Command and control (malware)


In the field of computer security, command and control (C&C) infrastructure consists of servers and other technical infrastructure used to control malware in general, and, in particular, botnets. Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware. Fast-flux DNS can be used as a way to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with domain generation algorithms being used to create new DNS names for the control servers.
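The two evasion techniques named above, fast-flux DNS and domain generation algorithms (DGAs), both leave traces in passive DNS data that a defender can look for. The following added example (not part of the original article) reads a constructed resolver log and applies two illustrative heuristics: a fast-flux check that looks for names answered with many distinct addresses at a low TTL, and a DGA check that scores the registrable label by Shannon entropy and vowel ratio. The log format, the sample records and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict
from typing import List, NamedTuple

# Constructed sample resolver log (not real traffic). Each line is:
# <unix timestamp> <query name> <answer TTL> <resolved address>
SAMPLE_DNS_LOG = """\
1700000000 update.example-cdn.test 3600 203.0.113.10
1700000060 update.example-cdn.test 3600 203.0.113.10
1700000120 xk3j9qpl2vwz8fh.test 300 198.51.100.7
1700000180 xk3j9qpl2vwz8fh.test 300 198.51.100.9
1700000240 xk3j9qpl2vwz8fh.test 300 198.51.100.33
1700000300 xk3j9qpl2vwz8fh.test 300 203.0.113.77
1700000360 xk3j9qpl2vwz8fh.test 300 203.0.113.78
1700000420 www.example.test 86400 192.0.2.1
"""


class DnsRecord(NamedTuple):
    ts: int
    name: str
    ttl: int
    addr: str


def parse_dns_log(text: str) -> List[DnsRecord]:
    """Parse the whitespace-separated constructed log format above."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name, ttl, addr = line.split()
        records.append(DnsRecord(int(ts), name.lower().rstrip("."), int(ttl), addr))
    return records


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name: str) -> str:
    """Label immediately left of the TLD; a simplification of public-suffix handling."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(name: str) -> dict:
    """Illustrative DGA heuristic: machine-generated labels tend to have high
    entropy and few vowels. Thresholds are assumptions, not tuned values."""
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in "aeiou" for c in letters) / len(letters)) if letters else 0.0
    entropy = shannon_entropy(label)
    suspicious = entropy >= 3.5 or (len(label) >= 8 and vowel_ratio < 0.15)
    return {"label": label, "entropy": round(entropy, 2),
            "vowel_ratio": round(vowel_ratio, 2), "suspicious": suspicious}


def suspected_dga_names(records: List[DnsRecord]) -> List[str]:
    return [n for n in sorted({r.name for r in records}) if dga_score(n)["suspicious"]]


def fast_flux_candidates(records: List[DnsRecord], min_unique_ips: int = 4,
                         max_ttl: int = 600) -> List[str]:
    """Names that resolved to many distinct addresses while every answer carried
    a short TTL, the pattern fast-flux hosting produces in passive DNS data."""
    ips = defaultdict(set)
    max_seen_ttl = {}
    for r in records:
        ips[r.name].add(r.addr)
        max_seen_ttl[r.name] = max(max_seen_ttl.get(r.name, 0), r.ttl)
    return sorted(n for n, s in ips.items()
                  if len(s) >= min_unique_ips and max_seen_ttl[n] <= max_ttl)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA-like names:", suspected_dga_names(recs))
    print("Fast-flux candidates:", fast_flux_candidates(recs))
```

In the constructed sample the same name trips both checks, which is the useful signal: a high-entropy label that also cycles through addresses at a 300-second TTL is worth a closer look, whereas the CDN-style name with a single stable address and the plain `www` record score as benign under both heuristics. In production the entropy and vowel thresholds would be calibrated against the organisation's own traffic, and a real public-suffix list would replace `registrable_label`.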

In some cases, computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself. In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as IRC or Tor, using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network.

A command and control channel is defined by the communication methods it is built on. These architectures have evolved over time, and not all C&C infrastructures use the same topology. More advanced topologies are more resilient to shutdown, enumeration and discovery, but some topologies limit the marketability of the botnet to third parties. Typical botnet topologies are star, multi-server, hierarchical and random.

The client–server model appeared in the first botnets to come online and has usually been built on Internet Relay Chat (IRC) or on domains or websites where the commands for the botnet are listed. Commands tend to be simpler and botnets tend to be smaller when built on an IRC network. Since IRC networks require little bandwidth and use simple communication methods, they have also been used to host botnets, which tend to be simple in construction. They have been used many times to coordinate DDoS attacks or spam campaigns, switching channels to avoid being taken down. However, blocking certain keywords has sometimes proved effective in stopping an IRC-based botnet.
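The keyword blocking mentioned above works because IRC is a plain-text, line-oriented protocol, so a network sensor can parse each message and match its payload against bot command patterns. The following added example (not part of the original article) parses a constructed IRC log in the RFC 1459 message format and compares a naive substring match with a match anchored to the command position of the message, then counts hits per channel. The sample traffic, the keyword list and the command prefix characters are assumptions chosen for the example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed IRC traffic sample (not a real capture). Each line follows the
# RFC 1459 layout: [:prefix] COMMAND params [:trailing]
SAMPLE_IRC_LOG = """\
:alice!a@203.0.113.5 PRIVMSG #chat :anyone around?
:bob!b@203.0.113.6 PRIVMSG #chat :yes, hi
:h4ndl3r!h@198.51.100.9 TOPIC #ctl :.update http://198.51.100.9/payload.bin
:h4ndl3r!h@198.51.100.9 PRIVMSG #ctl :.scan.start 10.0.0.0/8
:h4ndl3r!h@198.51.100.9 PRIVMSG #ctl :.spam.send list1
:alice!a@203.0.113.5 PRIVMSG #chat :did you .update your client?
"""


class IrcMessage(NamedTuple):
    nick: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix nick, command, params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    nick = prefix.split("!")[0] if prefix else None
    return IrcMessage(nick, command, parts[1:], trailing)


# Assumed bot command vocabulary for the example; a real sensor would carry a
# curated list. Commands are expected at the start of the payload, prefixed
# by "." or "!", optionally followed by a sub-command such as ".scan.start".
BOT_KEYWORDS = ("ddos", "scan", "spam", "update", "download")
BOT_COMMAND = re.compile(r"^[.!](?:%s)\b" % "|".join(BOT_KEYWORDS), re.IGNORECASE)
TEXT_COMMANDS = ("PRIVMSG", "NOTICE", "TOPIC")


def naive_keyword_hits(messages: List[IrcMessage]) -> List[IrcMessage]:
    """Substring match anywhere in the payload: catches bot traffic but also
    ordinary chat that merely mentions a keyword."""
    return [m for m in messages
            if m.trailing and any(k in m.trailing.lower() for k in BOT_KEYWORDS)]


def command_hits(messages: List[IrcMessage]) -> List[IrcMessage]:
    """Match only payloads shaped like a bot command, in message types that
    carry text to a channel (TOPIC is included because some bots poll it)."""
    return [m for m in messages
            if m.command in TEXT_COMMANDS and m.trailing and BOT_COMMAND.match(m.trailing)]


def suspicious_channels(messages: List[IrcMessage], min_hits: int = 2) -> Dict[str, int]:
    """Channels with repeated command-shaped traffic, a stronger signal than a
    single hit and a reasonable unit for a block or alert rule."""
    counts = Counter(m.params[0] for m in command_hits(messages) if m.params)
    return {chan: n for chan, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    msgs = [parse_irc_line(l) for l in SAMPLE_IRC_LOG.splitlines() if l.strip()]
    print("naive hits:", len(naive_keyword_hits(msgs)))
    print("command-shaped hits:", len(command_hits(msgs)))
    print("suspicious channels:", suspicious_channels(msgs))
```

On the constructed sample the naive match flags four lines, including Alice asking a friend whether they updated their client, while the anchored match flags only the three command-shaped lines and attributes all of them to `#ctl`. This is the trade-off behind keyword blocking: matching too loosely disrupts legitimate users, while anchoring on the command syntax keeps false positives down but is defeated as soon as the operator changes the prefix or vocabulary, which is why the article notes the technique has only sometimes been effective.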

Wikipedia