How to check and analyze Command and Control (C&C) callback detection

Updated: 18 Jun 2020

Product/Version:
    • Apex One 2019
    • Deep Security 9.6, 10.0, 11.0, 12.0, 12.5
    • OfficeScan 11.0, OfficeScan XG
    • Worry-Free Business Security Services (all versions)
    • Worry-Free Business Security Standard 9.0, 9.5, 10.0
Summary

Command and Control (C&C) servers are used by cybercriminals to send commands to systems compromised by malware and to receive information stolen from the target network. When the product detects a C&C callback, the host may be infected. This article explains how to read the detection log and what to do in case of a C&C callback detection.

Details

First identify the traffic that was detected as a C&C callback in the Suspicious Connection / Network Content Inspection (NCIE) log.

  1. Open the OfficeScan / Apex One web console and go to Logs > Agents > Security Risks. Select the particular machine, group or the ‘OfficeScan Server’ hierarchy, then click View Logs > Suspicious Connection/Network Content Inspection logs.
  2. Set the time period to the date on which the C&C detection occurred, or to a span that includes it.
  3. Click Display Logs.
  4. Click Export All to CSV.

Below is an example of a Suspicious Connection / NCIE log.

From the Suspicious Connection/NCIE log, the important fields to check are:

  • Local IP/User-defined C&C list – The local endpoint on which the security agent is installed (for user-defined list matches, the address from that list).
  • Remote IP – The remote endpoint/device that is either the source or the destination of the detected traffic.
  • Result – The action the security agent took on the traffic: ‘Logged’ (the traffic was allowed through and only recorded) or ‘Blocked’.
  • List Source – Which list or inspection rule matched, and therefore what kind of traffic was detected.
     
    Note that the type of traffic (request or response), taken together with the direction, tells you which side actually initiated the connection.
    If the detected traffic is a ‘response’ and the direction is ‘outgoing’, the local host is answering a request that came in from the remote IP, so the malicious traffic originated from the remote IP. Conversely, an ‘incoming’ response means the local host sent the request.
     
  • Traffic Direction – Where the traffic comes from and where it is going.
     
    Incoming means the traffic is from the remote IP going to the local IP / user-defined C&C list IP.
    Outgoing means the traffic is from the local IP / user-defined C&C list IP going to the remote IP.
     
  • C&C traffic coming from a public IP to an IP that is part of your network:

    Below is an example of traffic coming from public IPs.

    Follow these steps:

    1. Check whether the IP address that is part of your network is supposed to be reachable from the public Internet.
    2. If it should not be reachable, find out why external traffic is arriving at it. A misconfiguration in routing, NAT or firewall rules is a likely cause.
    3. If the host is intentionally exposed and provides a service, for example as a web or DNS server, that exposure is the reason for the detection.
      Note that anyone on the Internet can send traffic (benign or malicious) to machines that are open to the public. Threat actors do this as part of their reconnaissance, probing the Internet for vulnerable machines that can be targeted; this scanning is largely automated and indiscriminate, so a single inbound detection does not by itself mean the host was singled out.
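The triage described above (request/response plus direction to find the initiating side, then public versus internal remote IP to decide whether you are looking at inbound probing or an outbound callback) is easy to apply to the exported CSV in bulk. The script below is an added example and not part of the original article or of any Trend Micro tool. The sample rows are constructed; the column headers, the "List Source" values and the `INTERNAL_NETWORKS` range are assumptions, so adjust them to match your own export. Documentation address ranges stand in for public Internet addresses.

```python
import csv
import io
import ipaddress

# Constructed sample of an exported Suspicious Connection / NCIE log.
# Column names mirror the fields named in the article; the exact header
# text, timestamps and "List Source" values are assumptions.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
# as stand-ins for public Internet addresses.
SAMPLE_CSV = """\
Date/Time,Local IP/User-defined C&C list,Remote IP,Traffic Direction,Traffic Type,List Source,Result
2020-06-10 09:12:01,10.1.2.30,203.0.113.45,Incoming,Request,Global C&C IP list,Logged
2020-06-10 09:12:05,10.1.2.30,203.0.113.45,Outgoing,Response,Global C&C IP list,Logged
2020-06-10 10:40:17,10.1.2.51,198.51.100.7,Outgoing,Request,Global C&C IP list,Blocked
2020-06-10 11:03:44,10.1.2.8,10.1.5.200,Incoming,Request,User-defined C&C IP list,Blocked
"""

# Address space that counts as "part of your network" (assumed for the demo).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LOCAL_COL = "Local IP/User-defined C&C list"


def parse_records(csv_text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_internal(ip_text):
    """True if the address falls inside the organisation's own ranges."""
    ip = ipaddress.ip_address(ip_text.strip())
    return any(ip in net for net in INTERNAL_NETWORKS)


def originator(record):
    """Which side started the conversation: 'local' or 'remote'.

    An outgoing response means the local host is answering a request that
    arrived from the remote IP, so the remote side initiated it; an
    incoming response means the local host sent the request.
    """
    traffic_type = record["Traffic Type"].strip().lower()
    direction = record["Traffic Direction"].strip().lower()
    if traffic_type == "request":
        return "remote" if direction == "incoming" else "local"
    if traffic_type == "response":
        return "remote" if direction == "outgoing" else "local"
    raise ValueError(f"unknown traffic type {record['Traffic Type']!r}")


ACTIONS = {
    "inbound_public": "confirm the local host should be reachable from the "
                      "Internet; check List Source for the exploit and patch "
                      "if the host is vulnerable",
    "inbound_internal": "another internal host is probing this one; "
                        "investigate the remote host",
    "outbound_callback": "local host initiated contact with a C&C address; "
                         "treat it as possibly infected, isolate and scan",
    "outbound_internal": "local host contacted an internal address on the "
                         "C&C list; find out why",
}


def triage(record):
    """Classify one log line and say what to do about it."""
    who = originator(record)
    remote_internal = is_internal(record["Remote IP"])
    if who == "remote":
        verdict = "inbound_internal" if remote_internal else "inbound_public"
    else:
        verdict = "outbound_internal" if remote_internal else "outbound_callback"
    return {
        "local_ip": record[LOCAL_COL].strip(),
        "remote_ip": record["Remote IP"].strip(),
        "originator": who,
        "verdict": verdict,
        # "Logged" means the agent let the traffic through.
        "allowed": record["Result"].strip().lower() != "blocked",
        "list_source": record["List Source"].strip(),
        "action": ACTIONS[verdict],
    }


def hosts_to_isolate(records):
    """Local IPs that initiated contact with an external C&C address."""
    return sorted({t["local_ip"] for t in map(triage, records)
                   if t["verdict"] == "outbound_callback"})


if __name__ == "__main__":
    rows = parse_records(SAMPLE_CSV)
    for t in map(triage, rows):
        state = "allowed" if t["allowed"] else "blocked"
        print(f"{t['local_ip']:<12} {t['remote_ip']:<15} "
              f"{t['verdict']:<18} {state:<8} {t['action']}")
    print("isolate:", hosts_to_isolate(rows))
```

The first two sample rows show why the request/response column matters: the outgoing ‘Response’ from 10.1.2.30 is still attributed to the external address, because the local host is only answering. Only the third row, an outgoing ‘Request’ to an external address, is an actual callback, and that is the host the script lists for isolation. A ‘Logged’ inbound row means the traffic reached the host, so the patch check under Recommendations applies to it even though no callback occurred.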

Recommendations

  • Check the ‘List Source’ field to find out what was detected. If the detected traffic is an exploit attempt, check whether the device/machine on which the detection occurred is vulnerable to it.
  • If the device/machine is vulnerable to the detected exploit traffic, patch it. If it is not vulnerable, the exploit attempt should not succeed, but the detection still shows that the host is being probed and is worth tracking.
  • Deploying a Web Application Firewall (WAF) and/or an Intrusion Prevention System (IPS) helps scan and filter malicious traffic before it reaches machines that are open to the public.

For more information about C&C detection, see the article What to do in case of Command and Control (C&C) callback detection. You may also file a support case for further assistance and attach the exported Suspicious Connection / NCIE logs.

Category:
Remove a Malware / Virus
Solution Id:
000256626