What are the “Command and Control”, “C2 Server” servers for malware?


2021-05-10 15:11:58

If you regularly read the articles in the “Network attack” section on Network Administration, you will have come across phrases such as “command and control server”, “C2 server”, or “C&C server”, especially in articles about malicious code.

So what do these phrases refer to, and what do they mean? Let’s find out.

What is Command and Control?

In network security, one of the most common ways cybercriminals distribute and control malware on targeted systems is a “Command and Control” server. Command and Control, also known as C2 or C&C, means the attacker uses a central server to stealthily deliver malware to the target computer, send it the commands the malicious program needs, and thereby take control of the device.

C&C is a particularly cunning method because a single infected computer can become a bridge that lets attackers take down the entire internal network. Once the malware is on an infected computer, the C&C server can order it to copy and spread itself to other computers on the network. This happens easily because the malicious code has, in effect, already bypassed the network’s firewall.

Once the entire network is infected, an attacker can disable or encrypt the infected devices to lock out users. The WannaCry ransomware attacks in 2017 followed exactly this scenario: they infected computers at critical facilities such as hospitals and schools, encrypted them, and demanded a ransom in bitcoin.

How does C&C work?

A C&C attack starts with an initial infection, which can occur through channels such as:

  • Phishing emails containing links to malicious websites, or attachments that carry malware.
  • Vulnerabilities in browser plugins.
  • Software that the user downloaded without realizing it was infected.

Malware often gets past firewalls by disguising itself as something harmless, such as a legitimate software update, a seemingly urgent email, or an innocuous attachment.

Once it has infected the target device, the malware sends a signal back to the host operated by the attacker. The attacker can then take control of the infected device, much as a technical support technician takes remote control of your computer to troubleshoot a problem. At this point your computer has become a “bot” or “zombie” under the attacker’s control.

The infected computer then looks for other computers (on the same network, or reachable over other communication channels) and infects them with malware. Eventually these machines form a “botnet” controlled by the attacker.
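The “signal back to the host” described above is what defenders call beaconing: an implant checks in with its C&C server at a steady interval, and that regularity is visible in proxy or DNS logs even when the destination looks innocuous. The following Python script is an added example, not code from the original article; it parses a constructed sample of web-proxy log lines (the IP addresses, host names and thresholds are placeholders chosen for illustration) and flags client-to-destination pairs whose connection timing has very low jitter, which is a common first-pass detection for C&C traffic.

```python
"""Detect periodic C&C beaconing in web-proxy logs.

Added example for illustration. The log lines, hosts and IPs below are
constructed, and the thresholds (min_hits, max_jitter) are assumptions
that a real deployment would tune against its own baseline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per request: "<ISO timestamp> <client_ip> <dest_host> <bytes>"
# 10.0.0.5 talks to relay.invalid about once a minute with almost no variation;
# everything else is ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
2021-05-10T15:00:00 10.0.0.5 updates.example.com 4096
2021-05-10T15:00:03 10.0.0.5 cdn.example.com 120000
2021-05-10T15:01:00 10.0.0.5 relay.invalid 312
2021-05-10T15:02:01 10.0.0.5 relay.invalid 310
2021-05-10T15:02:59 10.0.0.5 relay.invalid 318
2021-05-10T15:04:00 10.0.0.5 relay.invalid 311
2021-05-10T15:05:00 10.0.0.5 relay.invalid 315
2021-05-10T15:06:01 10.0.0.5 relay.invalid 309
2021-05-10T15:00:45 10.0.0.7 cdn.example.com 88000
2021-05-10T15:07:12 10.0.0.7 docs.example.com 2048
2021-05-10T15:23:40 10.0.0.7 cdn.example.com 91000
"""


def parse_log(text):
    """Parse 'timestamp client dest bytes' lines into tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        records.append((ts, parts[1], parts[2], int(parts[3])))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.15):
    """Return (client, dest) pairs whose request timing looks like a beacon.

    A pair is flagged when it has at least min_hits requests and the
    coefficient of variation of the inter-request intervals (stdev / mean)
    is below max_jitter, i.e. the requests arrive on a near-fixed schedule.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, size in records:
        by_pair[(client, dest)].append((ts, size))

    # C&C hosts are usually contacted by very few clients, so record how
    # many distinct clients talk to each destination as supporting context.
    clients_per_dest = defaultdict(set)
    for client, dest in by_pair:
        clients_per_dest[dest].add(client)

    findings = []
    for (client, dest), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        times = [t for t, _ in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:  # identical timestamps; nothing periodic to measure
            continue
        jitter = pstdev(intervals) / avg
        if jitter > max_jitter:
            continue
        sizes = [s for _, s in hits]
        findings.append({
            "client": client,
            "dest": dest,
            "hits": len(hits),
            "mean_interval_s": round(avg, 1),
            "jitter": round(jitter, 3),
            "mean_bytes": round(mean(sizes)),
            "distinct_clients": len(clients_per_dest[dest]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script reports the single pair 10.0.0.5 to relay.invalid, with a mean interval of about 60 seconds, jitter near 0.02, small and uniform response sizes, and only one client ever contacting that host. Real implants often add random sleep jitter to defeat exactly this check, so in practice the jitter threshold is tuned against the environment’s baseline and combined with destination rarity and size uniformity rather than used alone.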


This type of attack is especially harmful to organizations and businesses. Infrastructure systems such as hospital databases or emergency response communications could be compromised.

If a database is compromised, a large amount of sensitive data can be stolen. In some of these attacks, malicious code is designed to run in the background permanently, as is the case with computers being hacked to mine cryptocurrencies without the user’s knowledge.

The C&C structure

Today the main C&C server is usually hosted by the attackers in the cloud, but it can also be a physical server under the attacker’s direct control. Attackers can arrange their C&C servers in several different topologies:

  • Star topology: Bots are organized around a central server.
  • Multi-server topology: Multiple C&C servers are used for redundancy.
  • Hierarchical topology: Multiple C&C servers are organized into a hierarchy of groups.
  • Random topology: The infected computers communicate as a peer-to-peer botnet (P2P botnet).

Attackers have traditionally used the Internet Relay Chat (IRC) protocol for their network attacks. Newer C&C channels are a way for attackers to get around protections aimed at IRC-based network threats.

From 2017 onwards, hackers have increasingly used apps like Telegram as the command and control center for malware.

What hackers can do once they have control

When an attacker has control over a network, or even just one computer on that network, they can:

  • Steal data by transferring or copying documents and information to their servers.
  • Force one or more machines to shut down or restart repeatedly, interrupting operations.
  • Conduct distributed denial of service (DDoS) attacks.

How to defend against C&C attacks

As with most other types of cyber attacks, defending against C&C attacks will require an effective combination of protection software and human actions. You should:

  • Learn the signs of a phishing email.
  • Be wary of clicking on any links and attachments.
  • Update your system regularly and run quality antivirus software.
  • Consider using a password generator, or take the time to create unique passwords, and use a dedicated password manager.

Most cyber attacks require the victim to do something that triggers the malicious program, such as clicking a link or opening an attachment, so caution is the deciding factor here.
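Because the initial infection so often arrives by email, “learning the signs of a phishing email” can be turned into a mechanical check that a mail gateway or a training tool runs before a user ever sees the message. The script below is an added example, not code from the original article: it uses only the Python standard library to parse two constructed messages (the domains use the reserved names .example and .invalid, and the organisation’s own domain is passed in as a parameter) and reports the classic indicators named in the text: a display name that claims a different domain than the real sender, a link whose visible text points somewhere other than its href, a look-alike host that embeds the organisation’s domain, a risky attachment, and an urgency-laden subject.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.

Added example for illustration. Both messages below are constructed;
the keyword list, extension list and the simple <a href> regex are
assumptions that a production filter would replace with fuller parsing.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: spoofed display name, look-alike link, risky attachment.
PHISH_EML = """\
From: "IT Helpdesk <helpdesk@corp.example>" <alerts@mail-login.invalid>
To: user@corp.example
Subject: URGENT: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Please reset at <a href="http://corp.example.login-verify.invalid/reset">https://corp.example/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign sample for comparison.
CLEAN_EML = """\
From: Dana Colleague <dana@corp.example>
To: user@corp.example
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Shall we meet at noon?
"""

URGENT_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host_of(url):
    """Hostname of a URL, lower-cased; empty string if none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _is_lookalike(host, own_domain):
    """True when host contains own_domain but is not own_domain or a subdomain of it."""
    return own_domain in host and host != own_domain and not host.endswith("." + own_domain)


def check_email(raw, own_domain):
    """Return a list of (indicator_code, detail) tuples; an empty list means nothing found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims an address whose domain differs from the real sender.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for claimed in re.findall(r"@([\w.-]+)", name):
        if claimed.lower() != sender_domain:
            findings.append(("display-name-mismatch",
                             f"display name claims {claimed}, real sender is {sender_domain}"))

    # 2. Urgency pressure in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENT_WORDS):
        findings.append(("urgent-subject", subject))

    # 3. Links: visible URL text vs. real target, and look-alike hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        href_host = _host_of(href)
        text_host = _host_of(text) if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(("link-text-mismatch", f"shows {text_host}, goes to {href_host}"))
        if _is_lookalike(href_host, own_domain.lower()):
            findings.append(("lookalike-domain", href_host))

    # 4. Attachments with executable extensions (including double extensions).
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))

    return findings


if __name__ == "__main__":
    for code, detail in check_email(PHISH_EML, "corp.example"):
        print(f"{code:24} {detail}")
    print("clean message findings:", check_email(CLEAN_EML, "corp.example"))
```

The phishing sample trips all five indicators while the benign message trips none. Each check on its own is weak (legitimate mail sometimes has urgent subjects, and marketing mail routinely uses tracking links whose host differs from the text), so a gateway would normally score the indicators together and route high-scoring mail to quarantine or add a warning banner rather than block on any single hit.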

