] in order to detect P2P networks. It uses static (spatial) and dynamic (temporal) metrics centred on node and edge level metrics in addition to the largest-connected-component-size as a graph level metric. Our scheme however [...] for expanders) and uses the full extent of spatial relationships to discover P2P graphs including the joint degree distribution and the joint-joint degree distribution and so on.

Of the many botnet detection and mitigation techniques mentioned above, most are rather [...] and only apply [...] botnets such as IRC/HTTP/FTP botnets, although studies [42] indicate that the centralised model is giving way to the P2P model. Of the techniques that do address P2P botnets, detection is [...] of certain types of botnets, reverse engineering botnet protocols and so on, which limits the applicability of these techniques. Generic schemes such as BotMiner [43] and TAMD [135] using behaviour based clustering are better [...] information which can have legal and privacy implications. It is also important to think about possible defences that botmasters can apply, the cost of these [...] Nicol [87, 107] describe schemes to mask the statistical characteristics of [...] of such schemes will only require minimal alterations to existing botnet [...] against detection schemes that depend on packet level statistics including BotMiner and TAMD.

E.5 Host Detection

An initial defence against botnets is to prevent systems from being infected [...] systems, and vulnerability patches help, but completely preventing infection is [...] encryption [136] and polymorphism [123] among other obfuscation techniques [123] to thwart static analysis based approaches used by anti-virus software. In response, dynamic analysis (see Vasudevan et al. [126] and references therein) overcomes obfuscations that prevent static analysis. Malware authors have countered this by employing trigger based behaviour such as bot command inputs and logic bombs which exploit analyzer limitations of only observing a single execution path. These limitations are overcome by analyzing multiple execution paths [14, 78], but bots may in turn counter this using schemes relying on the principles of secure triggers [39, 109]. In order to remain invisible to detection, bots can also use a variety of VM (Virtual Machine) based techniques for extra stealth, such as installing virtual machines underneath the existing operating system [65] to prevent access from software running on the target system, and being able to identify a virtual analysis environment including VMs and Honeypots [36]. Graph analysis techniques have also been used in host-based approaches. BLINC [62] is [...] of analyzing the “IP social-network” of a machine. Graph analysis has also been applied to automated malware [...] graphs [54].

One of the areas that is most important to organisations is to identify hosts that are infected with malware so appropriate actions can be taken. It is important to note here that we are only interested in host detection through the command and control actions of the malware, NOT the actual infection of the malware itself through binary detection (as is covered by anti-virus software).


Controls for C&C

Over the years, a number of security standards, recommendations, and best practices have been proposed to address security risks. In particular, [...] publishes and manages the “Critical [...] v4.1” [23], a list of key actions that organisations should take to detect, block, or mitigate attacks. The controls are informed from experience with actual attacks, as provided by a broad range of contributors to the list, and are designed so that they can be implemented, enforced and monitored largely in an automated fashion. These controls are recommended by UK Government for improving cyber defences in all organisations.

Hereinafter, we will review the Controls in the context of detecting and disrupting C2 activity. We will base our review on version 4.1 of the Controls, the latest available at the time of writing. More precisely, we will highlight the controls that appear suited to defending against [...] and on their practical applicability on the basis of the C2 techniques that we have discussed so far.

F.1 Controls for C2 Detection

Critical Control 5: Malware Defences

Control 5 is a very broad control that encompasses processes and tools for detecting, preventing, or correcting the installation and execution of malicious software on all devices of an organisation. [...] related to the prevention of infections (e.g., keeping systems and defence tools up to date, disabling auto-run mechanisms and performing automatic scans of removable media, emails, and web pages, deploying anti-exploitation [...] C2 activity:

Monitoring all inbound and [...]

[...] targeted attacks, the recommendations of this control are clearly relevant in the context of C2 activity. [...] phase of an attack.

Detecting anomalies in network [...] look for anomalies in the network [...] of malware activity (such as C2 communications) or of compromised machines.

[...] reputation checks. The control [...] for attempts to resolve known malicious domains or attempts to contact domains with poor reputation.

Critical Control 13: Boundary Defence

Control 13 is concerned with detecting [...] in organisation boundaries that may violate the organisation’s security policies. [...] identify signs of attacks and evidence of compromise. The practical actions that this control recommends include:

Using blacklists to deny communication from internal machines toward known malicious [...]

[...] logs analytics systems for further analysis and inspection.

[...] infection.

[...] data to identify anomalous activity.

[...] “choke point” and so that it can be segmented to prevent and contain infections.

Critical Control 17: Data Loss Prevention

The goal of control 17 is to track, control, prevent, and correct data transmissions and storage that violate an organisation’s [...] suggests watching large transfers of [...] A number of actions described as part [...] detect and mitigate C2 channels:

Deploying data loss prevention (DLP) tools at the perimeter, to identify sensitive data leaving the organisation premises. These tools [...] or data formats that are associated with sensitive data.

Detecting the unauthorised use of [...] rationale here is that malware may [...] data bypassing tools (such as DLPs) [...] content.

[...] patterns.

F.2 Controls for C2 Disruption

Critical Control 19: Secure Network Engineering

Control 19 prescribes a set of actions to broadly create an infrastructure that can withstand attacks. In particular, the following actions are relevant to the task of disrupting C2 activity:

[...] to trust zones. This activity [...] possible to clearly separate high-risk components of the network (e.g., parts that are particularly exposed to attacks) from high-value components (e.g., those that store sensitive data).

Designing an infrastructure that allows the rapid deployment of new access controls, rules, signatures, etc. This is especially important to [...] we have discussed: for example, to deploy new blacklists that have been [...] available or to update the signatures of indicators of compromise used in network-based monitors.

Ensure that clients query internal [...] monitored and whose replies can be manipulated to, for example, prevent access to known malicious or unauthorised domains.
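One added example, not code from the report or from any resolver, that serves both the fast-flux passage in the detection section (lookups that return a large, constantly changing set of addresses) and the Control 19 recommendation just above that clients use an internal resolver whose replies are monitored and can be manipulated: it profiles resolver responses, flags flux-like domains, and applies a blacklist to decide whether to answer, sinkhole or block. The response records, the blacklist and all thresholds are constructed.

```python
"""Added example (not from the report or from any resolver): profile an
internal resolver's responses to flag fast-flux-like domains and enforce a
blacklist, so that the reply handed to the client can be changed."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed blacklist; a real one would come from a reputation feed.
KNOWN_BAD = {"update-check.example.net"}


@dataclass
class DomainProfile:
    """What successive answers for one domain have revealed so far."""
    answers: int = 0
    ips_seen: set = field(default_factory=set)
    new_share_sum: float = 0.0  # per-answer share of never-seen IPs, summed
    min_ttl: int = 10**9

    def update(self, ttl: int, ips) -> None:
        ips = set(ips)
        if not ips:  # empty answers (e.g. NXDOMAIN) carry no address evidence
            return
        self.answers += 1
        self.new_share_sum += len(ips - self.ips_seen) / len(ips)
        self.ips_seen |= ips
        self.min_ttl = min(self.min_ttl, ttl)

    @property
    def churn(self) -> float:
        """Average share of fresh IPs per answer, leaving out the first
        answer, which is all new by definition."""
        if self.answers < 2:
            return 0.0
        return (self.new_share_sum - 1.0) / (self.answers - 1)

    @property
    def prefixes(self) -> int:
        # Distinct /16 networks: flux proxies are scattered over unrelated
        # networks (typically compromised home machines); a CDN pool is not.
        return len({ip_address(ip).packed[:2] for ip in self.ips_seen})


def classify(p: DomainProfile, min_ips=10, min_churn=0.5, max_ttl=300,
             min_prefixes=3) -> str:
    """Constructed thresholds; tune against the local resolver's baseline."""
    if (len(p.ips_seen) >= min_ips and p.churn >= min_churn
            and p.min_ttl <= max_ttl and p.prefixes >= min_prefixes):
        return "fast-flux"
    return "normal"


class ResolverMonitor:
    def __init__(self):
        self.profiles = defaultdict(DomainProfile)

    def observe(self, record: str) -> str:
        """Take one response line '<ts> <qname> <ttl> <ip,ip,...>' and
        return the action the resolver should apply to that name."""
        _ts, qname, ttl, ips = record.split()
        qname = qname.lower().rstrip(".")
        self.profiles[qname].update(int(ttl), ips.split(","))
        return self.policy(qname)

    def policy(self, qname: str) -> str:
        if qname in KNOWN_BAD:
            return "BLOCK"     # answer NXDOMAIN instead of the real records
        if classify(self.profiles[qname]) == "fast-flux":
            return "SINKHOLE"  # point clients at an internal sinkhole host
        return "ALLOW"


def run_monitor(records) -> dict:
    """Process all records and return the final action per domain."""
    m = ResolverMonitor()
    for r in records:
        m.observe(r)
    return {q: m.policy(q) for q in m.profiles}


# Constructed response log (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    # CDN-like: low TTL, but a small, stable pool inside one /16.
    "2014-02-03T09:00:00 www.example.com 60 192.0.2.10,192.0.2.11",
    "2014-02-03T09:01:00 www.example.com 60 192.0.2.11,192.0.2.12",
    "2014-02-03T09:02:00 www.example.com 60 192.0.2.10,192.0.2.12",
    "2014-02-03T09:03:00 www.example.com 60 192.0.2.12,192.0.2.10",
    # Fast-flux-like: each answer is mostly fresh addresses from several networks.
    "2014-02-03T09:00:05 login-verify.example.org 30 198.51.100.7,203.0.113.9,192.0.2.77,198.51.100.41",
    "2014-02-03T09:00:40 login-verify.example.org 30 203.0.113.9,198.51.100.88,203.0.113.120,192.0.2.130",
    "2014-02-03T09:01:15 login-verify.example.org 30 192.0.2.130,198.51.100.200,203.0.113.33,198.51.100.15",
    "2014-02-03T09:01:50 login-verify.example.org 30 203.0.113.250,192.0.2.201,198.51.100.102,203.0.113.61",
    # Blacklisted: blocked whatever its resolution behaviour looks like.
    "2014-02-03T09:02:30 update-check.example.net 3600 203.0.113.5",
]
```

`run_monitor(SAMPLE_RECORDS)` yields ALLOW for the CDN-like name, SINKHOLE for the flux-like one and BLOCK for the blacklisted one; the per-answer return value of `observe` is what a resolver hook would act on.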


F.3 [...]

The Critical Control list includes a few other controls that are not immediately related to the detection or disruption of C2 activity, but that are often associated with the defence against targeted attacks. More precisely, [...] recommends training employees and organisation members to be aware of attacks. Intuitively, better awareness can help avoid human [...] security training in general is debated [108], and the characteristics of targeted attacks may make training even less [...] studies describing training programs [...] attacks in mind have been described in the literature [111].

[...] indicates a list of actions for responding to incidents. [...] deal with the detection of C2 activity [...] is necessary to avoid or minimise the damages of an attack or ongoing infection.

Finally, [...] should also be taken into account in the context of C2 activity as a way to test the [...] used within an organisation. In particular, such security exercises should test whether attempts to set up C2 channels, using both known and new techniques or variations on existing techniques, would be detected by the other controls employed by the organisation.

F.4 Discussion

Our review of the Critical Controls shows that while they do include sensible advice on defending against C2 activity, they also have some limitations that [...] the most part, these limitations seem a consequence of the general nature of the 20 Critical Controls, which are not [...]

First, controls are often extremely broad, encompassing a wide variety of technologies and approaches. For example, the activities listed in Control 5 encompass whole sectors of the information security industry, ranging from anti-virus technologies, intrusion detection systems, reputation systems, and anomaly detection. This is not a problem per se: the use of orthogonal mechanisms (“defence in depth”) has long been considered good practice. However, extracting techniques that are [...] among the full list of controls may become daunting. [...] for C2 detection are scattered through several controls, which makes it more [...] ensure that all relevant controls have been implemented or considered. Finally, the Controls document provides little discussion of the limitations inherent in the controls it proposes. While the metric and test sections in each control provide a discussion of how to measure [...] may be easy for a reader to focus on the defensive mechanisms rather than on the results that they provide.

Generalization of controls for C2 detection and disruption

From our discussion of C2 techniques and defences, it is evident that most approaches to the detection of C2 [...] and applying some form of detection [...] include activities that lead organisations toward this approach to security; here, we will generalise and comment on these recommendations:

Monitor all inbound and outbound [...] attacks that may lead to an infection, for example, drive-by-download or spear phishing attacks. Outbound [...] for indications that a C2 channel has [...] Command & Control check-in, etc.)

Monitor network activity to identify connection attempts to known-bad end points, i.e., IPs and domains that are known to be used in attacks. The rationale is that access to these endpoints can be prevented, assuming that appropriate mechanisms are in [...] here is of course that of creating and maintaining up-to-date lists [...] approaches to create and evaluate such lists have been proposed both in academia and in the commercial sector [32, 58, 68, 95, 113, 124].

Identify and inspect anomalies in [...] is that targeted attacks rely on infrastructure that is less likely to be included in generally-available lists of malicious endpoints or to use C2 techniques (e.g., protocols) that are used also by general malware. Then, focusing on detecting anomalous [...] catch these novel threats. There are two assumptions underlying this recommendation: targeted attacks [...] of compromise. Both assumptions may need to be re-evaluated from time to time: we have seen that attackers are devising new methods [...] a network may change as new services and devices are introduced.

[...] for this recommendation is that it may be easier to collect such data, rather than setting up a full network monitoring system. As we have seen from our literature review, several approaches have been devised to [...]

Architect the network in such a way [...] and the activation of responses to attacks. For example, by having a [...] passes through, an organisation can simplify the full collection of [...] example, network segmentation can help keep separate (e.g., networks hosting front-facing


servers vs. those hosting internal services). In addition, the use of rate limiting techniques may slow down [...] data and increase the window of time in which a detection can occur.

Risks

There are several factors that may limit [...] are always looking for ways to “remain under the radar” and avoid detection. [...] content analysis techniques, they may use encrypted communication protocols, [...] a network. To thwart controls that call [...] of known malicious entities, attackers refrain from re-using artefacts (such as actual attack vectors, servers, and domain names) in multiple attacks. To work around anomaly detection approaches, attackers may make their [...]

Practical matters

We will conclude our review of security controls with a discussion of some non-technical issues that may face an adopter of the controls. For example, [...] apply a control in its entirety. In addition, implementing a control may require changes to or collaboration from a multitude of departments or groups inside an organisation. For example, [...] that the security group interacts with the networking group. It would be helpful to have some guidance on addressing such issues, perhaps in the form of case studies.

An approach that we have seen applied successfully to the introduction of new controls for C2 activity could be summarised as “start small, measure, and scale up”. An organisation does not need to apply a control throughout its entire infrastructure ( ): for example, it could choose to initially protect a subset of users, such as a high-risk group, or a group that is tolerant to initial experimentation with potentially higher than normal false [...] performance requirements and still a good potential of leading to the detection of C2 channel activity. After the initial, limited implementation of a control, [...] ( ). If successful, the control could be extended to larger portions of the organisation ( ).



[1] AT&T global networking facts. http://www.corp.att.com/gov/about_
Compatibility is Not Transparency: VMM Detection Myths and Realities. In [...]
[...], 2012.
[6] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a dynamic reputation system for dns. In [...], 2010.
[7] M. Antonakakis, R. Perdisci, W. Lee, N. Vasiloglou, and D. Dagon. [...], 2011.
[8] D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G.
[9] P. Barford and V. Yegneswaran. [...], volume 27 of [...]
[10] A. Barsamian. Network characterization for botnet detection using
[11] L. Bilge and T. Dumitras. Before We Knew It: An Empirical
detection. In [...]


[13] J. Brenner. [...]. The Penguin Press HC,
Yin. Automatically identifying trigger-based behavior in malware. In [...]
[15] http://www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_
[...], Dec. 2002.
[17] http://www.cisco.com/
[18] R. Clarke. [...]. Ecco, 2010.
http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain, 2009.
[20] M. P. Collins and M. K. Reiter. Hit-list worm detection and bot [...], 2007.
addresses. In [...]
[22] E. Cooke and F. Jahanian. The zombie roundup: Understanding, detecting, and disrupting botnets. In [...], 2005.
[24] M. Cova, C. Kruegel, and G. Vigna. There Is No Free Phish: An Analysis of “Free” and Live Phishing Kits. In Proc. [...], 2008.


Gigascope: a stream database for network applications. In [...]
[26] D. Dagon, C. Zou, and W. Lee. Modeling botnet propagation using time zones. In [...],
http://blog.cj2s.de/archives/28-Feederbot-a-bot-using-DNS-as-carrier-for-its-CC.html, 2011.
[29] R. Dingledine. Many more Tor users in the past week? https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html,
generation onion router. In [...], Aug. 2004.
Dynamic Malware Analysis Techniques and Tools. [...], 44(2), 2012.
[32] M. Felegyhazi, C. Kreibich, and V. Paxson. On the Potential of Proactive Domain Blacklisting. 2010.
[33] P. Ferrie. Attacks on More Virtual Machine Emulators. Technical
[34] P. Ferrie. Attacks on Virtual Machines. In [...], 2007.
[35] M. Fossi, E. Johnson, D. Turner, T. Mack, J. Blackbird, D. McKinney, M. K. Low, T. Adams, M. P. Laucht, and J. Gough.


van Doorn. Towards sound detection of virtual machines. In [...]. 2008.
the Nature and Causes of the Wealth of Internet Miscreants. In Proc. of the
[38] F. C. Freiling, T. Holz, and G. Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In [...], 2005.
Foundations and applications for secure triggers. ACM Trans. Inf.
[40] J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In [...], Apr.
[41] C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M. A. Rajab, C. Rossow, K. Thomas, V.
Peer-to-peer botnets: Overview and case study. In Hot[...], Apr. 2007.
[43] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering [...] Botnet Detection. [...], 2008.
[44] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. [...] Correlation. In [...], 2007.


2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit,
resilience and proximity. In [...], Aug. 2003.
In [...], Boston, MA, April 2009.
[49] M. Hanspach and M. Goetz. On covert acoustical mesh networks in air.
[50] T. Holz, M. Engelberth, and F. Freiling. Learning More About the [...], 2009.
[51] T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and [...]), 2008.
[52] C. Hosmer. Polymorphic & Metamorphic Malware. In [...], 2008.
is dead: Observing unobservable network communications. In [...]
indexing using function-call graphs. In Proceedings of the 16th ACM
[55] E. M. Hutchins, M. J. Cloppert, and R. M. Amin. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Technical report, Lockheed Martin Corporation, 2010.
[56] M. Iliofotou, M. Faloutsos, and M. Mitzenmacher. Exploiting [...] applications. In CoNext, 2009.
[57] M. Iliofotou, P. Pappu, M. Faloutsos, M. Mitzenmacher, G. Varghese, and H. Kim. Graption: Automated detection of P2P


Web Pages. In [...],
[59] JAP. Jap anon proxy. http://anon.inf.tu-dresden.de/
[60] M. Jelasity and V. Bilicki. Towards automated detection of peer-to-peer botnets: On the limits of local approaches. In [...] (LEET), 2009.
[62] T. Karagiannis, K. Papagiannaki, and M. Faloutsos. BLINC: [...], 2005.
detection and characterization. In [...], Apr. 2007.
[64] Kaspersky. Ask An Expert: The Brainstorming. http://blog.kaspersky.com/ask-an-expert-the-brainstorming/, 2013.
[66] C. Kolbitsch, E. Kirda, and C. Kruegel. The Power of [...] Malicious Code. In Proc. [...]
[...], February 13 2013.
Blacklists. [...], 35(1), 2012.


[69] R. Langner. To Kill a Centrifuge: A Technical Analysis of What [...] Group, Nov. 2013.
analysis of structured peer-to-peer systems: Routing distances and fault resilience. In [...], Aug. 2003.
[71] W. Lu, M. Tavallaee, and A. A. Ghorbani. Automatic discovery of botnet communities on large-scale communication networks. In [...]
[72] Mandiant. 2013 Threat Report. https://www.mandiant.com/resources/m-trends, 2013.
[73] Mandiant. APT1: Exposing One of China’s Cyber Espionage Units. Technical report, 2013.
[74] L. Martignoni, R. Paleari, G. F. Roglia, and D. Bruschi. Testing CPU Emulators. In [...]
[75] R. McCardle. A .bit odd. http://blog.trendmicro.com/trendlabs-security-intelligence/a-bit-odd/, 2013.
[77] H. Mohajeri Moghaddam, B. Li, M. Derakhshani, and I. Goldberg.
[78] A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. [...], 2007.
[79] http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record,
malware surveillance of the Tibetan movement. Technical Report UCAM-CL-TR-746, University of Cambridge, March 2009.


BotGrep: Finding P2P bots with structured graph analysis. In [...]
designs compromised by Chinese cyberspies. [...], May 27 2013.
[84] J. Nazario. Malicious Google AppEngine Used as a CnC. http://www.arbornetworks.com/asert/2009/11/malicious-google-appengine-used-as-a-cnc/, 2009.
[85] J. Nazario. Twitter-based Botnet Command Channel. http://www.arbornetworks.com/asert/2009/08/twitter-based-botnet-command-channel/, 2009.
New C&C Domains in Live Networks with Adaptive Control Protocol Templates. In [...], 2013.
[88] R. Paleari, L. Martignoni, G. F. Roglia, and D. Bruschi. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. In [...] (WOOT), 2009.
Practical comprehensive bounds on surreptitious communication over dns. In [...],
[90] R. Perdisci, W. Lee, and N. Feamster. Behavioral Clustering of [...] Network Traces. In [...], 2010.
[91] N. Perlroth. Hackers in China Attacked The Times for Last 4 Months. [...], January 30 2013.
[92] M. Polychronakis, P. Mavrommatis, and N. Provos. Ghost Turns Zombie: Exploring the Life Cycle of Web-Based Malware. In [...], 2008.

[...]01, 2007.
[95] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All Your iFrames Point to Us. In [...],
[96] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The Ghost in the Browser: Analysis of Web-based Malware. In [...], 2007.
[97] N. Provos, M. A. Rajab, and P. Mavrommatis. Cybercrime 2.0: When the Cloud Turns Dark. [...], 52(4),
Emulators. In [...],
[99] M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In [...], 2006.
blacklists keep up with bots? In [...], 2006.
[101] A. Ramachandran, N. Feamster, and D. Dagon. Revealing
[102] M. Z. Rafique and J. Caballero. FIRMA: Malware Clustering and [...] (RAID), 2013.


[...], 2010.
[104] C. Rossow and C. J. Dietrich. ProVex: Detecting Botnets with Encrypted Command and Control Channels. In [...], 2013.
[105] J. Rutkowska. Red Pill... or how to detect VMM using (almost) one CPU instruction. http://www.invisiblethings.org/papers/redpill.html, 2004.
Iran. [...], 1 June 2012.
[108] https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html,
analysis using conditional code obfuscation. In [...], 2008.
Zhang. An empirical analysis of phishing blacklists. In [...], 2009.
Awareness to Combat the Advanced Persistent Threat. In Proc. [...], 2009.
behavior. In [...]. 2008.
Locating Neighborhoods of Malware on the Web. 2010.
Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is my Botnet: Analysis of a Botnet Takeover. In [...], 2009.
Through the iFrame. In [...], 2011.


[...], 32(6), Dec. 2007.
detection based on network behavior. In [...]. 2008.
[...], 2012.
[...], 2011.
http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol, 2013.
Times Cyber Attack. http://www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack,
[123] [...]. Addison-Wesley Professional, 2005.
[...], 2011.
Favored APT Attack Bait. Technical report, Trend Micro Incorporated,
[126] A. Vasudevan and R. Yerraballi. Cobra: Fine-grained malware analysis using stealth localized-executions. In [...] (Oakland ’06), 2006.
Technical report, Verizon, 2013.



[129] N. Villeneuve, N. Moran, and T. Haq. Evasive Tactics: Taidoor. [...]taidoor-3.html, 2013.
for censorship-resistant web browsing. In Proceedings of the 2012 [...], 2012.
for the Tor anonymity system. In Proceedings of the 2012 ACM conference on Computer and communications security, 2012.
[132] C. Wisniewski. Twitter botnet command and control captured. http://nakedsecurity.sophos.com/2010/05/18/twitter-botnet-command-control-captured/, 2010.
Command and Control. [...], 10(3), 2013.
[134] ydklijnsma. Large botnet cause of recent Tor network overload. http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/, 2013.
detection. In DIMVA ’08: Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability
[136] A. Young and M. Yung. Cryptovirology: Extortion-based security
[137] E. Young and E. Ward. Trojan.Downbot. http://www.symantec.com/security_response/writeup.jsp?docid=2011-052413-1248-99, 2011.
Botgraph: Large scale spamming botnet detection. In [...], 2009.