Cyber Security – Attacking through Command and Control

A C&C- Command, and Control server is basically a computer in control of a hacker or any cybercriminal, etc. which is maliciously used for commanding the various systems that have already been exploited or compromised by malware, and these servers are also used for receiving the desired data by the hacker from the compromised machines covertly on the target network. Now, as C&C servers are easily able to pivot through and blend in the target network easily, so many organizations have started using various types of cloud-based services.

How C&C Works?

In this section, we will be discussing various Command and Control techniques used.

1. Vindictive organization hacks have been on the ascent in the most recent decade. One of the most harming exploits, frequently executed over DNS, is cultivated through command and control, additionally called C2 or C&C.

2. The hacker firstly begins the attack by exploiting a machine inside the target organization, which may be behind a firewall. This should be possible in an assortment of ways:

  • By means of phishing.
  • Through vulnerabilities in browser plugins.
  • Through the execution of various malicious programs or applications on the victim machine.

3. Thereafter, when a computer over the target network has been compromised and connection has been established, then the exploited machine acknowledges the attacker machine by sending it signals for further commands.



4. This victim machine will execute the further commands incoming from the hacker’s C&C server, and may forcefully download other supporting software for the further attack.

5. Now, the hacker has accomplished the mission of having complete control of the victim’s machine and therefore can run any kind of malicious code on it. Similarly, the malicious code will further easily pivot through the network; completely comprising the whole IT infrastructure of an organization, which will ultimately lead to the creation of a network of already compromised machines also known as a botnet.

6. In this way, a hacker can get full unauthorized access over the target’s network.

7. C&C works as the base camp to which the malware used in the attack, recursively reports the sniffed or stolen data recursively, and also the various attack supporting commands are stored on the server. In order to pivot through a network a vital step in such a type of attack is establishing the C&C connections.

8. C2 servers also serve as a headquarter for the already exploited machines in a botnet. It very well may be utilized to disperse commands that can take information, spread malware, upset web administrations, and the sky is the limit from there.

9. Besides permitting aggressors to take information, the presence of C&C programs on a machine may likewise disturb genuine applications and cause the abuse of future assets.

Botnet Architecture in C&C Server

1. The Centralized Model: Sort of network model where all clients interface with a focal system, which is the acting operator for all correspondences.

  • This system/server would store both the correspondences and the client account data.
  • Most open texting stages utilize a unified organization.
  • Additionally, called concentrated mainframe structure.

2. Peer-to-Peer Model: Peer-to-Peer computing or systems administration is a circulated application design that allotments errands or outstanding burdens between peers.



  • Peers or nodes connected are similarly favored, equipotent members in the application.
  • They are said to frame a shared organization of hubs.
  • Nodes make a few of their assets, for example, preparing power, circle stockpiling or organization data transmission, straightforwardly accessible to other organization members, without the requirement for focal coordination by workers or stable hosts.
  • Peers are the two providers and buyers of assets, rather than the conventional customer worker model in which the utilization and gracefully of assets are isolated.
  • Developing cooperative P2P frameworks are going past the period of friends doing comparative things while sharing assets, and are searching for different companions that can acquire extraordinary assets and abilities to a virtual network accordingly enabling it to take part in more noteworthy undertakings past those that can be cultivated by singular friends, yet that are helpful to all the peers.

3. Random Model: Arbitrary geography botnets don’t depend on any C&C mainframes; rather, all botnet orders are sent legitimately starting with one bot then onto the next on the off chance that they are considered to be “marked” by some uncommon methods showing that they have begun from the botnet proprietor or another approved client.

  • Such botnets have extremely high dormancy, and will frequently take into account numerous bots inside a botnet to be identified by an analyst with just one caught bot.
  • Commonly extraordinary types of the scrambled bot to bot correspondence over open distributed organizations are utilized related to a more perplexing C&C mainframe geography, (for example, in the TDL-4 botnet) to deliver such botnets that are especially hard to destroy.

