Revision as of 10:36, 4 November 2016 edit Bullaful (talk \| contribs) Extended confirmed users 760 edits →Systems used for Command and Control ← Previous edit		Revision as of 16:10, 4 November 2016 edit undo Pintoch (talk \| contribs) Extended confirmed users 2,763 edits m change \|id={{citeseerx}} to \|citeseerx= Next edit →
Line 3: <ref>{{cite web\|url=http://www.cpni.gov.uk/documents/publications/2014/2014-04-11-cc_qinetiq_report.pdf\|title=Command & Control: Understanding, denying, detecting\|publisher=[[Centre for the Protection of National Infrastructure]]\|date=2014}}</ref><ref>{{cite web\|url=http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf\|title=Command and Control in the Fifth Domain\|publisher=Command Five Pty Ltd\|date=Feb 2012}}</ref> Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware. [[Fast-flux DNS]] can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS ___domain to DNS ___domain, with [[___domain generation algorithm]]s being used to create new DNS names for controller servers.<ref>{{cite web\|url=http://www.pcworld.idg.com.au/article/417011/malware_increasingly_uses_dns_command_control_channel_avoid_detection_experts_say/\|date=29 February 2012\|access-date=28 March 2016\|work=PC World\|title=Malware increasingly uses DNS as command and control channel to avoid detection, experts say}}</ref> In some cases, computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself.<ref>{{cite web\|title=Detecting and Dismantling Botnet Command and Control Infrastructure using Behavioral Profilers and Bot Informants\|url=http://wwweb.eecs.umich.edu/fjgroup/botnets/}}</ref><ref>{{cite web\|url=https://www.cs.ucsb.edu/~chris/research/doc/acsac12_disclosure.pdf\|title=DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis\|publisher=ACM\|work=Annual Computer Security Applications Conference\|date=Dec 2012}}</ref><ref>{{cite conference\|idciteseerx = ~~{{citeseerx\|~~10.1.1.110.8092}}\|title=BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic\|date=2008\|conference=Proceedings of the 15th Annual Network and Distributed System Security Symposium}}</ref> In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as [[IRC]] or [[Tor (anonymity network)\|Tor]], using [[peer-to-peer networking]] systems that are not dependent on any fixed servers, and using [[public key encryption]] to defeat attempts to break into or spoof the network. ==Architecture of Command and Control types==

Command and control (malware): Difference between revisions