Robert Conley

An Introduction to Botnets

Blog Post created by Robert Conley on Jun 9, 2017

What is a botnet?

The term botnet is derived from the words robot and network. A bot, sometimes referred to as a zombie, is an individual device connected to an Internet Protocol (IP) network, typically the internet. Historically, this meant that desktop computers, laptops, printers, home routers, etc. were vulnerable to becoming a bot.

Today, however, as the Internet of Things (IoT) evolves, our household devices are increasingly connected to the Internet. This means that the candidate list of potential botnet devices has greatly expanded. Included now are web cams, baby monitoring controls, and even toasters. After a device becomes infected with botnet malware, it can be leveraged via its network connectivity to conduct a slew of unauthorized and malicious activities.


Botnet herders are actors who control bots remotely. They set up and deploy command and control (C&C) servers, and these serve as the interface to the bots. Coded within the botnet malware are C&C check-in IP addresses, schedules, and instructions. Their purpose is to establish communications channels from the herders to the bots. For example, IRC channels are frequently employed for this purpose. After communications are set up, the compromised hosts are often further organized and issued updated instructions. They have now become an organized group of hosts under centralized control. Figure 1 shows the elements of a botnet.



Figure 1
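The scheduled C&C check-ins described above are also something a defender can look for. The following is an added example, not code from the original post: it flags internal hosts that contact the same destination at near-constant intervals. The flow records, thresholds and the name find_beacons are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, internal_host, destination_ip).
# Destinations use RFC 5737 documentation ranges; none are real indicators.
SAMPLE_FLOWS = (
    # 10.0.0.23 checks in roughly every 300 s with a few seconds of jitter
    [(1000 + i * 300 + j, "10.0.0.23", "203.0.113.50")
     for i, j in enumerate([0, 4, -3, 2, -5, 1, 3, -2, 0, 5])]
    # 10.0.0.7 browses a site at irregular, human-driven intervals
    + [(t, "10.0.0.7", "198.51.100.20")
       for t in (1010, 1025, 1900, 1930, 2700, 4100, 4105, 4800)]
    # only two connections: too few to judge regularity
    + [(1500, "10.0.0.7", "192.0.2.9"), (3300, "10.0.0.7", "192.0.2.9")]
)

def find_beacons(flows, min_events=6, max_cv=0.1, min_period=30):
    """Return (host, dest, mean_gap_seconds, cv) for regular check-in pairs.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    consecutive connections. A coded schedule produces a low cv; ordinary
    user traffic does not. Thresholds here are assumptions to tune per network.
    """
    times = defaultdict(list)
    for ts, host, dest in flows:
        times[(host, dest)].append(ts)

    hits = []
    for (host, dest), stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough samples to call anything periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # rapid bursts, not a scheduled check-in
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((host, dest, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible C&C check-in:", hit)
```

Legitimate software (update checks, NTP, monitoring agents) also polls on a schedule, so results need an allowlist of known destinations before they are treated as alerts.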



According to the Internet Society:

"Botnets are a complex and continuously evolving challenge to user confidence and security on the Internet. Combating botnets requires cross-border and multidisciplinary collaboration, innovative technical approaches, and the widespread deployment of mitigation measures that respect the fundamental principles of the Internet" [1].


There are two types of botnets, involuntary and voluntary. A botnet that consists of willing participants is a voluntary botnet. In this model, frequently used by hacktivists, users willingly allow their computers to become bots. They permit a third party not only to gain remote access and full control, but also to use the computer for any purpose. Typically this involves illicit activities.


In contrast is the involuntary model. It will be the focus of this blog post as well as any follow-up posts. In it, consent is not given to use a computer's resources. It consists of users who are unaware that their computers have been compromised. To accomplish this, a threat actor must deliver malware to victims. Exploit kits, trojans or phishing scams are commonly employed to complete this step. If successful, the computer becomes infected, which opens the door for the payload delivery, a bot executable. If this step succeeds, then a new bot has been enlisted.



Current State

Rustock, Conficker, and Zeus are some of the best-known botnets. They infected thousands of computers worldwide from 2006 to 2011. Others came before them. Botnets have long been an ongoing concern for internet security. They're frequently used for spam marketing, phishing, password stealing, and hijacking financial data.


Most recently, botnets made headline news when major DDoS (distributed denial of service) attacks were aimed at two notable websites. The first attack, against krebsonsecurity.com [2], was in retaliation for its author's continuing work and to demonstrate the at-scale efficacy and impact of the Mirai botnet. The second, the Dyn attack, disrupted internet traffic on the U.S. East Coast for an entire business day [3]. Botnets facilitated both of these attacks. They were instructed to flood their targets with massive amounts of TCP and UDP requests, the goal being to knock them out of service. They succeeded.


Botnets are not, however, invincible, and there have been numerous takedowns throughout the years. Most recently, in April 2017, the Kelihos botnet was shut down after a lengthy law enforcement process [4]. Kelihos was associated with cybercriminal activities that included spam e-mail and ransomware. In spite of such takedown efforts, hackers continue adding features and functionality to botnets. They're motivated by financial gain, and this drives them to innovate in order to stay one step ahead of law enforcement as well as detection and remediation technologies.


For example, a decentralized or peer-to-peer command structure is being used more frequently [5]. In it, each bot serves as both a C&C client and server. This multiplies the communication channels and makes them redundant. Plus, it eliminates a single point of failure. As previously discussed, tapping into the Internet of Things (IoT) has presented an array of possible new recruits. Many security researchers are currently monitoring port scans and brute-force password attacks on many home networks that are attempting to convert benign devices into zombies [6].



Botnet Tracking

There are a number of online resources designed to track and report on botnet activities. Table 1 presents a few of them, but many others exist. Each one offers information in a slightly different format. From them, you can learn at a glance which botnets are active, their location, statistics, and other pertinent information.


Table 1




This article is the first in a series about botnets.  Future articles will cover individual aspects of botnets, current campaigns they support, and related malware. 



Thanks to Kevin Stear and Ray Carney for their contributions to this blog post.