CnCHunter: An MITM-Approach to Identify Live CnC Servers

Conference: BlackHat USA 2021

2021-08-04

Summary

The presentation discusses CnCHunter, an automated tool for discovering Command and Control (CnC) servers used by IoT malware. The tool acts as a man-in-the-middle: it redirects the malware's outbound traffic to candidate addresses and analyzes the traffic the malware generates to determine which candidates are live CnC servers.
  • CnCHunter is an automated tool for discovering the CnC servers of IoT malware
  • The tool uses man-in-the-middle functionality to redirect traffic to candidate addresses and analyzes the traffic generated by the malware to find live CnC servers
  • The tool was evaluated on a set of 100 samples and achieved a precision of 92%
  • CnCHunter is fully automated and open source
  • The presentation includes two demos: one for finding the CnC server of a single sample, and one for using old samples to find live CnC servers
The presenter demonstrated the use of CnCHunter to find a live CnC server using a four-year-old Gafgyt sample. On its own, the sample would not have reached a live CnC server, but by using the man-in-the-middle functionality the tool redirected its traffic to a candidate address and found a live CnC server. This demonstrates the tool's effectiveness in discovering live CnC servers that would otherwise stay hidden from analysis.

Abstract

How can we identify active CnC servers? Answering this question is critical for containing and combating botnets. Finding CnC servers is not trivial because CnC servers can change locations expressly to avoid detection, use proprietary communication protocols, and often use end-to-end encryption. Most prior efforts first "learn" a malware communication protocol and then scan the Internet in search of live CnC servers. Although useful, this approach will not work with sophisticated malware that uses encryption or a communication protocol that is hard to reverse engineer. In this session, we propose CnCHunter, a systematic tool that discovers live CnC servers efficiently. The novelty of our approach is that it uses real "activated" malware to search for live CnC servers, with CnCHunter acting as a Man-In-The-Middle. As a result, our approach overcomes the limitations of prior efforts: for example, the malware binary knows how to communicate with its server even in the presence of encryption. We randomly selected 50 IoT malware samples collected between 2017 and 2021 and found their CnC servers. CnCHunter could automatically activate 96% of the malware and dynamically find the CnC servers. Additionally, we demonstrate the potential of our system by activating an old Gafgyt malware sample and enabling it to communicate with a live CnC server belonging to a recent sample of the same family. This proves that an old malware binary of a family can be used to scan the Internet and find live CnC servers for that malware family.
