A Command and Control Server (C & C server) is a centralized server that issues commands to, and is itself part of, a botnet. A botnet is a group of computers that run an automated program. The bots (the name comes from the English word "robots") run on networked computers, use the network connections and local resources available to them, and collect whatever data they can reach. As this description shows, a Command and Control Server can serve a legitimate purpose or an illegal one.
The term botnet is widely used when several IRC bots are linked together so that they can set channel modes on other bots and users and keep IRC channels free from unwanted users. This is where the term originally came from, since the first illegal botnets were built in the same way as the legitimate ones. A fully illegal botnet can, for example, launch a DDoS attack.
In the same way, these Command and Control Servers can be used for an Advanced Persistent Threat. Illegal botnet operators install the bots without the knowledge of the owners of the computers and use them for their own purposes. Most bots belong to a botnet operator (also known as a botmaster) and are monitored over a communication channel that is used to send and receive commands. The server at the other end of that channel is, to be precise, what is known as a command-and-control server, or in short form C & C.
Command and Control Server versus Botnet
Command and Control Servers are usually regarded as the illegal counterpart of the botnet. The vast majority of bots have functionality that allows the operator of a botnet to communicate with them. This includes the retrieval of data from a bot and the distribution of new instructions. Technically there is no difference in pure form, but quite obviously, illegal operation needs no permission from the owners of the machines. The terminology itself, Command and Control technology, is not limited to illegal use; it is only jargon that treats it as the illegal part.
Command and Control Server Technologies
In the 1990s, IRC was a popular solution for Internet chat. Legitimate and useful bots, such as eggdrop, were developed to help users with IRC and channel management. This simple technique became the first C & C strategy. When communicating over an IRC channel, the bots make a client connection to an IRC server. Commands are executed without delay and the operator gets immediate feedback from the bots. An IRC C & C server is very easy for a bot herder to create and manage. When a computer is infected, the zombie tries to connect to the IRC server and channel.
If the connection is successful, the bot herder can control the bot. This can be done individually, or globally via private messages to all the zombies within the channel. To make this more efficient, some botmasters set the channel topic (the "theme" of the channel) to a command for the bots, such as an update instruction or an order to perform a DDoS attack.
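Seen from the network side, the IRC C & C pattern described above has a recognisable shape: many hosts join one channel, a single nick speaks, and the topic or channel messages read like instructions rather than conversation. The following detector is an added example, not code from the original article. It parses raw IRC protocol lines and applies exactly those heuristics; the log lines, nicks, hosts, channel names, the keyword list and the host threshold are all constructed or assumed for the illustration.

```python
"""Detect IRC command-and-control patterns in captured IRC traffic.

Added example (not part of the original article). Two heuristics taken
from the text:
  1. one sender addressing a channel that many distinct hosts have
     joined (instructions broadcast to zombies), and
  2. a channel topic or message that reads like a bot command rather
     than a human-readable topic.
"""
import re
from collections import defaultdict

# Raw IRC line: ":nick!user@host COMMAND params :trailing" (prefix optional)
IRC_LINE = re.compile(
    r"^(?::(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+))?(?:@(?P<host>\S+))?\s+)?"
    r"(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s][^\s]*)*)"
    r"(?:\s+:(?P<trailing>.*))?$"
)

# Assumed command vocabulary: the "update" and "DDoS" orders the article
# mentions, plus the "!" / "." prefix that bot command syntax commonly uses.
COMMAND_TEXT = re.compile(r"^[!.]\w+|\b(ddos|update|download|exec)\b", re.I)

MIN_HOSTS = 5  # assumed threshold of distinct joined hosts before a channel is suspicious


def parse_line(line):
    """Return nick/user/host/cmd/params/trailing for one IRC line, or None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["params"] = d["params"].split() if d["params"] else []
    return d


def analyse(lines, min_hosts=MIN_HOSTS):
    """Return {channel: [reasons]} for channels that look like C&C channels."""
    joined_hosts = defaultdict(set)   # channel -> hosts that JOINed it
    speakers = defaultdict(set)       # channel -> nicks that sent PRIVMSG
    reasons = defaultdict(list)
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        cmd = msg["cmd"].upper()
        # JOIN may carry the channel as a parameter or as trailing text
        target = msg["params"][0] if msg["params"] else (msg["trailing"] or "")
        if not target.startswith("#"):
            continue
        text = msg["trailing"] or ""
        if cmd == "JOIN":
            joined_hosts[target].add(msg["host"] or msg["nick"])
        elif cmd == "PRIVMSG":
            speakers[target].add(msg["nick"])
            if COMMAND_TEXT.search(text):
                reasons[target].append(f"channel message looks like a bot command: {text!r}")
        elif cmd == "TOPIC" and COMMAND_TEXT.search(text):
            reasons[target].append(f"topic looks like a bot command: {text!r}")
    # Fan-out check: many listeners, at most one talker
    for chan, hosts in joined_hosts.items():
        if len(hosts) >= min_hosts and len(speakers[chan]) <= 1:
            reasons[chan].append(
                f"{len(hosts)} distinct hosts joined but only {len(speakers[chan])} nick speaks")
    return dict(reasons)


# Constructed sample capture: one control channel, one ordinary chat channel.
SAMPLE = """\
:zmb01!z@203.0.113.10 JOIN #ctrl
:zmb02!z@203.0.113.11 JOIN #ctrl
:zmb03!z@203.0.113.12 JOIN #ctrl
:zmb04!z@203.0.113.13 JOIN #ctrl
:zmb05!z@203.0.113.14 JOIN #ctrl
:herder!h@198.51.100.7 TOPIC #ctrl :.update 2.1
:herder!h@198.51.100.7 PRIVMSG #ctrl :.ddos 192.0.2.55 80 600
:alice!a@192.0.2.20 JOIN #linux
:bob!b@192.0.2.21 JOIN #linux
:alice!a@192.0.2.20 PRIVMSG #linux :anyone tried the new kernel?
:bob!b@192.0.2.21 PRIVMSG #linux :yes, works fine here
:carol!c@192.0.2.22 TOPIC #linux :Welcome! Read the FAQ before asking
""".splitlines()

if __name__ == "__main__":
    for chan, why in analyse(SAMPLE).items():
        print(chan)
        for r in why:
            print("  -", r)
```

The fan-out rule only fires once `min_hosts` hosts have joined, so on a real capture the threshold should be set from the size of legitimate channels on the monitored server; the keyword rule is deliberately narrow and is meant to be extended with whatever command syntax the analysed bot family actually uses.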
Next came the use of private servers and passwords, and C & C technologies have been improved continuously since. The first such technology used multiple interconnected IRC servers, relying on ordinary IRC functionality: IRC is designed so that a number of servers can be linked to form a network of servers. With this technique, the addresses of all servers are hard-coded in the bot, which then tries to connect to each of these addresses in turn. Once a connection is made between server and client, the bot logs into the channel where the bots are instructed. As you can see, this technology has its limits, since a hard-coded address list cannot be changed once the bot is deployed, which is why DNS records were introduced at that time.
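A bot walking a hard-coded server list leaves a distinctive trace in connection logs: one source host attempting the same destination port on several different addresses within seconds, most attempts failing, and the first success turning into a session. The script below, an added example rather than code from the article, looks for that shape in simple flow records. The records, the time window and the target threshold are constructed or assumed for the illustration.

```python
"""Spot a bot iterating a hard-coded C&C server list in connection logs.

Added example (not part of the original article). Groups flow records by
(source host, destination port), then looks for a short burst in which the
host tried several distinct destinations and at most one of them accepted
the connection. Ordinary clients that reach several addresses on one port
(for example a browser talking to a CDN) succeed on all of them and are
therefore not flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: attempts closer together than this form one burst
MIN_TARGETS = 3                  # assumed: distinct addresses tried before we report

# Constructed records: (time, src_ip, dst_ip, dst_port, state)
# state is "SYN_ONLY" (no reply or refused) or "ESTABLISHED".
FLOWS = [
    ("2024-05-01 10:00:01", "10.0.0.23", "198.51.100.5", 6667, "SYN_ONLY"),
    ("2024-05-01 10:00:04", "10.0.0.23", "198.51.100.9", 6667, "SYN_ONLY"),
    ("2024-05-01 10:00:07", "10.0.0.23", "203.0.113.40", 6667, "SYN_ONLY"),
    ("2024-05-01 10:00:10", "10.0.0.23", "203.0.113.77", 6667, "ESTABLISHED"),
    ("2024-05-01 10:05:00", "10.0.0.44", "192.0.2.10", 443, "ESTABLISHED"),
    ("2024-05-01 10:05:30", "10.0.0.44", "192.0.2.11", 443, "ESTABLISHED"),
    ("2024-05-01 10:06:00", "10.0.0.44", "192.0.2.12", 443, "ESTABLISHED"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_server_walks(flows, window=WINDOW, min_targets=MIN_TARGETS):
    """Return one finding per (src, port) that shows the try-each-address pattern."""
    by_key = defaultdict(list)
    for t, src, dst, dport, state in flows:
        by_key[(src, dport)].append((parse_time(t), dst, state))
    findings = []
    for (src, dport), recs in by_key.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            # Sliding window starting at each record
            burst = [r for r in recs[i:] if r[0] - t0 <= window]
            targets = []
            for _, dst, _ in burst:
                if dst not in targets:
                    targets.append(dst)
            established = [dst for _, dst, st in burst if st == "ESTABLISHED"]
            if len(targets) >= min_targets and len(established) <= 1:
                findings.append({
                    "src": src,
                    "dport": dport,
                    "tried": targets,
                    "connected_to": established[0] if established else None,
                })
                break  # report each (src, port) once
    return findings


if __name__ == "__main__":
    for f in find_server_walks(FLOWS):
        print(f"{f['src']} walked {len(f['tried'])} addresses on port {f['dport']}, "
              f"connected to {f['connected_to']}")
```

The address that finally accepted the connection is the one worth blocking or sinkholing, and the whole tried list is the bot's embedded server list, which is useful for hunting other infected hosts that show attempts to the same addresses.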
Nowadays such tools can be bought for a few hundred dollars or so. They mostly consist of web-based vulnerabilities customized into malicious code that antivirus programs do not detect, together with a web-based Command and Control engine that includes a back-end database for storing the stolen information.