Command and Control Server:

A command and control server, also known as a C2 server, is a server used by cybercriminals to manage and control their malware or botnets. The C2 server acts as a centralized server that sends instructions to the infected devices and receives data from them.

Here the attacker controls the C2 server. All the victims connect to the C2 server over the internet; the connection method may vary, for example a bind shell or a reverse shell. The attacker connects to the C2 server and controls all the victims. The C2 server runs multiple sessions so that a group of people can issue commands through it.

If the victim system is known to be compromised, the system administrator can easily block communication between the C2 server and the victim by simply blacklisting the DNS name or IP address of the C2 server. Also, if the IP address of the C2 server is exposed, it is easy to trace back to the attacker. So the attacker uses multiple layers of proxy networks before connecting to the victim system. But there is still a way to trace back unless the chain is very complicated and constantly changing.

The idea is to place the command and control server behind the Tor network, so the system administrator cannot block communication between the C2 server and the victim PC. Yes, the system user can monitor the network traffic and find that there is Tor traffic by identifying the Tor exit nodes. To overcome this, the Tor community not only has a public list of Tor exit nodes but also maintains a private list of Tor exit nodes, which we can configure our C2 server to use.
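As an added example from the defender's side (not code from the original post), the check a system administrator would run on the monitoring point mentioned above: match the destination of each outbound connection against a published Tor relay list, and report connections to the default Tor relay ports separately as a weaker signal. The relay list and the log lines below are constructed samples using documentation address ranges; the log format is an assumed firewall-style line, not any particular product's output.

```python
import ipaddress
import re
from typing import Dict, Iterator, List, Set

# Constructed sample in the one-address-per-line style of the Tor Project's
# published relay lists. These are documentation addresses, not real relays.
SAMPLE_RELAY_LIST = """\
# constructed example relay list
203.0.113.10
203.0.113.11
198.51.100.200
"""

# Constructed firewall-style connection log: "<timestamp> <src> -> <dst>:<port> <proto>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 -> 93.184.216.34:443 TCP
2024-01-01T10:00:02Z 10.0.0.7 -> 203.0.113.10:9001 TCP
2024-01-01T10:00:03Z 10.0.0.7 -> 198.51.100.200:443 TCP
2024-01-01T10:00:04Z 10.0.0.9 -> 192.0.2.55:9001 TCP
this line is not a connection record
"""

# Default Tor relay ports (ORPort 9001, DirPort 9030). A port alone is a weak
# signal, so it is reported with a different reason than a relay-list hit.
TOR_DEFAULT_PORTS = {9001, 9030}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)$"
)


def load_relay_set(text: str) -> Set[str]:
    """Parse a relay list, ignoring comments and blank lines and skipping malformed entries."""
    relays: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            relays.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # a bad feed line should not abort the whole check
    return relays


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def flag_tor_connections(log_text: str, relay_text: str) -> List[Dict[str, str]]:
    """Return records whose destination is a listed relay or uses a default Tor port."""
    relays = load_relay_set(relay_text)
    flagged: List[Dict[str, str]] = []
    for rec in parse_log(log_text):
        if rec["dst"] in relays:
            reason = "listed-relay"
        elif int(rec["port"]) in TOR_DEFAULT_PORTS:
            # Weaker evidence: could be an unlisted relay (bridge) or unrelated traffic.
            reason = "tor-default-port"
        else:
            continue
        flagged.append({**rec, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_tor_connections(SAMPLE_LOG, SAMPLE_RELAY_LIST):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} [{hit['reason']}]")
```

The caveat this illustrates is the one the post raises: a client that uses a relay that is not in the public list never produces a `listed-relay` hit, so the list check must be paired with other signals (unusual ports, traffic volume, process-level telemetry) rather than trusted alone.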

One of the challenges in implementing this is the communication between the victim and the C2 server after compromising the victim PC. The Tor network is not accessible from the plain network; we need to use a Tor proxy to reach the Tor network and then connect to the C2 server.

There are some approaches I can come up with:

  • Connecting through publicly available Tor proxies, which are not reliable and always changing.
  • Bundling the Tor binary in the malicious executable, which makes antivirus detection easier.

Since the main idea of this project is to make it work over the Tor network properly rather than to evade antivirus detection, I am going with the second option.

Will update the progress...


By Suryah
