Command and control servers, also known as C&C or C2 servers, are utilized by attackers to maintain communication with all the compromised systems in a target network.

When security professionals were asked about malware, almost half of them were unfamiliar with C&C communication techniques. As their name suggests, these command and control servers send commands to and control compromised systems.

How malware enters a system

Malware can enter via myriad channels. The perimeter network defenses used nowadays, such as firewalls, IDS and virus signatures, are ineffective against unknown exploits.

The most common method used for malware infection is via email phishing attempts. In this method, the victim is tricked into opening an attachment or asked to follow a link to a malicious site with an embedded payload.

This payload then compromises the machine using system vulnerabilities. A lot of companies only allow approved and known traffic into their network but are liberal about what is allowed out to the internet.

The bots that write malware programs are aware that there will be defenses in place for inbound connections via firewalls. So they are able to write code for evading these anti-malware and antivirus programs.

Several targeted infections can succeed in compromising your system. Malicious attempts risk large volumes of sensitive business data being stolen while you are sharing it with colleagues. When you send files, you need to exercise caution while selecting the program.

Techniques for preventing damage

One of the more popular command and control communication techniques uses publicly available DNS servers instead of systems within a private network. These persistent and advanced hackers try to utilize public DNS services to avoid logging into the private network and thereby circumvent the risk of detection.

Another commonly used technique for avoiding detection is leveraging dynamic hosting websites. The infected entities behave like humans rather than computers, as there are fewer IP address requests. The infected systems might use any kind of DNS service, which can make them stealthier and tough to catch without other IOCs.

Spotting the communications of an infected host requires an understanding of how the system works normally. Identifying malicious programs involves a system-and-network level analysis to identify the communication method used by the malware and which of your system programs are generating this suspicious traffic.

You can isolate a suspect computer, capture and analyze its network behavior, and then correlate this information with logs from proxy systems and DNS. If a person is not logged on to a system and is not generating traffic via web browsing and email, there should only be a small amount of traffic.

Noisy applications are easy to identify, evaluate, and terminate as a starting place for the isolation of the system processes and any communications that are generated.

For example, if the connection attempts to use the external DNS servers or uses non-standard ports via a firewall, it means the traffic is suspicious and indicates infection.
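
The check described above (external DNS servers or non-standard ports as signs of infection), as an added example that is not part of the original article. It runs over constructed firewall log lines; the resolver addresses, the expected-port list and the log format are assumptions to replace with your own.

```python
import csv
import io
from collections import defaultdict

# Assumptions for this example (not from the article): the approved internal
# resolvers and the outbound ports the firewall policy expects to see.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_PORTS = {53, 80, 123, 443}

# Constructed sample of firewall connection logs: time,src,dst,dst_port,proto
SAMPLE_LOG = """\
2024-01-01T02:00:01,10.0.5.21,10.0.0.53,53,udp
2024-01-01T02:00:02,10.0.5.21,203.0.113.10,443,tcp
2024-01-01T02:00:07,10.0.5.44,198.51.100.7,53,udp
2024-01-01T02:00:09,10.0.5.44,198.51.100.7,53,udp
2024-01-01T02:01:15,10.0.5.44,192.0.2.80,8443,tcp
2024-01-01T02:01:30,10.0.5.30,10.0.1.53,53,udp
"""

def classify(dst, port):
    """Return why a connection is suspicious, or None if it looks normal."""
    if port == 53 and dst not in INTERNAL_RESOLVERS:
        return "external-dns"        # DNS that bypasses the internal resolvers
    if port not in EXPECTED_PORTS:
        return "non-standard-port"   # outbound port outside the expected set
    return None

def find_suspects(log_text):
    """Map each source host to the set of suspicious (reason, dst, port) hits."""
    suspects = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[3].isdigit():
            continue  # skip malformed lines rather than crash mid-triage
        _, src, dst, port, _ = row
        reason = classify(dst, int(port))
        if reason:
            suspects[src].add((reason, dst, int(port)))
    return dict(suspects)

if __name__ == "__main__":
    for host, hits in sorted(find_suspects(SAMPLE_LOG).items()):
        for reason, dst, port in sorted(hits):
            print(f"{host}: {reason} -> {dst}:{port}")
```

Hosts it reports are candidates for the isolation and log correlation steps above, not confirmed infections.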

By cutting off these communications you take the initiative in remedying a malware infection that uses a command and control network. Every infected computer has to be cleaned and updated to prevent future infection.

Various security teams can prevent malware intrusion if they can concentrate on disrupting the communication with all the command and control nodes. It would be unrealistic to expect to prevent malware from achieving any foothold within a business, as inevitably some users are going to click on email attachments resulting in infections.

All the signature-based tools such as malware detection and antivirus are not very effective most of the time. These security teams have to concentrate on preventing malware from communicating with the command and control server to effectively break off the kill chain. Any business will have to strictly adhere to some fundamental security practices to accomplish this.


To successfully beat threats like these, a business has to break the communication channel to their command and control server and maintain visibility over all the suspicious traffic. This will take them a long way towards stopping the advent of more advanced malware.

Author Ben Tibbels

Forged in the fiery heart of Nebraska, this comedian turned tech writer enjoys video games, tabletop RPGs, board games, fantasy novels, and craft beer. He lives in LA with his bride-to-be and their two corgis, Carl and Fry.
