lolloj - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How can a malicious C&C server remain undetected?

A command and control server for the "Gh0st" malware campaign went undetected for two years, according to security researchers. Expert Nick Lewis explains how it happened.

A command and control server in a malware campaign was recently reported to have survived for two years without...

being detected. How did this C&C server manage to hide this long? Are there better ways to stop these kinds of threats?

Palo Alto Networks' security researchers discovered that the "Gh0st" malware used a single C&C server for nearly two years. According to the researchers, the malware used a customer TCP protocol to communicate with the server and hide its malicious activity. In a follow up report, Trend Micro made a critical observation on the importance of the C&C server to threat actors -- that malware requires remote direction to perform the attack. Many steps of an attack have been automated, but a human is still needed to make the decision to advance the attack. This is similar to many other areas of IT where there is a desire to automate system management tasks. These same steps used by malware from a C&C server are very similar to other general IT system management tasks. Trend Micro outlines in its blog post the methods attackers have used in order to hide their C&C communications. The most common methods of hiding a C&C server including using Tor or similar technologies to remain on the deep Web or using a peer-to-peer network where the components communicate with one another rather than reporting back to a central server.

Closely monitoring all network connections may help you detect C&C communications, but this could be very difficult to perform on a large network. It would require monitoring all ports and protocols for signatures and anomalies, and can be done using tools from AlienVault, Damballa, FireEye, Trend Micro and many others. The signatures or indicators of compromise that were identified in previous attacks can help detect some new attacks, but targeted attacks may not be detected. Monitoring for anomalies is more difficult and requires an understanding of your network. Attackers know many of the shortcomings in network anomalies detection and can fly under that radar. Simply monitoring Internet connectivity may not be enough, as attackers often use legitimate popular websites, applications and cloud services as a C&C server to hide their malicious activity. This is where a host-based network monitoring tool might be able to detect an attacker moving laterally, or application level network monitoring becomes necessary for identifying anomalies to further investigate.

Next Steps

Learn more about how command and control servers govern malware

Find out if a new technique can de-anonymize malware

Read about the threat of self-deleting malware in the enterprise

This was last published in March 2016

Dig Deeper on Malware, virus, Trojan and spyware protection and removal