Malicious Implications of Command and Control (C&C) Capable Malware

By Special Guest
Steve Gates, Chief Research Analyst, NSFOCUS

As of the writing of this article, industry researchers have recently identified a new piece of Android (News - Alert) malware reportedly infecting millions of Android devices around the world. According to the initial malware research, “Once [the malware permissions are] elevated to root, the malware establishes communication with one of its C&C servers. From the server, the malware downloads a list of malicious Android application packages.”  It appears the malware in this case was used to increase advertisement revenue for the perpetrators. However, could the malware infected devices create even more havoc?

When I first reviewed the aforementioned research, the main characteristic of the malware that raised my brow was the capability to establish and maintain long-term command and control (C&C) over these devices. Command and control can be explained as “Remote attackers having complete control of your device without your knowledge.”  Once C&C is established and maintained, it allows attackers to do whatever they want with the infected devices in their collections.

Any piece of malware that utilizes C&C does enable some pretty scary scenarios.  It’s not the malware itself that scary, but rather what can be done with the millions of devices attackers have compromised through C&C methods.   From spreading more malware, to stealing data on the device, to capturing keyboard input, to building bigger-and-bigger botnets, it’s really up to the attacker to determine what they do with the infected machines at their disposal. In addition, a huge portion of the infected devices in the case mentioned above likely have 4G LTE (News - Alert) capabilities.  4G LTE allows those devices to realistically have more bandwidth at their disposal than what is typically found in most homes.  The implications of the potential number of C&C-enabled devices, in addition to the amount of bandwidth at their disposal, could allow attackers to build a botnet with significant and overwhelming DDoS attack firepower.

Although reports differ, the largest DDoS attacks on record are somewhere between 500-600 Gbps.  Most of these reported attacks were a combination of NTP or SSDP reflective/amplified DDoS attacks during which attackers capitalized on the amplification factor those protocols provide.  This type of DDoS attack allowed attackers to ramp up packet sizes with smaller numbers of botnet infected machines; effectively filling up large numbers of 10G Internet pipes with bogus traffic.  In all of these cases, attackers had C&C access to a large number of infected devices.  Using C&C communications, botnet infected machines were instructed by attackers to begin taking part in a concerted attack, and were capable of generating massive amounts of DDoS attack traffic.

Building enormous botnets of Android devices (or any other operating system) with C&C enabled could allow attackers to easily move beyond reflective/amplified DDoS attacks.  When millions of devices are being controlled remotely, amplification of attack traffic becomes less of a concern for attackers.  Since attackers potentially have C&C access to millions of devices, simply instructing those devices to go to a victim’s websites, could generate enough traffic to easily take those sites offline by filling pipes, and consuming all available resources.  This is where the scenario gets even more interesting.

One of the most difficult DDoS attacks to defeat is when all attacking devices use real IP addresses. In this case, the millions of DDoS attacking devices are not spoofing their IP addresses, and will respond to almost any L3/L4 challenge. (Which means they will act like real devices, not botnet infected devices.) How do you determine if a device is being run by a legitimate user vs. a malicious attacker?  That’s no easy task, since every device and their traffic appears to be from a “legitimate” device. 

How can organizations protect themselves from this growing and potentially crippling menace of large numbers of Android devices with C&C enabled? Trying to protect oneself from these devices by blocking large parts or the Internet’s IPv4 space will end up doing little more than blocking legitimate users. This is where global threat research, real-time IP threat intelligence, and industry-level information sharing can be utilized to help solve this problem.

Organizations that perform global threat research build huge lists of known malicious IP addresses, as well as C&C servers from their observations and research. Next, organizations share that information across their customer base in the form of real-time IP threat intelligence feeds.  Once obtained, customers then apply the IP threat intelligence to their anti-DDoS systems, NGIPS, WAF, etc. to help defeat the malicious intent these machines represent by blocking all traffic originating from the IP addresses of infected devices obtained from these feeds.

Other independent researchers who discover infected devices with C&C enabled should feel compelled to share that information with others.  Regardless of whether that information is commercially or freely available, that information has tremendous value to those looking to protect themselves from this threat vector. Many organizations would likely be willing to pay for the information independent researchers would be willing share.

Finally, it is recommended that organizations select vendors who not only provide IP threat intelligence feeds, but also do their own research and have agreements in place with other research firms; including their IP threat intelligence by way of supplementary intelligence feeds.  In addition, organizations need to insure their on-premises defense technologies (i.e. anti-DDoS, NGIPS, WAF) have the ability and capacity to update themselves regularly and frequently with the information included in the IP threat intelligence feeds.  In the industry we call this actionable intelligence – using intel to provide “real” protection.

About the Author

Stephen Gates, Chief Research Analyst at NSFOCUS,  is a recognized Subject Matter Expert on DDoS attack tools and methodologies, including next-generation defense approaches.