Browse Definitions :

command-and-control server (C&C server)

What is a command-and-control server?

A command-and-control server (C&C server) is a computer that issues directives to digital devices that have been infected with rootkits or other types of malware, such as ransomware. C&C servers can be used to create powerful networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data in order to carry out an extortion scheme.

In the past, a C&C server was often under an attacker's physical control and could remain active for several years. Today, C&C servers generally have a short shelf life; they often reside in legitimate cloud services and use automated domain generation algorithms to make it more difficult for law enforcement and ethical malware hunters to locate them.

How does a C&C server work?

For a C&C attack to materialize, a malicious remote server known as a C&C server must gain a foothold into an already infected machine. Most devices such as laptops, desktops, tablets, smartphones and IoT devices are vulnerable to this type of attack.

Command-and-control server attacks are typically carried out through the following channels:

  • Phishing emails that trick users into clicking malicious links or attachments.
  • Malvertising that distributes malware by injecting malicious code inside digital advertisements.
  • Vulnerable browser extensions and plugins that may introduce malicious scripts into interactive webpages to redirect, block and steal information entered into online forms.
  • Malware that's directly installed on a device to initiate malicious commands.

After the successful invasion of a device, a threat actor establishes communication with the malicious C&C server to send instructions to the infected host and form a malicious network. A malicious network under a C&C server's control is called a botnet and the network nodes that belong to the botnet are sometimes referred to as zombies. Beaconing can also be used between the infected device and the C&C server to deliver instructions or additional payloads.

Once the infected host starts executing the commands sent by the C&C server, further malware is installed, which gives the threat actor full control over the compromised machine. To avoid detection by firewalls, threat actors might try to blend C&C traffic with other types of legitimate traffic, including HTTP, HTTPS or domain name system.

Architecture of a C&C botnet
A botmaster initiates an attack on the victim's device by connecting to the C&C server and using it to compromise channels through phishing, DDoS and spam.

C&C server malicious use cases

Even with cybersecurity and threat intelligence mechanisms in place, organizations may not always effectively monitor outbound communications. This may let certain outbound communication channels -- including phishing emails, lateral movements or infected websites -- weave their way into a network and inflict damage.

C&C servers act as the headquarters where all activities related to the targeted attack report back. Besides installing malware, a threat attacker may use a C&C server to carry out the following malicious activities:

  • Data theft. A threat actor can move an organization's sensitive data, such as financial records, to the C&C server.
  • Reboot devices. Cybercriminals can use a C&C attack to disrupt usual ongoing tasks by rebooting compromised machines.
  • Network shutdown. Threat actors can use these attacks to bring down either a few machines or shut down an entire network.
  • DDoS attacks. Hackers may try to disrupt web services or bring down a website by sending a massive number of DDoS requests to the server's IP address. This can cause a traffic jam, which prevents legitimate traffic from accessing the network.
  • Misuse of future resources. A C&C attack may be carried out to disrupt legitimate applications to negatively affect future resources. One example of this is the SolarWinds breach from 2020, where threat actors secretly transmitted malicious code into the company's software system, which was then inadvertently sent out by SolarWinds as part of its software updates to customers. The code stayed dormant for months, creating a backdoor to the victims' machines, and was used by threat actors to spy and install additional malware.
  • Advanced persistent threat (APT). An APT may not launch immediately or will stay dormant after infecting a certain host, waiting for a better attack opportunity. For example, a threat actor may try to sell the C&C server or a hosting package to the victim to generate more profit.

Popular botnet topologies

A botnet is a group of malware-infected and internet-connected bots that are controlled by a threat actor. Most botnets have a centralized command-and-control architecture, although peer-to-peer (P2P) botnets are on the rise due to their decentralized nature, which offers more control to the threat actors.

Popular botnet topologies include the following:

  • Star topology. The bots are organized around a central server.
  • Multi-server topology. There are multiple C&C servers for redundancy.
  • Hierarchical topology. Multiple C&C servers are organized into tiered groups.
  • Random topology. Co-opted computers communicate as a P2P botnet.
  • P2P. Each bot operates independently as both a client and a server. Due to the lack of centralized control, a P2P botnet architecture is more aggressive and harder to detect.

In a traditional botnet, the bots are infected with a Trojan horse and use Internet Relay Chat (IRC) to communicate with a central C&C server. These botnets are often used to distribute spam or malware and gather misappropriated information, such as credit card numbers. Since IRC communication is typically used to command botnets, it's often guarded against. This has motivated cybercriminals to find more covert ways for C&C servers to issue commands. Alternative channels used for botnet commands include JPEG images, Microsoft Word files and posts from LinkedIn or Twitter dummy accounts.

Botnets can fuel DDoS attacks by taking advantage of IoT vulnerabilities. Learn how hackers create an IoT botnet and initiate a DDoS attack to infect networks.

This was last updated in October 2022

Continue Reading About command-and-control server (C&C server)

  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

  • cybersecurity

    Cybersecurity is the practice of protecting internet-connected systems such as hardware, software and data from cyberthreats.

  • Advanced Encryption Standard (AES)

    The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to protect classified ...

  • operational risk

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business ...

  • Risk Management Framework (RMF)

    The Risk Management Framework (RMF) is a template and guideline used by companies to identify, eliminate and minimize risks.

  • robotic process automation (RPA)

    Robotic process automation (RPA) is a technology that mimics the way humans interact with software to perform high-volume, ...

  • spatial computing

    Spatial computing broadly characterizes the processes and tools used to capture, process and interact with three-dimensional (3D)...

  • OKRs (Objectives and Key Results)

    OKRs (Objectives and Key Results) encourage companies to set, communicate and monitor organizational goals and results in an ...

  • cognitive diversity

    Cognitive diversity is the inclusion of people who have different styles of problem-solving and can offer unique perspectives ...

  • reference checking software

    Reference checking software is programming that automates the process of contacting and questioning the references of job ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...