command-and-control server (C&C server)

Share This
Categories: Cyber Security

A command-and-control server (C&C server) is a computer that issues directives to digital devices that have been infected with rootkits or other types of malware, such as ransomware. C&C servers can be used to create powerful networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data in order to carry out an extortion scheme. In the past, a C&C server was often under an attacker’s physical control and could remain active for several years. Today, C&C servers generally have a short shelf life; they often reside in legitimate cloud services and use automated domain generation algorithms (DGAs) to make it more difficult for law enforcement and white hat malware hunters to locate them.

A malicious network under a C&C server’s control is called a botnet and the network nodes that belong to the botnet are sometimes referred to as zombies. In a traditional botnet, the bots are infected with a Trojan horse and use Internet Relay Chat (IRC) to communicate with a central C&C server. These botnets were often used to distribute spam or malware and gather misappropriated information, such as credit card numbers.

Popular botnet topologies include:

  • Star topology – the bots are organized around a central server.
  • Multi-server topology – there are multiple C&C servers for redundancy.
  • Hierarchical topology – multiple C&C servers are organized into tiered groups.
  • Random topology – co-opted computers communicate as a peer-to-peer botnet (P2P botnet).

Since IRC communication was typically used to command botnets, it is often guarded against. This has motivated the drive for more covert ways for C&C servers to issue commands. Alternative channels used for botnet command include JPG images, Microsoft Word files and posts from LinkedIn or Twitter dummy accounts.