Case Study, March 2, 2026

Command & Control

A Rust rootkit research demo focused on command-and-control behavior, obfuscation, and stealth techniques for controlled lab study.

Tags: Rust, Command and Control, Systems Programming, UDP

A controlled lab study of command-and-control behavior in Rust, with two binaries (commander and victim) communicating over a custom covert channel, built to understand how malicious software evades detection and how defenders can identify it.

The core stealth mechanism is a covert UDP channel where all data is encoded into IPv4/UDP header fields: the IP ID (16-bit data), IP TOS (session cookie), IP TTL (packet type), and UDP source port (sequence number). The UDP payload carries only a fixed 41-byte DNS stub that looks like a valid DNS A-record query for connectivity.ubuntu.com. To a passive observer or firewall, every packet resembles routine DNS traffic with no anomalous payload. The channel implements a full reliability layer: each data chunk is ACKed, out-of-order packets are buffered, and FIN/FIN-ACK handshakes handle clean teardown.
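The header-field encoding above is exactly what a passive sensor can turn into detection logic: the fields the channel repurposes (TTL, TOS, source port) are ones a legitimate resolver client holds constant or randomizes in well-known ways, and the fixed payload stub means the DNS transaction ID never changes. The following is an added defender-side example written for this page; it is not code from the case study. It parses raw IPv4/UDP datagrams and scores one source-to-resolver flow with four independent heuristics. The 41-byte stub, the 10.0.0.5 to 10.0.0.1 addresses and all header values in `demo()` are constructed sample input (the case study's actual stub bytes are not published here), and the `build_packet` helper exists only to produce that fixture for the parser.

```rust
// Added defender-side example (not code from the case study): parse IPv4/UDP
// datagrams and score one source->resolver flow for the header-field
// covert-channel indicators described above. Sample packets are constructed.
use std::collections::HashSet;

/// Header fields a passive sensor keeps from each IPv4/UDP datagram.
#[derive(Debug, Clone)]
pub struct Datagram {
    pub tos: u8,
    pub ip_id: u16,
    pub ttl: u8,
    pub src_port: u16,
    pub dst_port: u16,
    pub payload: Vec<u8>,
}

/// Parse a raw IPv4 packet carrying UDP; anything else yields None.
pub fn parse_ipv4_udp(bytes: &[u8]) -> Option<Datagram> {
    if bytes.len() < 20 || bytes[0] >> 4 != 4 { return None; }
    let ihl = (bytes[0] & 0x0f) as usize * 4;
    if ihl < 20 || bytes.len() < ihl + 8 || bytes[9] != 17 { return None; }
    let udp = &bytes[ihl..];
    let udp_len = u16::from_be_bytes([udp[4], udp[5]]) as usize;
    if udp_len < 8 || udp.len() < udp_len { return None; }
    Some(Datagram {
        tos: bytes[1],
        ip_id: u16::from_be_bytes([bytes[4], bytes[5]]),
        ttl: bytes[8],
        src_port: u16::from_be_bytes([udp[0], udp[1]]),
        dst_port: u16::from_be_bytes([udp[2], udp[3]]),
        payload: udp[8..udp_len].to_vec(),
    })
}

/// First question name of a DNS query (QR bit clear, no compression in QNAME).
pub fn dns_qname(payload: &[u8]) -> Option<String> {
    if payload.len() < 12 || payload[2] & 0x80 != 0 { return None; }
    let (mut labels, mut i) = (Vec::new(), 12);
    loop {
        let len = *payload.get(i)? as usize;
        if len == 0 { break; }
        if len & 0xc0 != 0 { return None; }
        labels.push(String::from_utf8_lossy(payload.get(i + 1..i + 1 + len)?).into_owned());
        i += 1 + len;
    }
    Some(labels.join("."))
}

/// Independent heuristics over one flow; a normal resolver client trips none.
pub fn score_flow(flow: &[Datagram]) -> Vec<&'static str> {
    let mut findings = Vec::new();
    if flow.len() < 3 || flow.iter().any(|d| d.dst_port != 53) { return findings; }
    // Real clients randomize the 16-bit DNS transaction ID per query, so a
    // byte-identical payload repeated across a flow is the fixed-stub signature.
    let payloads: HashSet<&[u8]> = flow.iter().map(|d| d.payload.as_slice()).collect();
    if payloads.len() == 1 { findings.push("identical DNS payload (fixed transaction ID) across flow"); }
    // One host reaches one sensor over one path, so the observed TTL should be
    // constant; per-packet variation means the TTL field carries data.
    let ttls: HashSet<u8> = flow.iter().map(|d| d.ttl).collect();
    if ttls.len() > 1 { findings.push("TTL varies within a single flow"); }
    if flow.iter().any(|d| d.tos != 0) { findings.push("non-zero IP TOS on DNS traffic"); }
    // Ephemeral ports are randomized per query; a +1 run reads as a counter.
    if flow.windows(2).all(|w| w[1].src_port == w[0].src_port.wrapping_add(1)) {
        findings.push("UDP source port increments by one per packet");
    }
    findings
}

/// Constructed 41-byte A query for connectivity.ubuntu.com (sample input only;
/// the case study's actual stub bytes are not published here).
pub fn dns_stub(txid: u16) -> Vec<u8> {
    let mut p = txid.to_be_bytes().to_vec();
    p.extend_from_slice(&[0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]); // RD=1, QDCOUNT=1
    for label in ["connectivity", "ubuntu", "com"] {
        p.push(label.len() as u8);
        p.extend_from_slice(label.as_bytes());
    }
    p.extend_from_slice(&[0, 0, 1, 0, 1]); // root label, QTYPE=A, QCLASS=IN
    p
}

/// Raw IPv4+UDP fixture 10.0.0.5 -> 10.0.0.1:53 with chosen header fields
/// (checksums left zero; this feeds the parser, it is never sent).
pub fn build_packet(tos: u8, ip_id: u16, ttl: u8, src_port: u16, payload: &[u8]) -> Vec<u8> {
    let mut b = vec![0x45, tos];
    b.extend_from_slice(&((28 + payload.len()) as u16).to_be_bytes());
    b.extend_from_slice(&ip_id.to_be_bytes());
    b.extend_from_slice(&[0x40, 0x00, ttl, 17, 0, 0, 10, 0, 0, 5, 10, 0, 0, 1]);
    b.extend_from_slice(&src_port.to_be_bytes());
    b.extend_from_slice(&53u16.to_be_bytes());
    b.extend_from_slice(&((8 + payload.len()) as u16).to_be_bytes());
    b.extend_from_slice(&[0, 0]);
    b.extend_from_slice(payload);
    b
}

/// Findings for a constructed covert-style flow and a constructed benign flow.
pub fn demo() -> (Vec<&'static str>, Vec<&'static str>) {
    let stub = dns_stub(0x1234);
    let covert: Vec<Datagram> = [(0x2a, 0x4142, 60, 40000), (0x2a, 0x4344, 61, 40001),
                                 (0x2a, 0x4546, 60, 40002), (0x2a, 0x4748, 62, 40003)]
        .iter().map(|&(tos, id, ttl, sp)| parse_ipv4_udp(&build_packet(tos, id, ttl, sp, &stub)).unwrap())
        .collect();
    let benign: Vec<Datagram> = [(0x9f31, 51234, 0x0a01), (0x9f32, 43877, 0x7c2e),
                                 (0x9f33, 60142, 0x3b90), (0x9f34, 38210, 0xd4f7)]
        .iter().map(|&(id, sp, tx)| parse_ipv4_udp(&build_packet(0, id, 64, sp, &dns_stub(tx))).unwrap())
        .collect();
    (score_flow(&covert), score_flow(&benign))
}
```

Each heuristic is weak on its own (a middlebox can rewrite TOS, and some embedded resolvers do reuse transaction IDs), so a sensor should alert on the combination rather than any single finding; the fixed-payload check is the strongest of the four because the stub never changes while a real client's transaction ID must. The IP ID is deliberately not scored: modern kernels already randomize it for datagrams with DF set, so it carries no usable baseline.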

On the victim side, the process disguises itself by enumerating /proc to collect the names of real running processes, then uses prctl to rename its own thread, writes directly to /proc/self/comm to rename the main thread as ps sees it, and overwrites the argv region in /proc/self/mem so ps aux and /proc/<pid>/cmdline both show the spoofed name. The commander supports a full remote control surface: file transfer in both directions, remote program execution, keylogger start/stop with log retrieval, recursive file and directory watching, and remote uninstall.
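All three surfaces the victim rewrites (the prctl thread name, /proc/self/comm and the argv region in /proc/self/mem) are ones an unprivileged process controls; the /proc/<pid>/exe link is not, because the kernel resolves it from the mapped executable. That asymmetry is the defender's check. The following is an added defender-side example written for this page, not code from the case study: a pure `classify` function compares comm and argv[0] against the exe link, and `scan_proc` walks a live /proc with it. The process names, paths and cmdline bytes used in the test are constructed.

```rust
// Added defender-side example (not code from the case study): cross-check the
// process-name surfaces a userland spoof can rewrite (comm, argv[0]) against
// the one it cannot, the /proc/<pid>/exe link the kernel derives from the
// mapped binary. Sample values are constructed.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// comm agrees with the binary the kernel actually mapped.
    Consistent,
    /// No exe link and an empty cmdline: a kernel thread, nothing to compare.
    KernelThread,
    /// exe link unreadable (usually EACCES without root); no conclusion.
    Unreadable,
    /// The mapped binary was unlinked after exec; exe ends in " (deleted)".
    ExeDeleted(String),
    /// The name the process presents does not match the binary it runs.
    Mismatch { comm: String, argv0: String, exe: String },
}

/// The kernel truncates comm to 15 bytes (TASK_COMM_LEN minus the NUL).
fn comm_of(name: &str) -> String { name.chars().take(15).collect() }

fn basename(p: &str) -> &str { p.rsplit('/').next().unwrap_or(p) }

/// Pure comparison over the three values so it can run on constructed input.
pub fn classify(comm: &str, cmdline: &[u8], exe: Option<&str>) -> Verdict {
    // cmdline is NUL-separated; argv[0] is the first element.
    let argv0 = cmdline.split(|&b| b == 0).next()
        .map(|s| String::from_utf8_lossy(s).into_owned()).unwrap_or_default();
    let exe = match exe {
        Some(e) => e,
        None if argv0.is_empty() => return Verdict::KernelThread,
        None => return Verdict::Unreadable,
    };
    if let Some(real) = exe.strip_suffix(" (deleted)") {
        return Verdict::ExeDeleted(real.to_string());
    }
    // Known benign triggers: shebang scripts (comm = script, exe = interpreter)
    // and symlinked binaries (comm = sh, exe = dash); allowlist those cases in
    // the caller rather than weakening the comparison itself.
    if comm == comm_of(basename(exe)) {
        Verdict::Consistent
    } else {
        Verdict::Mismatch { comm: comm.to_string(), argv0, exe: exe.to_string() }
    }
}

/// Walk a /proc root and return every pid that is not Consistent.
pub fn scan_proc(root: &Path) -> Vec<(u32, Verdict)> {
    let mut out = Vec::new();
    let entries = match fs::read_dir(root) { Ok(e) => e, Err(_) => return out };
    for entry in entries.flatten() {
        let pid: u32 = match entry.file_name().to_string_lossy().parse() {
            Ok(p) => p,
            Err(_) => continue, // not a pid directory
        };
        let dir = entry.path();
        let comm = fs::read_to_string(dir.join("comm")).unwrap_or_default();
        let cmdline = fs::read(dir.join("cmdline")).unwrap_or_default();
        let exe = fs::read_link(dir.join("exe")).ok().map(|p| p.to_string_lossy().into_owned());
        let verdict = classify(comm.trim_end(), &cmdline, exe.as_deref());
        if verdict != Verdict::Consistent { out.push((pid, verdict)); }
    }
    out
}

fn main() {
    // Run as root to get a readable exe link for every process.
    for (pid, verdict) in scan_proc(Path::new("/proc")) {
        println!("{}: {:?}", pid, verdict);
    }
}
```

`ExeDeleted` is reported separately because it is a distinct signal: a binary that unlinks itself after exec leaves nothing for a file scanner, but the mapped image is still recoverable from /proc/<pid>/exe while the process lives. The check assumes the scanner itself is running on an uncompromised kernel; a kernel-level rootkit could hide the process or fake the link, which is outside what this userland comparison can see.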

Highlights

  • Built a covert channel that encodes all data in IP/UDP header fields with a DNS-query payload stub, with no covert bytes in the packet body.
  • Implemented process identity spoofing across three surfaces (prctl, /proc/self/comm, /proc/self/mem argv region) so both ps and /proc show a believable system process name.
  • Delivered a full C2 command surface: bidirectional file transfer, remote exec, keylogger, inotify-based file/directory watcher, and clean remote uninstall.
  • Structured as a Cargo workspace with release builds using strip, lto, and opt-level = "s" to minimize the on-disk binary footprint.