I recently attended the Black Hat USA 2012 in Las Vegas. During the conference, I focused my attention on cyberespionage. This involves attackers who are on a mission with well-defined objectives. They are a source of persistent, targeted attacks. I learned a lot about command and control during my training. Command and control — also known as C&C or C2 — is a major component of the cyber kill chain.
I had the opportunity to build two different command-and-control servers during my training at Black Hat — one with Zeus and one with Poison Ivy. Zeus is designed from the ground up as malware: it facilitates identity theft and leverages the stolen identities to take money or intellectual property.
Poison Ivy is actually called “Poison Ivy: Remote Administration Tool” by the author. At one time he expressed shock that it was being used by foreign governments to spy on their own people. It is more suited to remote access and surveillance than to scripted attacks.
The Zeus server took a long time to set up, partly because of network issues. We started with blank virtual machines (VMs) and built a Linux server from the ground up. The nice thing about that approach is that it makes the build reproducible. With a good network connection, it should be possible to build a server in an hour or two. By contrast, with no preparation, Poison Ivy takes five minutes to set up and deploy.
Zeus has exploit capabilities that are well suited to robbing banks; it also has surveillance capabilities and many add-ons. Backconnect — an optional plug-in module for Zeus that provides additional capabilities — makes it possible to proxy traffic through the victim’s computer. Integration with instant messaging via Jabber helps the attacker get to a keyboard when a window of opportunity opens up.
Setting up a botnet is surprisingly quick, so an intruder could easily learn and deploy several technologies in their attack. Infecting multiple systems with different technologies, using different attack vectors, would help the attacker maintain a foothold after an intrusion is discovered.
A bot can be transferred from one C2 server to another. Thieves are starting to sell bots to spies. Malware that comes in via typical, untargeted channels can later serve as the foothold for a targeted attack. It’s important for an organization to know whether it has a typical infection or is under a targeted attack. It’s like knowing the difference between an ear infection and cancer, as you will see in my post about remediation.