A command and control server in a malware campaign was recently reported to have survived for two years without...
being detected. How did this C&C server manage to hide this long? Are there better ways to stop these kinds of threats?
Palo Alto Networks' security researchers discovered that the "Gh0st" malware used a single C&C server for nearly two years. According to the researchers, the malware used a customer TCP protocol to communicate with the server and hide its malicious activity. In a follow up report, Trend Micro made a critical observation on the importance of the C&C server to threat actors -- that malware requires remote direction to perform the attack. Many steps of an attack have been automated, but a human is still needed to make the decision to advance the attack. This is similar to many other areas of IT where there is a desire to automate system management tasks. These same steps used by malware from a C&C server are very similar to other general IT system management tasks. Trend Micro outlines in its blog post the methods attackers have used in order to hide their C&C communications. The most common methods of hiding a C&C server including using Tor or similar technologies to remain on the deep Web or using a peer-to-peer network where the components communicate with one another rather than reporting back to a central server.
Closely monitoring all network connections may help you detect C&C communications, but this could be very difficult to perform on a large network. It would require monitoring all ports and protocols for signatures and anomalies, and can be done using tools from AlienVault, Damballa, FireEye, Trend Micro and many others. The signatures or indicators of compromise that were identified in previous attacks can help detect some new attacks, but targeted attacks may not be detected. Monitoring for anomalies is more difficult and requires an understanding of your network. Attackers know many of the shortcomings in network anomalies detection and can fly under that radar. Simply monitoring Internet connectivity may not be enough, as attackers often use legitimate popular websites, applications and cloud services as a C&C server to hide their malicious activity. This is where a host-based network monitoring tool might be able to detect an attacker moving laterally, or application level network monitoring becomes necessary for identifying anomalies to further investigate.
Learn more about how command and control servers govern malware
Find out if a new technique can de-anonymize malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading