In this project you will develop a client and a server for covert command and control of, and data exfiltration from, an infected host [12]. You do not have to implement any actual malicious capability, only the communication part. The generated traffic should not stand out; ideally it should look like some innocuous communication.
You should implement the following capabilities:
- the transmission of commands to the victim (and the receipt of the corresponding responses)
- the asynchronous or periodic transmission of notifications from the victim to the attacker-controlled server
- the transmission of (potentially) large files between the victim and the attacker-controlled server
Your implementation should support at least one popular OS (e.g., Linux or Windows). Support for multiple OSes, or even multiple architectures (e.g., ARM), is welcome. The server can run on the same or a different platform, or even on a cloud provider or service. Your server should support communication with multiple (e.g., hundreds of) clients.
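As an added example (not part of the assignment and not from any of the referenced projects), the following Python sketch shows a minimal framing layer for the three capabilities above: typed frames for commands, responses and notifications, a stream parser that copes with frames arriving in arbitrary pieces (as over TCP) and drops corrupted frames, and a chunked file transfer whose receiver tolerates out-of-order and duplicate chunks and verifies a SHA-256 digest before accepting the file. The frame layout, field sizes, message-type numbers and the `file_done` notification format are this example's own choices.

```python
"""Minimal C&C framing: commands/responses, notifications, chunked file transfer.

Frame layout (example choice): 1-byte type | 4-byte seq | 2-byte length | payload | 4-byte CRC32.
The CRC covers everything before it, so the receiver can discard truncated or corrupted frames.
"""
import hashlib
import json
import struct
import zlib

# Message types carried in the frame header (example choices).
CMD, RESP, NOTIFY, FILE_CHUNK = 1, 2, 3, 4

HEADER = struct.Struct("!BIH")      # type, sequence number, payload length
TRAILER = struct.Struct("!I")       # CRC32
CHUNK_HDR = struct.Struct("!HII")   # file_id, total_chunks, chunk_index (prefix of a FILE_CHUNK payload)


def pack_frame(mtype, seq, payload):
    """Build one frame for a command, response, notification or file chunk."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    body = HEADER.pack(mtype, seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


class FrameParser:
    """Reassembles complete frames from a byte stream delivered in arbitrary-sized pieces."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        """Append received bytes; return a list of (type, seq, payload) for every complete, valid frame."""
        self.buf += data
        frames = []
        while len(self.buf) >= HEADER.size:
            mtype, seq, length = HEADER.unpack_from(self.buf, 0)
            total = HEADER.size + length + TRAILER.size
            if len(self.buf) < total:
                break                                   # wait for the rest of this frame
            body = bytes(self.buf[:HEADER.size + length])
            (crc,) = TRAILER.unpack_from(self.buf, HEADER.size + length)
            del self.buf[:total]
            if zlib.crc32(body) & 0xFFFFFFFF != crc:
                continue                                # corrupted frame: drop it, never act on it
            frames.append((mtype, seq, body[HEADER.size:]))
        return frames


def file_to_frames(file_id, data, first_seq=0, chunk_size=1024):
    """Split a (potentially large) file into FILE_CHUNK frames followed by a NOTIFY carrying its SHA-256."""
    n = max(1, (len(data) + chunk_size - 1) // chunk_size)
    frames = []
    for i in range(n):
        piece = data[i * chunk_size:(i + 1) * chunk_size]
        frames.append(pack_frame(FILE_CHUNK, first_seq + i, CHUNK_HDR.pack(file_id, n, i) + piece))
    done = json.dumps({"event": "file_done", "file_id": file_id,
                       "sha256": hashlib.sha256(data).hexdigest()}).encode()
    frames.append(pack_frame(NOTIFY, first_seq + n, done))
    return frames


class FileReassembler:
    """Collects chunks per file_id; duplicates overwrite, order does not matter."""

    def __init__(self):
        self.parts = {}       # file_id -> {chunk_index: bytes}
        self.expected = {}    # file_id -> total_chunks

    def on_chunk(self, payload):
        file_id, total, idx = CHUNK_HDR.unpack_from(payload, 0)
        self.expected[file_id] = total
        self.parts.setdefault(file_id, {})[idx] = payload[CHUNK_HDR.size:]

    def on_done(self, payload):
        """Return the verified file bytes, or None if chunks are missing or the digest mismatches."""
        info = json.loads(payload.decode())
        fid = info["file_id"]
        parts = self.parts.get(fid, {})
        if len(parts) != self.expected.get(fid):
            return None
        data = b"".join(parts[i] for i in range(self.expected[fid]))
        return data if hashlib.sha256(data).hexdigest() == info["sha256"] else None


def transfer(data, chunk_size=1024, piece=700, corrupt_at=None):
    """End-to-end demo: frame a file, feed the stream to a parser in `piece`-byte slices, reassemble and verify.

    `corrupt_at` flips one byte of the stream to simulate on-the-wire corruption; the affected
    frame is then dropped and the transfer fails closed (returns None) instead of yielding bad data.
    """
    stream = bytearray(b"".join(file_to_frames(7, data, chunk_size=chunk_size)))
    if corrupt_at is not None:
        stream[corrupt_at] ^= 0xFF
    parser, rx = FrameParser(), FileReassembler()
    result = None
    for off in range(0, len(stream), piece):
        for mtype, _seq, payload in parser.feed(bytes(stream[off:off + piece])):
            if mtype == FILE_CHUNK:
                rx.on_chunk(payload)
            elif mtype == NOTIFY:
                result = rx.on_done(payload)
    return result


if __name__ == "__main__":
    sample = bytes(range(256)) * 20          # constructed 5 KB "file"
    print("ok" if transfer(sample, chunk_size=100, piece=37) == sample else "mismatch")
```

This layer is deliberately independent of the carrier: the same frames can be sent over a raw socket, tucked into the body of an innocuous-looking HTTP exchange, or embedded in a steganographic cover, which is where the detection-evasion work of the project goes. A real implementation would also encrypt and authenticate each frame (the CRC only catches accidental corruption, not tampering) and bound how many partial files a server keeps in memory, since hundreds of clients can otherwise exhaust it with never-completed transfers.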
The goal of your implementation is to prevent easy detection of the C&C and exfiltration traffic. You can follow any strategy you want, such as pretending that the traffic belongs to some other application (e.g., a video game or a chat application). Another approach is to hide the communication inside existing (or fake) communication with online services (e.g., Twitter, Facebook, blogs). In any case, the traffic should not stand out or look suspicious. Possible approaches include:
- relying on a popular online/cloud service to hide the server
- using steganography [13] to hide commands or exfiltrated data
- adaptive rate limiting of the covert traffic according to the legitimate traffic patterns and activity of the victim host
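As an added example of the steganography approach (written for this page, not taken from the assignment or from [13]), the Python code below hides a command in the least significant bits of an image's pixel bytes and recovers it on the other side. The cover image is a constructed raw RGB buffer so that the example runs offline; with a library such as Pillow the same bytes would come from `Image.tobytes()` and go back through `Image.frombytes()`. The 4-byte length prefix, the bit order and the sequential embedding are this example's own choices.

```python
"""LSB steganography over a raw RGB byte buffer: one payload bit per cover byte.

The hidden message is a 4-byte big-endian length prefix followed by the payload,
so the extractor knows how many bits to read without any side channel.
"""
import random
import struct


def capacity_bytes(cover):
    """Largest payload (in bytes) that fits in `cover`: one bit per cover byte, minus the length prefix."""
    return len(cover) // 8 - 4


def embed(cover, payload):
    """Return a copy of `cover` whose LSBs carry the length-prefixed `payload`; no byte changes by more than 1."""
    message = struct.pack("!I", len(payload)) + payload
    if len(message) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(message) * 8} bytes, have {len(cover)}")
    out = bytearray(cover)
    for i, byte in enumerate(message):
        for bit in range(8):                      # most significant bit of each byte first
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract(stego):
    """Read the length prefix, then that many payload bytes, from the LSBs of `stego`."""
    def read_bytes(start, count):
        vals = bytearray()
        for i in range(count):
            b = 0
            for bit in range(8):
                b = (b << 1) | (stego[(start + i) * 8 + bit] & 1)
            vals.append(b)
        return bytes(vals)

    (length,) = struct.unpack("!I", read_bytes(0, 4))
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds cover size: not a stego image, or corrupted")
    return read_bytes(4, length)


def make_cover(width, height, seed=1234):
    """Constructed RGB cover (not a real photo): a gradient with a little noise, so LSBs are not all zero."""
    rng = random.Random(seed)
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes((
                (x * 255 // max(1, width - 1) + rng.randrange(4)) & 0xFF,
                (y * 255 // max(1, height - 1) + rng.randrange(4)) & 0xFF,
                (128 + rng.randrange(4)) & 0xFF,
            ))
    return bytes(buf)


def changed_bytes(a, b):
    """Number of positions where two equal-length buffers differ (how much the cover was touched)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover(64, 64)                              # 64x64 RGB = 12288 bytes
    command = b'{"cmd": "ls", "args": ["/tmp"]}'            # constructed C&C command
    stego = embed(cover, command)
    print(extract(stego), changed_bytes(cover, stego), "bytes changed of", len(cover))
```

Two caveats a practitioner will want: LSB embedding only survives lossless formats (PNG, BMP), since JPEG recompression rewrites the low bits; and filling the cover sequentially from the first byte, as above, produces a statistical signature that standard steganalysis (chi-square and RS tests) picks up, so a deployable channel spreads the bits over pseudo-randomly chosen positions derived from a key and keeps the payload well below `capacity_bytes()`. Capacity is also the limiting factor for exfiltrating large files: the cover must be roughly eight times the size of the data it carries, which is why such channels favour many small uploads to a service that already receives images from the victim.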
[1] https://hovav.net/ucsd/dist/geometry.pdf
[2] https://edmcman.github.io/papers/usenix11.pdf
[3] http://shell-storm.org/talks/ROP_course_lecture_jonathan_salwan_2014.pdf
[4] http://shell-storm.org/project/ROPgadget/
[5] https://github.com/pakt/ropc
[6] https://angelosk.github.io/Papers/2007/polymorph.pdf
[7] http://phrack.org/issues/61/9.html
[8] https://github.com/K2/ADMMutate
[9] https://www.piotrbania.com/all/tapion/
[10] https://github.com/cryptolok/MorphAES
[11] https://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
[12] https://azeria-labs.com/command-and-control/
[13] https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels.pdf
http://www.capstone-engine.org/
http://www.keystone-engine.org/
http://www.unicorn-engine.org/
https://github.com/gdabah/distorm
http://www.radare.org/