When it comes to defeating trojans, there’s one key to it all: Command and Control Centers (aka C & C Centers, or C2 Centers). C2 Centers are the very heart of the hacker’s operation. Copies of the files you read, the keystrokes you type, the videos you watch, etc. are all packaged and sent to the hacker’s C2 Center. Also, when a hacker wants to control your computer, such as uploading a file, he does so through the C2 Center as well.
Even though C2 Centers are the very heart of the hacker’s operation, half of the security experts at large companies aren’t familiar with them. This lack of knowledge results in tragic consequences. For the golden key to stopping hackers is to sever their malware’s connection to the C2 Center. The moment you do so, the hacker’s entire operation falls apart.
On the bright side, security firms such as TechTarget are finally identifying the golden key:
“Security teams can effectively stop a malware intrusion if they focus on disrupting communications with command-and-control nodes. It’s unrealistic to attempt to prevent the malware from gaining a foothold in an enterprise because users will inevitably click on an email attachment or link, causing an infection. And signature-based tools, such as antivirus and malware detection, are not effective half the time. Security resources should focus on stopping malware from communicating with the command-and-control server, effectively breaking the kill chain.” — Tech Target
TechTarget is absolutely correct: The key to effectively stopping hackers is to stop their “malware from communicating with the command-and-control server, effectively breaking the kill chain.”
Deloitte ranked Looking Glass the 90th fastest growing company in North America for 2016. Looking Glass has also come to realize the golden key to stopping hackers:
“Most embedded malware requires instructions from a command and control server in order to perform pernicious acts such as data exfiltration or scrambling data for ransom. But almost every advanced malware needs a DNS lookup to communicate with a C2 server. Stopping the DNS lookup stops the malware in its tracks.”
The cybersecurity industry is awakening to the paradigm in which hackers can finally be defeated: Focus on severing the malware’s connection to the hacker’s C2 Center. Thus, the ultimate question now becomes: What’s the most reliable way to do this? That’s where Terra Privacy’s Hacker Deterrent comes in.
Newly Discovered Trojans and their C2 Centers
Learning about C2 Centers is the key to winning the war against hackers. Therefore, let’s explore some newly discovered trojans and their C2 Centers.
In a previous post we recently discussed Trojan T9000. Even though this trojan bypasses every popular antivirus and firewall, it still needs to communicate with its C2 Server located at 184.108.40.206.
Consider also a recent email sent by Operation Lotus Blossum. This group sent trojan-laden emails to people interested in attending a security conference hosted by Palo Alto Networks. The email claimed to be from Palo Alto, offering free tickets to the event. Those who signed up were infected with secret spyware. This spyware communicated with its C2 Server located at 220.127.116.11.
Some trojans have the option to talk to any one of multiple C2 Centers; and they can even use domain names to do so. The 9002 Google Drive trojan is a good example of this. This trojan communicates with following C2 Servers:
Unfortunately, for about $50, anyone can set up their own trojan/C2 Center operation with off-the-shelf software. Palo Alto Networks recently dissected an off-the-shelf trojan/C2 Center program entitled LuminosityLink. Palo Alto Networks discovered that users of this do-it-yourself kit created many thousands of C2 Servers, including:
- 3,308 subdomains on ddns.net
- 2,537 subdomains on duckdns.org
- 904 subdomains on no-ip.biz
- 670 subdomains on chickenkiller.com
- 378 subdomains on no-ip.org
- 377 subdomains on mooo.com
- 242 subdomains on fishdns.com
- 174 subdomains on no-ip.info
- 165 subdomains on ignorelist.com
- 157 subdomains on freedns.su
So how does this information help us finally stop hackers in their tracks?
TechTarget, Looking Glass, and Terra Privacy LLC all understand that the key to stopping hackers is to sever the malwares’ connections to their C2 Centers. However, there are two opposite approaches to doing do:
- Blacklist Approach: Used by TechTarget and Looking Glass
- Dynamic Whitelist Approach: Patented method used by Terra Privacy’s Hacker Deterrent
Blacklists try to identify C2 Center connections based on IDs and internal characteristics of previously discovered C2 Center connections. However, newly created IDs and newly created internal characteristics can (and do) bypass this method. In fact, the T9000 Trojan discussed in a prior article is a perfect example of this.
Hacker Deterrent’s Dynamic Whitelisting, on the other hand, matches applications to their manufacturers. If an application is talking to its manufacturer then the connection is allowed. Everything else remains blocked.
The above list of C2 Centers was given for a reason. Consider all of them. How many of those C2 Centers are the manufacturers of software/hardware on any of your computers? None of them are. Therefore, all of them would be blocked by this one elegant rule. That’s the power behind Hacker Deterrent’s unique method.