A command and control server in a malware campaign was recently reported to have survived for two years without...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
being detected. How did this C&C server manage to hide this long? Are there better ways to stop these kinds of threats?
Palo Alto Networks' security researchers discovered that the "Gh0st" malware used a single C&C server for nearly two years. According to the researchers, the malware used a customer TCP protocol to communicate with the server and hide its malicious activity. In a follow up report, Trend Micro made a critical observation on the importance of the C&C server to threat actors -- that malware requires remote direction to perform the attack. Many steps of an attack have been automated, but a human is still needed to make the decision to advance the attack. This is similar to many other areas of IT where there is a desire to automate system management tasks. These same steps used by malware from a C&C server are very similar to other general IT system management tasks. Trend Micro outlines in its blog post the methods attackers have used in order to hide their C&C communications. The most common methods of hiding a C&C server including using Tor or similar technologies to remain on the deep Web or using a peer-to-peer network where the components communicate with one another rather than reporting back to a central server.
Closely monitoring all network connections may help you detect C&C communications, but this could be very difficult to perform on a large network. It would require monitoring all ports and protocols for signatures and anomalies, and can be done using tools from AlienVault, Damballa, FireEye, Trend Micro and many others. The signatures or indicators of compromise that were identified in previous attacks can help detect some new attacks, but targeted attacks may not be detected. Monitoring for anomalies is more difficult and requires an understanding of your network. Attackers know many of the shortcomings in network anomalies detection and can fly under that radar. Simply monitoring Internet connectivity may not be enough, as attackers often use legitimate popular websites, applications and cloud services as a C&C server to hide their malicious activity. This is where a host-based network monitoring tool might be able to detect an attacker moving laterally, or application level network monitoring becomes necessary for identifying anomalies to further investigate.
Learn more about how command and control servers govern malware
Find out if a new technique can de-anonymize malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.