Among the latter are the masters of the Cutwail / Pushdo botnet, one of the longest-lived botnets around, and their decision must be working well for them: despite several past takedown attempts, it is still going strong.
Of course, such a C&C architecture requires a set of tricks so that suspicious network traffic to and from the zombie computers isn't easily detected, and Trend Micro researchers have shared some of them:
- Combining C&C communication with normal traffic: the latest variants of the malware send out numerous HTTP requests, and among them are the requests to the C&C servers (often several of them, and not necessarily all of them to fetch the configuration file), which can ultimately amount to small DDoS attacks.
- Wielding an encrypted list of 200 domains, but trying to contact only 20 randomly chosen ones at a specific time.
- Using legitimate but compromised big and small domains as C&C servers, so that sending requests to them passes under the radar.
- Using a domain generation algorithm (DGA) to rotate C&C servers and stay one or more steps ahead of the security industry.
"Using sandboxing analysis without reverse engineering the malware and figuring out its DGA may not be enough to block C&C communication, as the malware generates different domains for each day."
The days of file-signature detection are over, they say, and AV companies must use a number of alternative detection approaches, such as sandboxes, deep analysis, reputation services, and more.