3

When hackers put trojan horses on someone's PC, those programs (which are, by definition, just stealthy RATs with some... extra features) need to communicate with them somehow. A direct peer-to-peer connection to their own PC is obviously impossible due to NATs being installed in pretty much any modern network. Even if they used port forwarding or more obscure techniques like UDP hole punching, their IP address would instantly be revealed to anyone investigating the attacked PC.

So, to my understanding, they'd need to use some kind of server. Is there a way for them to anonymously purchase servers so that they can't be traced back? Or can they use proxies/VPNs on the victim's PC + port forwarding in their own network to not only hide their target's IP from the ISP but also their own IP from anyone investigating their victim's PC? This surely must be impossible since the IP has to be stored somewhere within the binary, right?

Anders
DLCom
  • There are many different ways a hacker might hide their identity. Certainly though, it is **highly** unlikely that many use their own personal PC at home as the C&C server for their botnet. I mean, I'm sure someone has done it, but it's not a good idea. – Conor Mancone Sep 13 '19 at 20:19
  • Tor is pretty popular for C&C communication. It routes connections for you so you don't need to worry about connecting directly to the server or port forwarding. It's also supposed to be pretty ok at preventing the server IP address from being discovered. – user Sep 13 '19 at 20:24

1 Answer

7

Malware communication today is often done via some central servers to which both the malware and the attacker connect and can thus build a communication channel. Variations can include multiple servers, or malware and attacker connecting to different systems which then build a connection to each other. It is thus some kind of proxy architecture and not a direct connection. But there are also P2P architectures in use for malware communication.

This surely must be impossible since the IP has to be stored somewhere within the binary, right?

The target IP address does not need to be stored, but there needs to be a way to determine it. Directly using the IP address is too inflexible and also makes it easy to detect and block the malware communication by just detecting and blocking this target IP address.

Using a DNS name is more flexible since the attacker can switch the current addresses for a domain name he owns. But it can also easily be detected and blocked as long as the infected system is using a name server controlled by the defender. Some malware therefore uses a different name server (which is not too hard to detect either) and some even switch to DNS over HTTPS, which is much harder to detect and analyze.

Other methods include the deterministic dynamic generation of domain names (DGA - domain generation algorithm) so that blocking of a single domain name is no longer enough. This often requires reverse engineering the malware to reconstruct the algorithm of the DGA or to detect the use of generated domain names based on their syntax or behavior (typically using statistical analysis and machine learning).

And then there is malware which uses seemingly unsuspicious communication channels to find the current location of their peers or to get instructions, like Twitter or Instagram or DNS. Communication to these seemingly innocent targets is much harder to detect and block, especially if done encrypted, but might be done by analyzing traffic patterns or peculiarities of the TLS handshake. But this needs even more effort by the defender than in the previous cases, which also means that it costs more performance and that the necessary equipment is more expensive.

Steffen Ullrich
  • Also obfuscation and encryption are many times used in the malware code to hide the C&C IPs/domains. – Overmind Sep 17 '19 at 06:07
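The answer mentions detecting DGA domains from their syntax rather than from a known blocklist. As an added illustration (not part of the answer above), the following runs a simple lexical scorer over a constructed DNS query log; the log lines, the thresholds and the single-label-TLD simplification are all assumptions for the example, and real detectors use statistical or ML models rather than fixed cut-offs.

```python
import math
from collections import Counter

# Constructed sample of DNS query log lines (not real traffic):
# "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2019-09-13T20:19:01Z 10.0.0.12 www.example.com
2019-09-13T20:19:02Z 10.0.0.12 mail.google.com
2019-09-13T20:19:05Z 10.0.0.12 xkq7vz2mtp9wd.net
2019-09-13T20:19:05Z 10.0.0.12 b3f8qzlw0yvkr.org
2019-09-13T20:19:06Z 10.0.0.12 cdn.cloudflare.net
2019-09-13T20:19:07Z 10.0.0.12 rt6hj2pqzx8fw.info
"""

def shannon_entropy(s):
    """Bits of entropy per character; generated labels tend to score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(qname):
    # Second-level label, assuming a single-label TLD. This is a simplification
    # for the example; real code would consult the Public Suffix List.
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(label):
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label),
        "digit_ratio": digits / len(label),
    }

def looks_generated(label, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    # Illustrative thresholds: long, high-entropy labels with few vowels or
    # many digits are unlike most human-chosen names.
    f = dga_features(label)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and (f["vowel_ratio"] <= max_vowel_ratio or f["digit_ratio"] > 0.2))

def flag_dga_queries(log_text):
    """Return (client, qname) pairs whose registered label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        _, client, qname = line.split()
        if looks_generated(registered_label(qname)):
            flagged.append((client, qname))
    return flagged
```

A score like this only raises candidates for review; the answer's point stands that an analyst still has to reverse the sample to recover the actual algorithm and predict future domains.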