Few topics in current cybersecurity generate as much press as command and control servers (C2s). They enable the cybercrime that often affects companies and individuals far outside the IT industry.

As we bring machines and networks into the most intimate corners of our lives and every facet of business, we also bring their associated threats. For example, those devices can be transformed into an army that serves others’ malicious purposes. We may have paid for the devices, but attackers often use them, without our knowledge or consent.

For that reason, learning the fundamentals and a few details about C2s benefits nearly everyone.

What Is a Command and Control Server?

Command and control servers (C2s) are the brains of the malware operation. Currently most malware does not utilize AI – though some are already planning for that eventuality. That means most malware requires someone or something to issue commands and receive stolen data. C2s do this. They serve as attackers’ remote controls.

Whether it’s directing a botnet or transmitting stolen output to the end user, a C2 enables communication between the attacker and the target. The target could be one device, hundreds within one system or hundreds of thousands.

Because of this, establishing and maintaining a C2 connection is an essential step for threat actors. Without it, they’d only be able to do half their dirty job. Attackers need to execute commands in order to control the outcome.

Four main types of C2s are used today: a centralized server under their physical control by the attacker, bulletproof hosting, social networks, and cloud services.

Within each of these environments, C2s usually control botnets.

What’s a Botnet?

You’ve probably heard of a “botnet.” The term comes from the words “robot” and “network.” A botnet is a network of malware-infected, autonomous devices (computers, IoT devices, or smart phones) that threat actors connect through the Internet, and then use to do their bidding.

Some botnets are quite sophisticated; all vary in size and complexity.

You’ve probably heard about botnets because of their adaptability. It makes them handy tools for ransomware, root kits and other malware. Consequently, botnet attacks have steadily increased. Now they’re perhaps the most prevalent cybersecurity threat.

Botnets come in different forms or topologies:

• star, a centralized system with one C2 that connects to each bot in its network;
• multiserver, which for redundancy uses multiple C2s;
• hierarchical wherein multiple C2s are arranged into a tiered system that allows for bots doing different, coordinated tasks, as well as more difficult detection of its entire system;
• and random, which is often P2P/peer-to-peer, dynamic and communicates across multiple paths, making the cybersecurity team’s job much harder.

C2 botnet attacks are highly resilient. And all that aforementioned variety lends itself to a variety of malicious activity – denial of service attacks, spamming, identity and data theft, brute force attacks, and traffic monitoring.

Just as we call the devices in a botnet “bots” (or “zombies”), you can call the attacker who controls them a “bot herder” or “botmaster”. As if individual bot herders didn’t pose enough threat, many are also effectively bot brokers. They rent botnets to other cybercriminals so they can gain control of compromised machines.

Shutting down these operations can be difficult, but each success brings great gains to the entire Internet community.

How to Manage Threats from Command and Control Servers?

Knowing C2 addresses can help protect against malicious activities and coordinated attacks. With that information, companies can block access, create alerts on their systems or investigate communications between C2s and samples.

These days, the average age of a C2 is about a month. So it’s best to stay on top of monitoring. Malware Patrol has a data feed that’s updated hourly. Using this kind of feed will keep potential targets informed and benefit their defenses.

C2s may be ubiquitous, but they’re not invincible.

By Tenea D. Johnson

Founder, Progress By Design