What is Botnet and How does it works?


Hello everyone! In this article we are going to learn about what is botnet and how does it works. You may have heard about peoples saying that they DDoS’ed their target/victims with their botnet and took them down. However, In this article we are going to show you how do they execute attack over botnet.

What is Botnet?

Before we start in our own words, Let’s see what our beloved Wikipedia described about botnet.

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allow the attacker access to the device and its connection.

So let’s start. As mentioned above, Botnet is a network of “hacked” computers/servers that are used to execute Distributed Denial of Server(DDoS attack), steal data, send spam mails/viruses and etc. Botnet is controlled by a single individual who have access to all of his bots that have been under controlled by the virus the victim have downloaded. When a Internet user are being baited to download hack tools like “COC Hack tool latest 2017″,”Facebook Hack tool 100% working for all Windows.”, and etc, all those hack tools are fake and 75% of files are infected by viruses which helps the attacker to gain access to your PC without the permission of the user.

The graphic below explains 3 types of baiting done by the attacker to infect PC(s).

If your computer is part of a botnet, it’s infected with a type of malware. The bot contacts a remote server — or just gets into contact with other nearby bots — and waits for instructions from whoever is controlling the botnet. This allows an attacker to control a large number of computers for malicious purposes.

Computers in a botnet may also be infected with other types of malware, like keyloggers that record your financial information and send it to a remote server. What makes a computer part of a botnet is that it’s being controlled remotely along with many other computers. The botnet’s creators can decide what to do with the botnet later, direct the bots to download additional types of malware, and even have the bots act together.

You might become infected with a bot in the same way you’d become infected with any other piece of malware — for example, by running out-of-date software, using the extremely insecure Java browser plug-in, or downloading and running pirated software.


Botnet C&Cs

The C&Cs are the servers that deliver commands to the bots, directing them to targets and instructing them what to do. Traditionally, botnets operate under a client-server model, wherein the bots act as the botnet clients and the C&Cs act as the servers. There can be one or more Command and Control servers in a botnet.

Having multiple C&Cs provides redundancy and enables botnets to acquire high availability capabilities. Meaning, if one C&C goes down, the botnet clients can still receive commands from the other C&Cs. Nevertheless, having multiple C&Cs doesn’t make a client-server-type botnet indestructible. Its survival still relies heavily on the C&Cs. If the C&Cs are identified and eventually brought down, the entire botnet will be no more.

This is how massive botnets like Mariposa and Bredolab were dismantled. After their C&Cs were tracked down, the end of these malicious networks became imminent.

Today, many botnets follow a different architecture. To avoid total reliance on a group of C&Cs, these botnets now use a P2P model, wherein each botnet client also functions as a C&C. This type of botnet is much harder to take down.

Botnet Communications

Most bots communicate with their C&Cs using mostly these three communications protocols – Telnet, IRC (Internet Relay Chat) or HTTP (HyperText Transfer Protocol). Other botnets also employ other communication methods but these two are definitely the most commonly used.

IRC communications can be easily automated (using scripts). In addition, open source IRC servers are readily available. That’s why this protocol used to be a perfect fit for botnet creation and deployment. During infection, a typical botnet malware would install an IRC client, which in turn would then communicate with the IRC server on the C&C.

The characteristics of IRC, while a boon for botnet operations, has ironically also become many a botnet’s undoing. If you really think about it, Internet Relay Chat is no longer a common method of communication (most people now use Instant Messaging applications). And so, ever since IRC became associated with botnets, the presence of IRC packets has often raised red flags. Some system admins even started blocking IRC packets in their firewalls.

It is for this reason that malware writers have started to turn to a more firewall-friendly option as their botnet communication protocol of choice. And what network protocol can be more firewall-friendly than HTTP? All websites (including popular ones like Google, Facebook, and Amazon) all communicate via HTTP. So if a botnet uses HTTP, there’s a lower chance of it getting flagged down because, unlike IRC packets, HTTP packets don’t easily stand out.

Zeus, one of the most notorious botnets ever, communicated via HTTP. In fact, several exploit kits incorporate HTTP communications into their botnet malware payloads.

Botnet attacks

One of the most common botnet attacks is the DDoS or Distributed Denial of Service attack. In this type of attack, all bots send out requests to a target server with the purpose of overwhelming it and preventing legitimate requests from getting through or processed.

Another common botnet attack – in fact, arguably the most common cyber attack that employs botnets – is sending out tons of spam. In a typical spam attack, bots send out spam emails to target email addresses with the purpose of getting click-throughs and, ultimately, generating ad revenue.

Botnets can also be used to steal information from enslaved devices. Some bot clients operate as keyloggers that record end user keystrokes. Keyloggers can, for example, record the password characters an end user enters during login and then send this information to the bot herders.

Lastly, botnets can also be used for click fraud activities. Bot clients can click on ads and trick ad networks that the clicks came from legitimate end users.

Preventing botnet attacks

Botnet malware infections can be avoided by educating end-users about the risks and best practices of downloading email attachments and visiting web sites. Of course, this countermeasure has its limitations. Most end users find security practices too tedious and time consuming, and often disregard them. Further, some threats (like drive-by-downloads) are just too difficult to avoid.

The best way would is to employ advanced malware protection solutions. These solutions typically combine advanced network behaviour analysis and real time intelligence to detect even the most stealthy malware infections.

That’s all for now.

Also Read: Difference between DoS and DDoS.


  1. […] Denial of services occurs when a targeted computer/server is flooded with malicious traffic until the resources are exhausted and the system goes offline. Distributed Denial of Services are much similar with Denial Of Services but the difference is the DDoS i.e Distributed Denial of Service the attack is amplified by enlisting other machines/servers in the attack to take down the target. Most of large-scale attacks depends on botnets. […]


Please enter your comment!
Please enter your name here