Paper: C&C-As-A-Service

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015.

C&C-As-A-Service: Abusing Third-Party Web Services As C&C Channels

Here’s the abstract:

A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an easy task. Coincidentally, malware operators aren’t the only ones interested in secure and reliable communication. Popular web services also want to provide their customers with a secure and reliable service. Add to that the fact that popular web services generate large amounts of indistinguishable web traffic to blend into and it starts to sound irresistible. Unsurprisingly then, recent years have seen a growing trend among malware operators of abusing third-party web services such as Twitter, Facebook, and Gmail as command and control channels.

This paper explores the multitude of ways in which modern malware abuses third-party web services as command and control channels. Through real-life examples – from common cybercrime to targeted nation-state espionage – the paper provides a comprehensive overview of both the methods employed by malware and the web services most commonly abused. This paper further analyses the benefits and disadvantages that are provided to malware operators when they abuse third-party web services as command and control channels. Finally, this paper also examines the challenges that such methods pose to the detection and prevention of malware.

Slides from Artturi’s presentation can be downloaded at Virus Bulletin.

The paper can be downloaded here: C&C-As-A-Service [PDF].
