Command and control (malware): Difference between revisions

added links to Zeus (malware), ZeroAccess botnet, and to wired article
Redirected page to Botnet#Command and control
 
#REDIRECT [[Botnet#Command_and_control]] {{R from Merge}}
{{hatnote|For other uses of the term, see [[Command and control (disambiguation)]]}}
In the field of [[computer security]], '''command and control''' (C&C) infrastructure consists of [[server (computing)|server]]s and other technical infrastructure used to control [[malware]] in general, and, in particular, [[botnet]]s.
<ref>{{cite web|url=http://www.cpni.gov.uk/documents/publications/2014/2014-04-11-cc_qinetiq_report.pdf|title=Command & Control: Understanding, denying, detecting|publisher=[[Centre for the Protection of National Infrastructure]]|date=2014}}</ref><ref>{{cite web|url=http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf|title=Command and Control in the Fifth Domain|publisher=Command Five Pty Ltd|date=Feb 2012}}</ref> Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware. [[Fast-flux DNS]] can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS ___domain to DNS ___domain, with [[___domain generation algorithm]]s being used to create new DNS names for control servers.<ref>{{cite web|url=http://www.pcworld.idg.com.au/article/417011/malware_increasingly_uses_dns_command_control_channel_avoid_detection_experts_say/|date=29 Feb 2015|work=PC World|title=Malware increasingly uses DNS as command and control channel to avoid detection, experts say}}</ref>
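
As an added illustration of the detection side of the paragraph above (this is not part of the article), the following Python script scans constructed resolver log lines for the two signals just described: DGA-like query names (long, high-entropy, vowel-poor labels) and fast-flux-like names (many distinct answer addresses with short TTLs). The log format, the thresholds and the sample domains are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the article): "<epoch> <client> <qname> <answer_ip> <ttl>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com 93.184.216.34 3600
1700000010 10.0.0.5 kq3x9vz1lpm7w.com 198.51.100.7 300
1700000020 10.0.0.6 x7gh2pq9zt4l.net 198.51.100.8 300
1700000030 10.0.0.7 update.flux.example.net 203.0.113.10 60
1700000040 10.0.0.7 update.flux.example.net 203.0.113.11 60
1700000050 10.0.0.7 update.flux.example.net 203.0.113.12 60
1700000060 10.0.0.7 update.flux.example.net 203.0.113.13 60
1700000070 10.0.0.8 mail.example.com 93.184.216.35 3600
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_label(qname):
    """Naive second-level label (no public suffix list): 'example' for 'update.flux.example.net'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """DGA heuristic: long, high-entropy label with few vowels (all three needed, to limit false positives)."""
    label = registered_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)

def analyze(log_text, min_ips=3, max_ttl=300):
    """Flag DGA-like qnames and fast-flux-like qnames (many distinct A records, short TTL)."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        _ts, _client, qname, ip, ttl = line.split()
        ips[qname].add(ip)
        ttls[qname].append(int(ttl))
    dga_like = sorted(q for q in ips if looks_generated(q))
    fast_flux = sorted(q for q in ips if len(ips[q]) >= min_ips and min(ttls[q]) <= max_ttl)
    return {"dga_like": dga_like, "fast_flux_like": fast_flux}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Both heuristics produce false positives on real traffic (CDN hostnames also rotate addresses with short TTLs, and some legitimate brand names are high-entropy), so in practice the output is a candidate list for further review rather than a blocklist.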
 
In some cases, computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself.<ref>{{cite web|title=Detecting and Dismantling Botnet Command and Control Infrastructure using Behavioral Profilers and Bot Informants|url=http://wwweb.eecs.umich.edu/fjgroup/botnets/}}</ref><ref>{{cite web|url=https://www.cs.ucsb.edu/~chris/research/doc/acsac12_disclosure.pdf|title=DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis|publisher=ACM|work=Annual Computer Security Applications Conference|date=Dec 2012}}</ref><ref>{{cite conference|id = {{citeseerx|10.1.1.110.8092}}|title=BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic|date=2008|conference=Proceedings of the 15th Annual Network and Distributed System Security Symposium}}</ref> In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as [[IRC]] or [[Tor (anonymity network)|Tor]], using [[peer-to-peer networking]] systems that are not dependent on any fixed servers, and using [[public key encryption]] to defeat attempts to break into or spoof the network.
 
==Systems Used for Command and Control==
Command and control (C&C) has been implemented in several different ways.
Some of the common and well-known types of C&C are listed here.
 
===Domains as C&C===
This is one of the earliest known types of C&C.
A zombie computer accesses a particular web page or ___domain (or set of domains) on which the commands it should carry out are listed.
The advantages of using web pages or domains as C&C are that the bot code is usually simpler, and that a large botnet is easy to update and maintain without much trouble.
The disadvantages of using web pages or domains are the high bandwidth needed if a large botnet is built, and the fact that many domains have been seized by government agencies in order to take down a botnet without much trouble or effort (seizing a ___domain mainly requires a court order). The domains can also be a target for denial-of-service attacks, which would take the botnet offline.

===IRC as C&C===
Since IRC networks require low bandwidth and use simple methods of communication, they have also been used to host botnets. IRC-based botnets tend to be simple in construction and have been used many times for coordinating DDoS attacks or spam campaigns, switching channels to avoid being taken down.
Blocking certain keywords has, however, sometimes proved effective in stopping an IRC-based botnet.
 
===P2P as C&C===
Botnets with command and control based on peer-to-peer (P2P) technology are a more recent development in the threat landscape.
Since IRC networks and domains can usually be taken down given time, hackers have moved on to P2P as a way of making their botnets harder to take down.
Some have also been known to use encryption to secure or lock down the botnet against others; when they do, it is usually public-key encryption, which has presented challenges both in implementing it and in breaking it.
 
 
==See also==
*[[Malware]]
*[[Advanced Persistent Threat]]
*[[Zombie (computer science)]]
*[[Botnet]]
*[[Low Orbit Ion Cannon]]
*[[ZeroAccess botnet]]
*[[Zeus (malware)]]
 
==References==
{{reflist|colwidth=30em}}
 
==External Links==
* [https://sourceforge.net/projects/loic-irc-0/ LOIC IRC-0 - An Open-Source IRC Botnet for Network Stress Testing]
* [https://sourceforge.net/projects/loic-slow-irc/ LOIC SLOW IRC Now Able to Use Webpages And IRC as C&C]
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own botnet with open source software]
 
 
[[Category:Malware]]
 
 
{{computer-security-stub}}