Malware Analysis #8 - C&C explanation

  • Thread starter Deleted member 21043
Status
Not open for further replies.
Hi everyone,

Previous article: Malware Analysis #7 - Bytes and HEX

This is only a quick thread update; I am currently working on another thread which actually goes more in-depth with malware analysis. It's linked to HEX, and will include using it to analyse a malware sample.

Anyway, this thread is here to explain what a C&C server is, and what they are used for:

C&C/CnC stands for Command and Control. It's used by malware to be guided on what it should do. For example, it may be a Houdini worm or any other threat; however, the Houdini may connect to the C&C and it will be sent instructions on what it should do. This may include information theft, the uploading of the user's files, downloading more malware (trojan downloader), and so on.

Commonly, they are used by botnets, but of course it doesn't have to be a botnet to take advantage of C&C servers... Many malware samples use the technique to be instructed on what information it should steal, etc.

Overview of what C&C servers may be used for (there are many uses, I will list some below):
- Send what Operating System the user is running
- Retrieve the Antivirus currently installed on the system
- Download more malware (of course it doesn't require a C&C server for this but it may use one)
- Send whether it has spread the sample (e.g. if it was a Houdini worm)
- View files on your system and send this information back
- Execute a new process
- Kill a process
- Send a list of processes currently active in memory
- Update the payload
- Create startup entries
- Even uninstall itself from the system

If anything is incorrect as usual, correct it by letting me know to edit it!
Cheers. ;)
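
A defender's view of the check-in behaviour described in the post above, as an added example that is not part of the original thread: it scans proxy-style log lines for a client that contacts the same destination at near-regular intervals. The regular-interval behaviour is an assumption not stated in the post, and the log format, addresses, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log ("timestamp client destination"); not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 c2.example.invalid
2024-01-01T10:00:05 10.0.0.7 www.example.com
2024-01-01T10:00:09 10.0.0.7 www.example.com
2024-01-01T10:01:01 10.0.0.5 c2.example.invalid
2024-01-01T10:02:00 10.0.0.5 c2.example.invalid
2024-01-01T10:02:40 10.0.0.7 www.example.com
2024-01-01T10:02:41 10.0.0.7 www.example.com
2024-01-01T10:03:02 10.0.0.5 c2.example.invalid
2024-01-01T10:04:01 10.0.0.5 c2.example.invalid
2024-01-01T10:05:00 10.0.0.5 c2.example.invalid
2024-01-01T10:09:13 10.0.0.7 www.example.com
garbled line that should be skipped
"""

def parse(log_text):
    """Yield (timestamp, client, destination); skip malformed lines."""
    for line in log_text.splitlines():
        try:
            ts, client, dest = line.split()
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # wrong field count or unparsable timestamp
        yield when, client, dest

def find_beacons(log_text, min_events=5, max_jitter=0.1):
    """Return {(client, dest): mean gap in seconds} for regular check-ins."""
    # Assumption: a C&C check-in repeats at a steady interval, while
    # human-driven browsing produces irregular gaps between requests.
    seen = defaultdict(list)
    for when, client, dest in parse(log_text):
        seen[(client, dest)].append(when)
    hits = {}
    for pair, times in seen.items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits
```

Calling `find_beacons(SAMPLE_LOG)` flags only the 10.0.0.5 to c2.example.invalid pair; the irregular browsing from 10.0.0.7 is not reported.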
 