Exploits Using C&C

  • Stealing of Information: Delicate information, for example, budgetary records, can be duplicated or moved to a hacker’s server.
  • Closure: An aggressor can close down one or a few machines, or in any event, shut down the entire organization’s network.
  • Reboot: Exploited PCs may out of nowhere and consistently may get to closure and reboot, which can disturb typical ongoing tasks.
  • Distribute Denial of Service: DDoS attacks overwhelm the server with numerous requests, or we can with huge internet traffic. Once a botnet is established, an attacker can instruct each bot to send a request to the targeted IP address, creating a traffic jam of request for the targeted address or targeted server. Thus, legitimate traffic is denied access. This type of attack can be used to take a website down.

C&C Detection

1. Observing all inbound and outbound traffic on a nonstop premise: The control explicitly proposes observing enormous exchanges of information or unapproved traffic, which may occur during the exfiltration period of an exploit.

2. Distinguishing abnormalities in network streams: The control suggests searching for inconsistencies in the organization traffic which might be demonstrative of malware action, (for example, C2 correspondences) or of already exploited machines.

3. Logging DNS inquiries and applying notoriety checks: The control proposes checking DNS demands for endeavors to determine known malevolent areas or endeavors to do C2 communications.

4. Utilizing boycotts: Use boycotts to deny correspondence from interior machines toward known malevolent hosts.

5. Putting away organization traffic: Putting away the organization traffic and cautions in logs examination frameworks for additional investigation and assessment, Capturing and breaking down netflow information to distinguish odd movement.

6. Distinguishing the unapproved utilization of encryption in network traffic: The reasoning here is that malware may utilize encryption to exfiltrate delicate information bypassing toolkits, (for example, DLPs) that depend on the examination of traffic content.

7. Hindering admittance: Hindering admittance to realized record move and email exfiltration locales. Looking for irregularities in rush hour gridlock designs.

8. Fragmenting the organization as indicated by trust zones: This action can be especially gainful in the event that it is broken down conceivable to unmistakably isolate high-hazard segments of the organization from high-esteem parts.

9. Guarantee that customers question interior DNS servers: Guarantee that the customer questions the interior DNS servers which can be observed and whose answers can be controlled to, for instance, forestall admittance to known malevolent or unapproved areas.

Controls For C&C

1. Screen all inbound and outbound traffic: All the more definitely, it is critical to review inbound traffic for indications of hacks that may prompt contamination, for ex-plentiful, drive-by-download, or phishing assaults. Outbound traffic ought to be broken down searching for signs that a C2 channel has been set up (information exfiltration, Command and Control registration, and so forth).

2. Recognize and review peculiarities in the organization’s traffic: The reasoning is that focused assaults depend on a foundation that is less inclined to be remembered for the most part accessible arrangements of pernicious endpoints or to utilize C2 methods (e.g., conventions) that are utilized additionally by broad malware. At that point, zeroing in on distinguishing abnormal traffic would empower protectors to get these novel dangers. There are two presumptions basic this proposal: directed assaults bring about strange traffic and abnormal traffic means that bargain. The two suppositions may be reexamined every now and then: we have seen that aggressors are concocting new techniques to “mix-in” with the typical traffic; the qualities of traffic on an organization may change as new administrations and gadgets are presented.

3. Gather explicit subsets of organization traffic: Gather explicit subsets of organization traffic specifically DNS questions and netflow information. Inspiration for this suggestion is that it might be simpler to gather such information, as opposed to setting up a full organization checking framework. As we have seen from our writing survey, a few methodologies have been contrived to distinguish C2 traffic dependent on these sources of info.

4. Engineer the organization: Engineering the organization helps to improve traffic checking and the enactment of reactions to assaults. For instance, by having a solitary gag point where all traffic goes through, an association is dissected can rearrange the full assortment of traffic and its investigation.

5. Screen network action: This will help to distinguish association endeavors to known-awful endpoints, i.e., IPs and areas that are known to be utilized in assaults. The reasoning is that admittance to these endpoints can be forestalled, expecting that proper components are set up (e.g., firewalls). The key perspective here is obviously that of making and keeping up exceptional arrangements of noxious endpoints.

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.




My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.