Most of today's malware calls back to a command and control (C&C) server after it is installed on a victim's computer. The C&C server is controlled by the threat actors, who use it to reach the installed malware and issue commands: stealing information such as bank credentials, installing spyware or keyloggers, or encrypting files for ransom (ransomware).
The C&C server has to be reachable somewhere on the Internet, and that is exactly what security researchers and law enforcement agencies are interested in taking down. Once security researchers identify the malicious site, botnets and C&C servers can be taken down with the help of law enforcement.
Technologies used to connect to C&C
The simplest design hardcodes the C&C addresses into the malware. This can be a single IP address for small downloaders, or multiple IP addresses for more sophisticated malware. With several addresses hardcoded, the malware has a better chance of reaching a live C&C server and completing the infection.
The reasoning is that a single IP address can host many base domains, each of which can house many subdomains, so an attacker can spread C&C infrastructure across the Internet in a spider-web fashion. Both attacker-owned and compromised legitimate domains are used this way, and with multiple addresses hardcoded the chance of success is higher than with a single one: when one IP address is taken down, the malware simply contacts the next one on its list, and so on.
Malware analysts can extract the hardcoded addresses during reverse engineering. These IP addresses and domains are analyzed daily and submitted for blacklisting: malicious domains are blacklisted outright, while compromised sites receive a temporary 72-hour block. Compromised sites are legitimate websites that have been attacked by threat actors and temporarily taken over. The 72-hour window is common across the industry because most prominent sites have their security team fix the vulnerability within that period.
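As an added example (not code from the original article, and not any vendor's tooling), the script below does the extraction step described above on a constructed stand-in for an unpacked malware image: it pulls out candidate IPv4 addresses and domain names, rejects look-alikes such as an address with an octet above 255, deduplicates, and returns them in the fallback order the malware would walk. The sample blob, its addresses (RFC 5737 documentation ranges) and its domains (RFC 2606 names) are all constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for an unpacked malware image: a few header bytes, then
# NUL-terminated strings of the kind a reverse engineer pulls out of the .data
# section. All addresses and domains are RFC 5737 / RFC 2606 documentation
# values, not real C&C infrastructure.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"   # fake executable header
    b"192.0.2.10\x00"                      # primary C&C address
    b"198.51.100.7\x00"                    # fallback C&C address
    b"update.example.com\x00"              # fallback domain
    b"cdn.example.net\x00"                 # another fallback domain
    b"192.0.2.10\x00"                      # duplicate, must be reported once
    b"999.1.1.1\x00"                       # looks like an IP but octet > 255
    b"1.2.3\x00"                           # too short to be IPv4
    b"not_a_domain\x00"                    # no dot / no TLD, must be ignored
    b"\xff\xfe\xfd"
)

# Dotted quad that is not glued to further digits or dots, so a longer
# dotted string such as "10.0.0.1.2" is not mis-read as an address.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# One or more labels, an alphabetic TLD of at least two characters, and an
# optional trailing dot (fully qualified form).
DOMAIN_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}\.?(?![A-Za-z0-9.-])"
)


def extract_ipv4(blob: bytes) -> list[str]:
    """Return hardcoded IPv4 literals, validated and deduplicated, in file order."""
    found: list[str] = []
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)   # rejects octets above 255
        except ValueError:
            continue
        if text not in found:
            found.append(text)
    return found


def extract_domains(blob: bytes) -> list[str]:
    """Return hardcoded domain names, lower-cased and deduplicated, in file order."""
    found: list[str] = []
    for match in DOMAIN_RE.finditer(blob):
        text = match.group().decode("ascii").lower().rstrip(".")
        if text not in found:
            found.append(text)
    return found


def contact_list(blob: bytes) -> list[str]:
    """The fallback order the text describes: IP addresses first, then domains.
    Each entry is what the malware would try next if the previous one is down."""
    return extract_ipv4(blob) + extract_domains(blob)


if __name__ == "__main__":
    for entry in contact_list(SAMPLE_BLOB):
        print(entry)
```

Real samples often store these strings obfuscated (XOR, stack strings, custom encodings), so this kind of scan is run over the decoded strings after unpacking; the validation and deduplication steps are the same either way.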
Attackers also use peer-to-peer (P2P) networking to gain resiliency and to evade vendor blacklists: instead of a fixed set of servers, C&C runs over a decentralized network of infected machines. Every victim in the P2P network holds, shares and receives the same data (peer lists and commands), so if one victim goes down the data still exists elsewhere in the network.
Although every computer in the P2P network is a compromised victim, not all of them can share or seed information, because firewalls and NAT block inbound connections. The victims that can seed are the ones we call nodes. If all nodes go down, the P2P network dies. In reality, however, these nodes cannot easily be taken down, since they are compromised but otherwise legitimate hosts, and as newly infected victims keep becoming nodes, killing the network gets harder still.
Initial (bootstrap) nodes are still required, and these are hardcoded in the malware. Taking down the initial nodes prevents further victims of the same malware variant from joining the network.
In the case of the Kelihos malware, new variants are generated continuously and each seems to ship with a fresh set of initial nodes, which makes the malware hard to kill even when no attacker activity is observed.
In a P2P network the attacker can simply tap into the network from any peer to issue commands. Today's security systems still rely mostly on blacklisted sites and web reputation, and these remain very powerful ways to block bad sites.
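The following is an added simulation (not code from the original article, and not modelled on any real family's protocol) of the three claims above: only bootstrap nodes are hardcoded, victims behind NAT cannot seed, and taking the bootstrap nodes down stops new infections from joining while the existing peers keep talking to each other. It also shows the Kelihos-style response, a new variant shipping with a fresh bootstrap list. Peer names, the gossip rule and the scenario are all constructed for the example.

```python
class Peer:
    """One infected machine. `can_seed` marks a victim that accepts inbound
    connections (what the text calls a node); victims behind NAT or a firewall
    can fetch peer lists but cannot serve them."""

    def __init__(self, name: str, can_seed: bool) -> None:
        self.name = name
        self.can_seed = can_seed
        self.alive = True
        self.known: set[str] = set()   # the peer list this infection holds


class P2PBotnet:
    """Toy model of the network: the only addresses in the binary are the
    bootstrap nodes; everything else is learned from peers."""

    def __init__(self, bootstrap: list[str]) -> None:
        self.bootstrap = list(bootstrap)
        self.peers: dict[str, Peer] = {}
        for name in bootstrap:
            node = Peer(name, can_seed=True)
            node.known = set(bootstrap) - {name}
            self.peers[name] = node

    def _alive_seeder(self, name: str) -> bool:
        peer = self.peers.get(name)
        return peer is not None and peer.alive and peer.can_seed

    def infect(self, name: str, can_seed: bool) -> bool:
        """A fresh victim asks the hardcoded bootstrap nodes for their peer lists.
        If none of them answer, it never joins the network."""
        newcomer = Peer(name, can_seed)
        for boot in self.bootstrap:
            if not self._alive_seeder(boot):
                continue
            node = self.peers[boot]
            newcomer.known |= node.known | {boot}
            if can_seed:
                node.known.add(name)   # only seeders are worth advertising
        newcomer.known.discard(name)
        if not newcomer.known:
            return False
        self.peers[name] = newcomer
        return True

    def gossip(self, rounds: int = 1) -> None:
        """Every live peer swaps peer lists with each live seeder it knows."""
        for _ in range(rounds):
            for name in sorted(self.peers):
                peer = self.peers[name]
                if not peer.alive:
                    continue
                for other in sorted(peer.known):
                    if not self._alive_seeder(other):
                        continue
                    node = self.peers[other]
                    peer.known |= node.known
                    node.known |= {q for q in peer.known if self._alive_seeder(q)}
                    if peer.can_seed:
                        node.known.add(name)
                    peer.known.discard(name)
                    node.known.discard(other)

    def takedown(self, name: str) -> None:
        self.peers[name].alive = False

    def reachable_seeders(self, name: str) -> int:
        """How many live seeders this peer can still contact."""
        return sum(1 for q in self.peers[name].known if self._alive_seeder(q))


def build_scenario() -> dict:
    net = P2PBotnet(bootstrap=["boot1", "boot2"])
    for i in range(6):                       # even victims can seed, odd ones sit behind NAT
        net.infect(f"victim{i}", can_seed=(i % 2 == 0))
    net.gossip(rounds=2)
    before = {n: net.reachable_seeders(n) for n in net.peers}

    net.takedown("boot1")                    # the hardcoded nodes get taken down
    net.takedown("boot2")
    after = {n: net.reachable_seeders(n) for n, p in net.peers.items() if p.alive}
    join_after_takedown = net.infect("victim6", can_seed=True)

    net.bootstrap = ["victim2", "victim4"]   # new variant ships fresh bootstrap nodes
    join_with_new_variant = net.infect("victim7", can_seed=True)
    return {
        "before": before,
        "after": after,
        "join_after_takedown": join_after_takedown,
        "join_with_new_variant": join_with_new_variant,
    }


if __name__ == "__main__":
    for key, value in build_scenario().items():
        print(key, value)
```

After the bootstrap nodes are removed, every surviving peer still knows at least two live seeders and the network keeps working, but a newly infected machine running the old variant has nobody to ask and never joins; a re-issued variant pointing at surviving seeders joins immediately.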
To evade detection and gain further C&C resiliency, threat actors now also use Domain Generation Algorithms.
Domain Generation Algorithm (DGA)
Using the current date and a seed value, a DGA deterministically generates a list of domains to which an infected computer tries to connect.
A different list can be generated every day, each entry a unique, pseudo-random alphanumeric name. The threat actors preselect one or several of the generated domains, register them shortly before they are due, and set them up for malicious services or C&C. Because they know exactly when contact will be made, the malware only needs a short burst of connection attempts against the day's generated domains, with a high success rate.
By the time law enforcement has investigated one bad domain, the attackers have typically already moved on to the next, before the previous one can be shut down.
The advantage for security researchers, however, is that once the DGA and its seed are extracted from the malware, the lists for the following days can be predicted.
Security researchers usually submit these predicted domains to what we call sinkholes (https://en.wikipedia.org/wiki/DNS_sinkhole), so that infected machines end up connecting to a server the defenders control instead of the attackers' C&C.
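As an added, self-contained example (not the article's code and not any real family's algorithm), the script below implements a date-and-seed DGA of the kind described, then does the defender's side: it pre-computes the domains for the coming days from the recovered seed and checks a constructed DNS query log against that predicted set, which is exactly the list that would be handed to a sinkhole or a blocklist. The seed, the TLD set, the hash-based derivation, the log format and the client addresses are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Illustrative seed and TLD set, constructed for this example; a real family
# ships its own seed and typically changes it per variant.
SEED = 0x5EED1234
TLDS = ("com", "net", "info")


def generate_domains(day: str, seed: int = SEED, count: int = 10) -> list[str]:
    """Derive `count` domains for the ISO date `day` ('YYYY-MM-DD') from
    (seed, date). The derivation is a hash of the inputs, so anyone holding
    the seed gets exactly the same list: the infected host and the analyst."""
    day = date.fromisoformat(day).isoformat()   # validate and normalise
    domains = []
    for index in range(count):
        material = f"{seed:08x}|{day}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # 12 digest bytes become lowercase letters; the 13th picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_window(start: str, days: int, seed: int = SEED, count: int = 10) -> dict[str, str]:
    """Defender side: with the algorithm and seed recovered from the sample,
    pre-compute the coming days' domains so they can be sinkholed or blocked.
    Maps each domain to the ISO date on which the malware will use it."""
    first = date.fromisoformat(start)
    predicted: dict[str, str] = {}
    for offset in range(days):
        day = (first + timedelta(days=offset)).isoformat()
        for domain in generate_domains(day, seed, count):
            predicted[domain] = day
    return predicted


def build_sample_log(day: str) -> list[str]:
    """Constructed DNS query log, format '<timestamp> <client> <qname>': two
    benign queries, one query for that day's fourth generated domain (as an
    infected host would issue), and one malformed line."""
    dga_domain = generate_domains(day)[3]
    return [
        f"{day}T09:00:01 10.0.0.5 www.example.com.",
        f"{day}T09:00:02 10.0.0.7 {dga_domain}.",
        f"{day}T09:00:03 10.0.0.5 mail.example.org.",
        "malformed line",
    ]


def match_dns_log(log_lines: list[str], predicted: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag (client, qname, scheduled day) for every query to a predicted domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        _stamp, client, qname = parts
        qname = qname.rstrip(".").lower()  # strip the FQDN trailing dot
        if qname in predicted:
            hits.append((client, qname, predicted[qname]))
    return hits


if __name__ == "__main__":
    today = date.today()
    window = predict_window(today.isoformat(), days=3)
    tomorrow = (today + timedelta(days=1)).isoformat()
    for client, qname, day in match_dns_log(build_sample_log(tomorrow), window):
        print(f"{client} queried {qname} (scheduled for {day})")
```

Two properties carry the whole argument: the same (seed, date) always yields the same list, which is why the attackers can pre-register a domain and the defenders can pre-sinkhole it; and a different seed yields an unrelated list, which is why a re-seeded variant forces the analysis to be redone.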