One of the ways that malware activity on a network is spotted is through its network traffic. However, in many cases this can be difficult to detect: there have been incidents where command-and-control (C&C) servers were able to stay online and pose a problem for many years. This particular group of threat actors was active for more than five years, and used a single C&C server for two years.
Malware, unlike future artificial intelligence, is generally not self-aware and requires direction from an attacker to function well. That’s where C&C servers come in. While these are commonly thought of as limited to use by botnets, that is less true today than it once was: many different threats, not just botnets, require C&C servers to function correctly.
Previously, C&C servers were limited to IRC servers that controlled victim machines via chatroom commands. Since then, it has become essentially standard for all malware to include some form of remote control in order to perform the following functions:
- receive commands to perform directed malicious routines
- report system information for tracking purposes
- send stolen information to an external drop zone
- allow an attacker complete control of the affected machine
The infrastructure behind these C&C servers has also improved over time. Servers are able to stay in use for far longer periods due to increasingly sophisticated techniques: C&C servers have been implemented in ways that make them resilient to takedowns, difficult to detect, and able to disguise their origins. In this post, we describe the most popular methodologies used to circumvent security solutions and maintain control for longer periods of time, starting with the more sophisticated techniques. This may give some insight into how attackers operate and how their activities can be stopped.
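The post above makes the point that C&C traffic is hard to spot and that a single server can stay in use for years. One signal defenders do have is regularity: implants typically check in on a fixed timer, so a host contacting the same destination at near-constant intervals stands out even when the destination itself is unknown. The following is an added example, not code from the original post or its author; it parses a constructed proxy-log format (timestamp, source host, destination, bytes out, all made-up values) and flags source/destination pairs whose contact intervals show very little jitter. The field layout, thresholds and the `beacon_candidates` name are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not taken from the original post).
# Format assumed here: "<ISO timestamp> <source host> <destination> <bytes out>"
SAMPLE_LOG = """\
2023-03-01T10:00:00 ws-17 203.0.113.45 512
2023-03-01T10:00:04 ws-17 cdn.example.net 8192
2023-03-01T10:05:00 ws-17 203.0.113.45 514
2023-03-01T10:07:31 ws-17 mail.example.net 2048
2023-03-01T10:10:00 ws-17 203.0.113.45 511
2023-03-01T10:15:01 ws-17 203.0.113.45 513
2023-03-01T10:20:00 ws-17 203.0.113.45 512
2023-03-01T10:25:00 ws-17 203.0.113.45 512
2023-03-01T10:11:42 ws-17 cdn.example.net 40960
2023-03-01T10:33:10 ws-17 cdn.example.net 1024
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples from the constructed format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def beacon_candidates(text, min_events=5, max_jitter=0.1):
    """Return {(src, dst): (mean_interval_seconds, relative_jitter)} for pairs
    whose contact intervals are nearly constant.

    min_events: minimum number of contacts before a pair is considered at all
    max_jitter: upper bound on pstdev(gaps) / mean(gaps); thresholds are illustrative
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()  # log lines are not guaranteed to arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps, not a timer
        jitter = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, jitter) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {interval}s (jitter {jitter})")
```

In the sample, `ws-17` contacts `203.0.113.45` every five minutes with at most a second of drift, so it is reported; the CDN and mail contacts are irregular and too few to qualify. On real logs the thresholds need tuning, and benign software (update checks, monitoring agents) also beacons, so the output is a triage list rather than a verdict.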
The purpose of this document is to make recommendations on how to browse in a privacy- and security-conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.
I probably never posted about this site on here, but I still reference it quite frequently, and I highly recommend it to anybody who is concerned with their online privacy. This is a must-read and gets updated as needed with new tools and resources.
Here is a list of all the domains caught so far sending your data back to Microsoft in Windows 10:
Warning: Block them at your own risk. You may break some updating functionality.