Command and control (malware): Difference between revisions

Bender the Bot (talk | contribs)
m Peer-to-peer: http→https for Google Books and Google News using AWB
Redirected page to Botnet#Command and control
#REDIRECT [[Botnet#Command_and_control]] {{R from Merge}}
{{hatnote|For other uses of the term, see [[Command and control (disambiguation)]]}}
In the field of [[computer security]], '''command and control''' (C&C) infrastructure consists of [[server (computing)|server]]s and other technical infrastructure used to control [[malware]] in general, and, in particular, [[botnet]]s.
<ref>{{cite web|url=http://www.cpni.gov.uk/documents/publications/2014/2014-04-11-cc_qinetiq_report.pdf|title=Command & Control: Understanding, denying, detecting|publisher=[[Centre for the Protection of National Infrastructure]]|date=2014}}</ref><ref>{{cite web|url=http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf|title=Command and Control in the Fifth Domain|publisher=Command Five Pty Ltd|date=Feb 2012}}</ref> Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware. [[Fast-flux DNS]] can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS ___domain to DNS ___domain, with [[___domain generation algorithm]]s being used to create new DNS names for controller servers.<ref>{{cite web|url=http://www.pcworld.idg.com.au/article/417011/malware_increasingly_uses_dns_command_control_channel_avoid_detection_experts_say/|date=29 February 2012|access-date=28 March 2016|work=PC World|title=Malware increasingly uses DNS as command and control channel to avoid detection, experts say}}</ref>
 
In some cases, computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself.<ref>{{cite web|title=Detecting and Dismantling Botnet Command and Control Infrastructure using Behavioral Profilers and Bot Informants|url=http://wwweb.eecs.umich.edu/fjgroup/botnets/}}</ref><ref>{{cite web|url=https://www.cs.ucsb.edu/~chris/research/doc/acsac12_disclosure.pdf|title=DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis|publisher=ACM|work=Annual Computer Security Applications Conference|date=Dec 2012}}</ref><ref>{{cite conference|id = {{citeseerx|10.1.1.110.8092}}|title=BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic|date=2008|conference=Proceedings of the 15th Annual Network and Distributed System Security Symposium}}</ref> In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as [[IRC]] or [[Tor (anonymity network)|Tor]], using [[peer-to-peer networking]] systems that are not dependent on any fixed servers, and using [[public key encryption]] to defeat attempts to break into or spoof the network.
 
==Architecture of Command and Control types==
This section describes the communication structures on which command and control is built.
The architecture has evolved over time, and not all C&C systems use the same [[topology (computing)|topology]]. More advanced topologies are more resilient to shutdown, enumeration or discovery; however, some topologies limit the marketability of the botnet to third parties. Typical botnet topologies are star, multi-server, hierarchical and random.
 
===Client–server model===
[[Image:Server-based-network.svg|thumb|200px|A network based on the client-server model, where individual clients request services and resources from centralized servers]]
The client–server model appeared in the first botnets to go online. It has usually been built on Internet Relay Chat (IRC) or on domains or websites that list the commands by which the botnet is controlled. Commands tend to be simpler, and botnets smaller, when built on an IRC network.
Because IRC networks require little bandwidth and use simple communication methods, they have also been used to host botnets, which tend to be simple in construction. They have been used many times to coordinate DDoS attacks or spam campaigns, switching channels to avoid being taken down. However, blocking certain keywords has sometimes proved effective in stopping an IRC-based botnet.
 
Most of the largest botnets that have been built used domains rather than IRC in their construction (see [[Rustock botnet]] and [[Srizbi botnet]]).
They have almost always been hosted with bulletproof hosting services (see [[Bulletproof hosting]]).
Since botnets based on the client–server model have usually been taken down sooner or later, hackers have moved toward P2P as an alternative to avoid botnet takedowns.
 
Botnet servers are typically linked together for redundancy, so as to reduce the threat of a takedown. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies; they rely on individual peer-to-peer relationships.<ref>{{cite web|title=what is a Botnet trojan?|url=http://www.dslreports.com/faq/14158|publisher=DSL Reports|accessdate=7 April 2011}}</ref>
 
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, finding one server with one botnet channel can often reveal the other servers, as well as their bots. A botnet server structure that lacks [[redundancy (engineering)|redundancy]] is vulnerable to at least the temporary disconnection of that server. However, recent [[IRC server]] software includes features to mask other connected servers and bots, eliminating that approach.{{citation needed|date=February 2015}}
 
===Peer-to-peer===
[[Image:P2P-network.svg|thumb|200px|A peer-to-peer (P2P) network in which interconnected nodes ("peers") share resources amongst each other without the use of a centralized administrative system]]
Since IRC networks and domains can usually be taken down given time, hackers have moved on to P2P as a way to make takedowns harder. Some have even been known to use encryption to secure or lock down the botnet from others; when they do, it is most often public-key encryption, which has presented challenges both in implementing it and in breaking it (see [[Gameover ZeuS]] and [[ZeroAccess botnet]]).
 
Some newer botnets are almost entirely P2P. Command and control is embedded into the botnet rather than relying on external servers, thus avoiding any single point of failure and evading many countermeasures.<ref>{{cite book|authors=Wang, Ping|chapter=Peer-to-peer botnets|editors=Stamp, Mark & Stavroulakis, Peter|title=Handbook of Information and Communication Security|publisher=Springer|year=2010|isbn=9783642041174|url=https://books.google.com/books?id=I-9P1EkTkigC&pg=PA335|display-authors=etal}}</ref> Commanders can be identified solely through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key that is hard-coded into it or distributed with the bot software. Only with the private key (known only to the botnet operators) can the data captured by the bot be read.
 
In the P2P method of command and control, each bot knows only a list of peers to which it can relay commands, and those peers pass them on to other peers further down the botnet. The list tends to hold around 256 peers: small enough that commands can be passed on quickly, while making the botnet harder to disrupt and allowing it to remain online even if large numbers of peers are taken down in a takedown effort.
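The resilience claims above (a single C&C server is a single point of failure, whereas a P2P overlay with short per-bot peer lists keeps propagating commands after many peers are removed) can be checked with a small graph simulation. This is an added example for defenders estimating how much of an overlay a takedown must remove, not code from the article or from any real botnet; the topology sizes, the 12-entry peer list (scaled down from the article's 256) and the random seeds are constructed for the demo.

```python
import random
from collections import deque


def build_p2p_overlay(n_bots, peers_per_bot, seed=0):
    """Constructed P2P overlay: every bot knows only a short random list of peers
    (the article describes lists of about 256; a smaller list keeps the demo fast)."""
    rng = random.Random(seed)
    bots = range(n_bots)
    return {b: rng.sample([p for p in bots if p != b], peers_per_bot) for b in bots}


def build_client_server(n_bots):
    """Constructed client-server topology: bot 0 plays the C&C server, the rest know only it."""
    overlay = {0: list(range(1, n_bots))}
    overlay.update({b: [0] for b in range(1, n_bots)})
    return overlay


def command_reach(overlay, origin, removed):
    """Fraction of surviving bots that a command injected at `origin` still reaches
    once the bots in `removed` have been taken down (breadth-first over peer lists)."""
    alive = set(overlay) - set(removed)
    if origin not in alive:
        return 0.0
    seen, queue = {origin}, deque([origin])
    while queue:
        for peer in overlay[queue.popleft()]:
            if peer in alive and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return len(seen) / len(alive)


def takedown_resilience(overlay, fraction, seed=1):
    """Remove a random `fraction` of bots and report how much of the remainder is still
    commandable when the command is injected at the lowest-numbered survivor."""
    rng = random.Random(seed)
    removed = set(rng.sample(sorted(overlay), int(fraction * len(overlay))))
    survivors = sorted(set(overlay) - removed)
    return command_reach(overlay, survivors[0], removed) if survivors else 0.0


if __name__ == "__main__":
    star = build_client_server(100)
    print("star, server seized:", command_reach(star, 0, {0}))
    p2p = build_p2p_overlay(400, 12)
    for frac in (0.0, 0.5, 0.9):
        print(f"p2p, {int(frac * 100)}% of peers removed:", round(takedown_resilience(p2p, frac), 3))
```

Seizing the single server zeroes the star's reach, while the P2P overlay stays almost fully commandable at 50% removal and only collapses once the surviving peers' alive out-degree drops near one.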
 
==Systems used for Command and Control==
{{Unreferenced section|date=March 2016}}Command and control (C&C) has been implemented in several different ways.
Some of the common and well-known types of C&C are listed here.
 
===Domains as C&C===
This is one of the earliest known types of C&C.
A [[zombie (computer science)|zombie]] computer accesses a specially designed webpage or ___domain that serves the list of controlling commands.
The advantage of using webpages or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated.
 
The disadvantages of this method are that it uses a considerable amount of bandwidth at large scale, and that domains can be quickly seized by government agencies without much trouble or effort. If the domains controlling the botnet are not seized, they are also easy targets for [[denial-of-service attack]]s.
 
===IRC as C&C===
IRC networks use simple, low-bandwidth communication methods, which made them widely used in the past to host botnets. They tend to be relatively simple in construction, and have been used with moderate success for coordinating DDoS attacks and spam campaigns while being able to continually switch channels to avoid being taken down. However, in some cases merely blocking certain keywords has proven effective in stopping IRC-based botnets.
 
===P2P as C&C===
Botnets with command and control based on peer-to-peer technology are a relatively recent arrival in the threat landscape.
Since IRC networks and domains can usually be taken down given time, hackers have moved on to P2P as a way to make takedowns harder.
Some have even been known to use encryption to secure or lock down the botnet from others; when they do, it is most often [[public-key cryptography]], which has presented challenges both in implementing it and in breaking it.
 
==See also==
*[[Advanced Persistent Threat]]
*[[Low Orbit Ion Cannon]]
*[[Zeus (malware)]]
 
==References==
{{reflist|30em}}
 
==External links==
* [https://sourceforge.net/projects/loic-irc-0/ LOIC IRC-0 - An Open-Source IRC Botnet for Network Stress Testing]
* [https://sourceforge.net/projects/loic-slow-irc/ LOIC SLOW IRC Now Able to Use Webpages And IRC as C&C]
* [http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software Build your own botnet with open source software]
 
[[Category:Malware]]