Detecting Malware's Failover C&C Strategies with SQUEEZE


Matthias Neugschwandtner, Paolo Milani Comparetti, Christian Platzer


Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), December 2011


The ability to remote-control infected PCs is a fundamental component of modern malware campaigns. At the same time, the command and control (C&C) infrastructure that provides this capability is an attractive target for mitigation. In recent years, more or less successful takedown operations have been conducted against botnets employing both client-server and peer-to-peer C&C architectures. To improve their robustness against such disruptions of their illegal business, botnet operators routinely deploy redundant C&C infrastructure and implement failover C&C strategies. In this paper, we propose techniques based on multi-path exploration to discover how malware behaves when faced with the simulated take-down of some of the network endpoints it communicates with. We implement these techniques in a tool called SQUEEZE, and show that it allows us to detect backup C&C servers, increasing the coverage of an automatically generated C&C blacklist by 19.7%, and can trigger domain generation algorithms that malware implements for disaster-recovery.


  title     = {{Detecting Malware's Failover C\&C Strategies with SQUEEZE}},
  author    = {Neugschwandtner, Matthias and Milani Comparetti, Paolo and Platzer, Christian},
  booktitle = {Proceedings of the 27th Annual Computer Security Applications Conference},
  series    = {ACSAC},
  month     = {December},
  year      = {2011}