Don't Connect Back - Beaconing Malware
Welcome bois and girls to what is in essence a little word of advice. I'm no expert on coding malware and I don't even consider myself a hardcore programmer. What I do know the most about (which is not much relative to some people) is networks and network security. So with these things in mind, I'm going to talk about a malware concept called beaconing. If you think about it for a minute you might guess what this means. So let's get to the meat of it.

To understand beaconing, you have to understand how malware communicates with its master. In the old days, malware would start listening on a victim machine's port much like a web server or email server. The malware owner would connect to this service and do whatever they wanted. This isn't used as much today with NAT being commonplace, halfway decent firewalls preventing incoming connections, and the fact that it's easy to see if a new service pops up on your box. So hackers being hackers, they adapted and started having malware connect back to them instead. It's fairly rare for a box to have any kind of egress filtering that will be good enough to prevent a connection back to a C&C server. It can be done of course, but that's typical for highly secure places like critical infrastructure of governments and companies. So this is the default today: connect back malware. So that was a boring history of malware. Why does it matter?
  Let's look at an example of connect back malware.
Code:
C&C          Victim

 __            __
|  | <------- |##|
----          ----

This is all fine, but there's at least one critical issue. The connection can be seen by a wily sysadmin or user and they could potentially determine it's malicious. Connections can be seen via netstat and other utilities, because the C&C and malware are maintaining a connection all the time. They may not realize it's bad of course, but we don't want to take that chance. The answer is beaconing. Beaconing is when the malware connects back to its C&C periodically to get instructions. PowerShell Empire is a good example that you can google and read about. Go check out its source code too. The chances of your malware's communications getting spotted are a lot less. The sysadmin or user would have to be watching at the exact time that the malware was calling back or see the tiny amount of traffic in logs of some form. This may not be a big issue if you're putting malware on your mom's laptop, but in corporate environments or governments this can mean the difference between getting caught or not. Companies will have firewalls, IDS, IPS, EDR, etc. If you have a ton of traffic generated by that constant connection, you're more likely to get seen. Beaconing is very hard to pick out of the massive amount of traffic flowing over the wire in big networks, especially if the traffic is well disguised to look just like all the other traffic.
Hope you enjoyed this thread. It was kind of short and a basic concept, but it'll help you if you're new. Peace out
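As an added example, not part of deviant's post: a small Python script that takes the defender's side of the point above, scanning outbound-connection log lines for the regular call-back timing that beaconing leaves behind. The log format, addresses, timestamps and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection records (firewall / NetFlow style):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>". Addresses are documentation ranges.
SAMPLE_LOG = """\
2021-02-08T18:00:00 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:00:07 10.0.0.5 -> 198.51.100.20:443
2021-02-08T18:01:00 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:02:01 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:02:45 10.0.0.5 -> 198.51.100.20:80
2021-02-08T18:03:00 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:03:59 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:05:00 10.0.0.5 -> 203.0.113.10:443
2021-02-08T18:09:30 10.0.0.5 -> 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_log(text):
    """Group connection timestamps by (src, dst, port); malformed lines are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            conns[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return conns

def beacon_score(timestamps):
    """Return (mean gap seconds, coefficient of variation) of the gaps between
    consecutive connections, or None if there are too few gaps to judge.
    A timer-driven callback gives a CV close to 0; human browsing does not."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps)

def find_beacons(text, min_connections=5, max_cv=0.2):
    """List (key, mean_gap, cv) for flows whose timing looks beacon-like.
    Thresholds are constructed defaults; tune them to the network's baseline."""
    hits = []
    for key, stamps in parse_log(text).items():
        score = beacon_score(stamps) if len(stamps) >= min_connections else None
        if score and score[1] <= max_cv:
            hits.append((key, round(score[0], 1), round(score[1], 3)))
    return hits
```

Jittered or sleep-randomised beacons raise the CV, so in practice this check is paired with others (connection count per day, byte-size uniformity, destination reputation) rather than used alone.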
Don't Connect Back - Beaconing Malware - by deviant - 02-08-2021, 06:00 PM