Hackers who write malware programs are often aware of malware detection techniques and design their malware programs with such techniques in mind. One protection technique is to use a blacklist in which known malware command and control infrastructure (e.g., from which malware commands are downloaded and/or to which private information is uploaded) is recorded. A company may use a blacklist to prevent internal devices (e.g., within a company's firewall or intranet) from communicating with external devices on the blacklist.
To avoid being identified and added to the blacklist, hackers may design their malware systems so that an infected device communicates with multiple malware command and control devices at any given time. This enables a covert bi-directional communication channel to the malware command and control infrastructure such that individual communication streams do not stand out statistically from legitimate communication streams.
Another detection avoidance technique is to change the set of malware command and control devices communicated with over time. Even if some or all of the malware command and control infrastructure is detected and added to the blacklist, the blacklist will only be effective until the next change. New malware detection techniques would therefore be desirable: techniques that can assist in detecting malware systems, including those that use multiple mobile command and control operators and/or change the set of malware command and control devices over time.