Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of command-and-control (C&C) servers, as used in botnets, targeted attacks, and in attacks against the broader Internet user base.
We are able to combine various threat intelligence sources, including feedback from the Trend Micro™ Smart Protection Network™, to get a glimpse of C&C server activity (this activity is displayed in real time on the Global Botnet Map). Our findings below reflect the information we gathered throughout 2014. We are able to examine the location of C&C servers, the location of endpoints, and the malware families that use these servers.
So what can we learn from these numbers, and can IT professionals help reduce this threat?
Malware using more ways to ensure server communication
We identified the most commonly used malware families, ranked by the number of command-and-control servers tied to each family. For all C&C server activity, these were the most commonly used families:
For targeted attacks, these were the most commonly seen families:
Some trends can be seen from these numbers:
- Malware families that use domain generation algorithms (DGAs), such as CRILOCK, are well-represented in the lists, highlighting their popularity. Despite the differences in underlying behavior (crypto-ransomware versus information stealers), DGAs are popular because they make blocking of malicious domains more difficult with relatively little additional effort on the part of attackers.
- Compromised sites are also popular C&C servers. ZeuS/ZBOT and RODECAP are both known to use compromised sites for their C&C servers, and both families are known to use this particular tactic extensively.
- Similarly, free web hosting providers and dynamic IP redirection services are commonly used by some malware families such as NJRAT and DarkComet.
- Many remote access tools (RATs) that were initially used in targeted attacks are now being used in various cybercrime-related attacks as well. This highlights the increased availability of these RATs, as well as the low entry barrier to registering and setting up C&C domains.
Taken together, these developments show how attackers are adopting more techniques to try to obfuscate the C&C servers under their control. This can make forensic analysis of these attacks much more difficult, making detection and attribution potentially problematic.
Location of Servers
Attackers’ efforts to obfuscate their infrastructure have made attributing attacks via C&C servers difficult, if not impossible. As a result, attribution based solely on C&C server location is not reliable. Further threat intelligence must be acquired before any conclusions about attribution can be made.
Our findings on the locations of C&C servers reflect this: most C&C servers are not located in countries thought of as cybercrime havens. Instead, their distribution broadly mirrors the wider Internet landscape: countries with plentiful infrastructure to host servers of any kind are also popular with cybercriminals.
Table 1. Locations of C&C servers (all C&C activity)
Table 2. Locations of C&C servers (targeted attacks only)
Effects of compromised servers
Owners of compromised servers should be aware of the possible repercussions to their own networks so long as their systems are being abused to act as command-and-control servers. Some of these possible repercussions include:
Potential theft of server/organization information
A server may contain or have access to valuable company information. Once a server is under the control of an attacker in this manner, that information can be stolen very easily.
In addition, a compromised server can be used by an attacker as a valuable jumping-off point for lateral movement. A server under the control of an attacker is a valuable foothold into a network; this could lead to an even more disastrous large-scale data breach.
Disruption to legitimate services
The presence of C&C software on a server may disrupt legitimate applications, by using up CPU or memory resources normally used by legitimate functions. Normal services may be delayed, suspended, or stop running entirely.
Misuse of future resources
An administrator unaware of the scope of C&C activity within their network may invest resources into improvements that are not justified by the company’s business requirements. Rather than helping the organization, this would help the attackers, as they would gain access to improved resources for their attacks.
The importance of C&C communications detection
A C&C infrastructure is a critical component of an attacker's toolkit for perpetrating crime, because it provides the dedicated connection between the attacker and the victims' network. This makes it a key opportunity to break the infection chain. Since C&C systems could be located anywhere within a network, Trend Micro has added C&C communications detection capabilities into most of our solutions today, including OfficeScan, Deep Security, Deep Discovery, and our messaging and gateway solutions. This additional layer of protection allows our customers to identify new sources of infection and mitigate a potential breach quickly.
Cybercriminals and other threat actors have made significant advances in obfuscating the locations of their C&C servers. This means that attributing attacks to parties based only on their C&C server location is problematic; such conclusions should be drawn only with additional threat intelligence, where available.
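The DGA trend noted in the list above and the case for C&C communications detection made here both come down to spotting algorithmically generated domains in network telemetry. The following is an added example (not code from the original post or from any Trend Micro product) of a simple, defender-side heuristic applied to constructed DNS query log lines; the log format, thresholds and domain names are all assumptions, and a real deployment would use the Public Suffix List rather than the naive label extraction shown.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log, one query per line (not from the original post):
# "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2014-09-01T10:00:01Z 10.0.0.5 www.example.com
2014-09-01T10:00:02Z 10.0.0.5 qmxzkrtpwvlbgyd.net
2014-09-01T10:00:03Z 10.0.0.7 mail.example.org
2014-09-01T10:00:04Z 10.0.0.7 hf7k2pq9zt3x.com
2014-09-01T10:00:05Z 10.0.0.9 updates.vendor-placeholder.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(fqdn: str) -> str:
    """Second-level label, e.g. 'example' for www.example.com.
    Assumes a single-label public suffix (simplification; use the PSL in practice)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label: str) -> float:
    """Heuristic score: high entropy, few vowels and many digits are typical of
    algorithmically generated labels. Each signal adds 1.0; thresholds are assumptions."""
    if not label:
        return 0.0
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    score = 0.0
    if shannon_entropy(label) > 3.3:
        score += 1.0
    if len(label) >= 10 and vowels / len(label) < 0.2:
        score += 1.0
    if digits / len(label) > 0.25:
        score += 1.0
    return score

def flag_suspicious(log_text: str, threshold: float = 2.0):
    """Return (client_ip, fqdn, score) for queries whose label scores >= threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, fqdn = m.groups()
        score = dga_score(registered_label(fqdn))
        if score >= threshold:
            hits.append((client, fqdn, score))
    return hits
```

Requiring two signals rather than entropy alone keeps long but legitimate hyphenated names such as the constructed "vendor-placeholder" below the threshold; flagged clients are candidates for host investigation, not automatic blocking.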
This ability to hide C&C server locations is evident from our data. The location of servers broadly matches those of countries with well-developed Internet infrastructure that supports large numbers of servers.
Update as of March 5, 2015, 07:59 AM PST
The blog post has been updated to clarify the difference between botnet activity and C&C activity.