Home » Alerts » How Does a Botnet Attack Work?

Botnets are responsible for most of the cyber attacks encountering today. It responsible for executing cyber attacks including keylogging attempts, click fraud, DDoS and spam attacks. This article includes the information how a botnet attack works and gets a foothold into each botnet slave and how each botnet slave interact with the C&C servers, and how the complete botnet carries out impious acts.


Malware infection

Botnet is a network of infected computers that have malicious software and all the devices of network controlled by the malicious code known as bots. That’s really the term botnet has really come from. And so, this will be used if a large number of devices will be infected with malware and all of them will be internet-connected and will be communicating with each similar device to spread the infection and turning other devices into unwitting bots.

How you get maleware infection in the first place?

Many of the users don’t know how they get malware infection in the first place.  The way you get the infection depends on the type of device one use and what are one’s browsing habits. Most of the desktops, laptops, phones, and tablets devices typically get infections when you use them either:

  1. Explore a malicious site and download malware ignorantly (a.k.a. drive-by-download) or
  2. Download a file through website or an email without knowing that it’s actually malware (a.k.a. a trojan).

IoT devices get malware infection and usually get compromised once cyber criminals and hackers actively break into them. The attackers used automated tools to scan networks which have weak passwords, broke in through brute force attacks to ensnare IoT devices into the Mirai botnet and Mirai-wannabes and install the malware. Once attackers successfully infect a device and it becomes bots, attackers communicate with it using command and control servers or C&Cs to viral the infection to the other devices of the network.

Botnet C&Cs

The C&Cs are the servers that give commands to the bots, directing them to targets and instruct bots what to do. Traditionally, botnets work under a client-server model, wherein the C&Cs act as the servers and the bots act as the botnet clients. There is a possibility of having one or more Command and Control servers in a botnet.

Having multiple C&Cs brings more redundancy and enables botnets to obtain high availability capabilities. It means that the botnet clients can still receive commands from the other C&Cs if one C&C goes down. Moreover, having multiple C&Cs will not make a client-server-type botnet indestructible. Botnet survival relies on the C&Cs and the entire botnet will be no more if the C&Cs are identified and eventually brought down. This is the way how botnets gets in. To dismantle any malware, you need to track down their C&Cs.

Today, many botnets have a different architecture and to avoid total dependence on a group of C&Cs, now botnets use a P2P model, where every botnet client also works as a C&C. The botnet that use this type of architecture is very hard to track down.

Botnet Communications

To communicate with their C&Cs, most bots use either one of two communications protocols –HTTP (HyperText Transfer Protocol) or IRC (Internet Relay Chat). These two are the most commonly used protocols whereas other botnets may also use other communication methods.

Open source IRC servers are readily available and using scripts, IRC communications can be easily automated. This is the reason why this protocol is a perfect fit for botnet creation and deployment. A typical botnet malware would install an IRC client while your device will be getting infected, which in turn will then interact with the IRC server on the C&C. The characteristics of IRC are a blessing for botnet operations.

Ironically, it also has become many a botnet’s undoing as Internet Relay Chat is not a common method of communication any longer and most of the people are using Instant Messaging applications. Ever since, it has been noticed that IRC is associated with botnets, IRC packets presence has often raised red flags. Even a few system admins started blocking IRC packets in their firewalls. So now for the botnet communication protocol of choice, malware writers have started using more firewall-friendly option.

Can any network protocol can be more firewall-friendly than HTTP? Most of the popular websites communicate via HTTP and if a botnet uses HTTP, chances of getting flagged down are low because, unlike IRC packets, HTTP packets don’t easily stand out.

Botnet attacks

DDoS or Distributed Denial of Service attack is one of the most common botnet attacks. To overwhelm a target server and to prevent the server from getting through or processing legitimate requests, all bots send out requests to a target server and leave the infection using this method of attack.

Sending out tons of spam is another one of the most common cyber attack that employs botnets. In a typical spam attack, bots send out spam emails and messages to target email addresses and contact with the intention of getting click-throughs and generating ad revenue.

Botnets are also responsible for stealing information from enslaved devices and some of bot clients function as keyloggers for recording the keystrokes of end user to get to know the login details and confidential information. Botnets may be used for clicking on fraud contents and links.

How to prevent botnet attacks

The first step that one can follow to prevent botnet malware infections is by educating end-users about what is the best practice to access any information on the web, which type of links and emails they need to avoid or not to click on, which type of risk an online place has, etc.  Of course, there is some limitation of this countermeasure; moreover, most of the end users often disregard security practices as they find them too tedious and time consuming. Further, some threats such as drive-by-downloads are too difficult to avoid.

The best way to avoid such attacks and risks is employ an advanced malware and virus protection solutions like Norton Antivirus. This may prove the best practice for you as such solutions typically combine advanced network behavior analysis and real time intelligence for figuring out even the stealthiest malware infections.