How Does A Botnet Attack Work?

Botnets are responsible for many of the cyber attacks we encounter these days, from DDoS and spam attacks to keylogging and click fraud. In today’s post, we take a closer look at how a botnet attack works – how the malware gains a foothold on each botnet slave, how each slave communicates with the C&C servers, and how the entire botnet carries out its nefarious acts.


Malware infection

All botnets are networks of enslaved devices known as “bots”. That’s really where the term “botnet” comes from. And so, before a botnet comes into existence, a large number of devices must first be infected with malware that turns these devices into unwitting bots (a.k.a. zombies).

So how do these devices get infected in the first place? Well, it depends on the type of device. In the case of desktops, laptops, phones, and tablets, these devices typically get infected when the people using them either:

  1. Visit a malicious site and download malware without noticing it (a.k.a. drive-by-download) or
  2. Consciously download a file through an email or website without knowing it’s actually malware (a.k.a. a trojan).

In the case of IoT devices, they usually get compromised after attackers actively break into them. For example, in the attacks that ensnared IoT devices into the Mirai botnet and its imitators, the attackers used automated tools that scanned networks for weak passwords, broke in through brute force, and installed the malware.

Once devices become infected and become bots, they then communicate with the command and control servers or C&Cs.


Botnet C&Cs

The C&Cs are the servers that deliver commands to the bots, directing them to targets and instructing them what to do. Traditionally, botnets operate under a client-server model, wherein the bots act as the botnet clients and the C&Cs act as the servers. There can be one or more Command and Control servers in a botnet.

Having multiple C&Cs provides redundancy and gives the botnet high availability: if one C&C goes down, the botnet clients can still receive commands from the other C&Cs. Nevertheless, having multiple C&Cs doesn’t make a client-server-type botnet indestructible. Its survival still relies heavily on the C&Cs. If the C&Cs are identified and eventually brought down, the entire botnet will be no more.

This is how massive botnets like Mariposa and Bredolab were dismantled. After their C&Cs were tracked down, the end of these malicious networks became imminent.

Today, many botnets follow a different architecture. To avoid total reliance on a group of C&Cs, these botnets now use a P2P model, wherein each botnet client also functions as a C&C. This type of botnet is much harder to take down.


Botnet Communications

Most bots communicate with their C&Cs using either one of two communications protocols – IRC (Internet Relay Chat) or HTTP (HyperText Transfer Protocol). Other botnets also employ other communication methods but these two are definitely the most commonly used.

IRC communications can be easily automated (using scripts). In addition, open source IRC servers are readily available. That’s why this protocol used to be a perfect fit for botnet creation and deployment. During infection, a typical botnet malware would install an IRC client, which in turn would then communicate with the IRC server on the C&C.

The characteristics of IRC, while a boon for botnet operations, have ironically also become many a botnet’s undoing. If you really think about it, Internet Relay Chat is no longer a common method of communication (most people now use Instant Messaging applications). And so, ever since IRC became associated with botnets, the presence of IRC packets has often raised red flags. Some system admins even started blocking IRC packets in their firewalls.

It is for this reason that malware writers have started to turn to a more firewall-friendly option as their botnet communication protocol of choice. And what network protocol can be more firewall-friendly than HTTP? All websites (including popular ones like Google, Facebook, and Amazon) communicate via HTTP. So if a botnet uses HTTP, there’s a lower chance of it getting flagged because, unlike IRC packets, HTTP packets don’t easily stand out.

Zeus, one of the most notorious botnets ever, communicated via HTTP. In fact, several exploit kits incorporate HTTP communications into their botnet malware payloads.
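Because admins block IRC by port, a bot herder can simply run the IRC C&C on 80 or 8080, so the check a defender actually wants is port-agnostic: look for the IRC registration commands in the first bytes a client sends. The following is an added example written for this post (not the post’s own code); the flow records, addresses and payloads are constructed.

```python
import re
from dataclasses import dataclass

# IRC commands a bot sends when registering with a C&C and joining its command
# channel (RFC 1459). Matching on the payload rather than the port catches bots
# whose operators moved the IRC server to 80/443/8080 to evade port-based blocks.
IRC_CMD = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PASS|PRIVMSG|NOTICE|PING|PONG)(\s|$)",
                     re.IGNORECASE)
IRC_PORTS = {6667, 6697}  # conventional plaintext / TLS IRC ports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def looks_like_irc(payload: bytes) -> bool:
    """True when the first two non-empty lines both parse as IRC commands."""
    lines = [line for line in payload.split(b"\r\n") if line.strip()]
    if len(lines) < 2:
        return False
    return all(IRC_CMD.match(line) for line in lines[:2])


def classify(flow: Flow) -> str:
    """Label a flow: 'irc-standard-port', 'irc-nonstandard-port' or 'other'."""
    if not looks_like_irc(flow.payload):
        return "other"
    return "irc-standard-port" if flow.dport in IRC_PORTS else "irc-nonstandard-port"


def find_irc_suspects(flows):
    """Return (src, dst, dport, label) for every flow carrying IRC commands."""
    labelled = ((f, classify(f)) for f in flows)
    return [(f.src, f.dst, f.dport, lab) for f, lab in labelled if lab != "other"]


# Constructed sample flows (documentation-range addresses), not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.9", 6667, b"NICK bot-0042\r\nUSER bot 0 * :bot\r\n"),
    # IRC handshake on an HTTP port: the case a port-based firewall rule misses.
    Flow("10.0.0.7", "203.0.113.4", 8080, b"PASS s3cret\r\nNICK bot-0043\r\nJOIN #cmd\r\n"),
    Flow("10.0.0.8", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.11", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for hit in find_irc_suspects(SAMPLE_FLOWS):
        print(hit)
```

The second flow is the interesting one: a port-based rule sees ordinary traffic to 8080, while the payload check flags it as IRC on a non-standard port.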


Botnet attacks

One of the most common botnet attacks is the DDoS or Distributed Denial of Service attack. In this type of attack, all bots send out requests to a target server with the purpose of overwhelming it and preventing legitimate requests from getting through or processed.

Another common botnet attack – in fact, arguably the most common cyber attack that employs botnets – is sending out tons of spam. In a typical spam attack, bots send out spam emails to target email addresses with the purpose of getting click-throughs and, ultimately, generating ad revenue.

Botnets can also be used to steal information from enslaved devices. Some bot clients operate as keyloggers that record end user keystrokes. Keyloggers can, for example, record the password characters an end user enters during login and then send this information to the bot herders.

Lastly, botnets can also be used for click fraud activities. Bot clients can click on ads and trick ad networks that the clicks came from legitimate end users.


Preventing botnet attacks

Botnet malware infections can be avoided by educating end users about the risks and best practices of downloading email attachments and visiting websites. Of course, this countermeasure has its limitations. Most end users find security practices too tedious and time consuming, and often disregard them. Further, some threats (like drive-by-downloads) are just too difficult to avoid.

The best approach is to employ advanced malware protection solutions. These solutions typically combine network behaviour analysis and real-time intelligence to detect even the most stealthy malware infections.

Mirai Isn’t the Only IoT Botnet You Should Worry About

IoT botnets have been responsible for multiple record-breaking DDoS attacks that managed to cripple even some of the most resilient networks in the world.

So far, the largest attacks have been caused by one particular malware family – Mirai. Although the original botnet is probably on its way out, its offspring and competitors in the malware trade are on the rise.




Record breaking DDoS attacks

Mirai’s claim to fame included massive attacks on the Krebs On Security site (620 Gbps), French web host OVH (1 Tbps), and DNS provider Dyn (1.2 Tbps). That attack on Dyn, the largest DDoS on record (for now), prevented users in Europe and North America from connecting to a large number of popular sites.

Twitter, Amazon, CNN, PayPal, Reddit, Visa, SoundCloud, and AirBnB were just some of the many high-profile sites that were affected by that single attack.

Mirai malware source code

There seemed to be a sliver of good news when a Hackforums user, whom some believed was the creator of Mirai, expressed intention of hanging up his/her cape. Going by the nickname of “Anna-senpai”, the user posted that when he/she first entered into the DDoS industry, he/she “wasn’t planning on staying in it long.”, adding that “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO”

But as it turned out, the entire announcement was really a portent of what could potentially be an even greater threat. The user continued the post saying, “So today, I have an amazing release for you…”. That release turned out to be the source code of the Mirai malware itself. The source code can now be found on Github.

So with the Mirai source code out in the open, what else could anyone expect? Naturally, it shouldn’t take long for other miscreants to develop their own versions of IoT botnet malware.

That’s probably what happened here…



Very recently, a botnet with similar characteristics to Mirai was discovered by researchers at a white hat security research group. Dubbed Linux/IRCTelnet, this botnet snags IoT devices by taking advantage of the default passwords hard-coded in them. These passwords are usually weak (and hence easily broken by brute force attacks) or have already been disclosed in hacking forums (some, via the Mirai botnet).

The botnet clients receive commands from malicious C&C IRC servers through the Telnet protocol. To cripple targets, Linux/IRCTelnet can carry out denial-of-service attacks such as UDP floods, TCP floods, and several others over both IPv4 and IPv6.


Another IoT botnet we should be worried about is Bashlite. While Linux/IRCTelnet is still on the rise, Bashlite is already quite well established. Apparently, this malware family has already managed to infect a million endpoint devices, the majority of which are IoT devices, and has even been used to conduct DDoS attacks-for-hire.

Like the other two IoT botnets, Bashlite also exploits default usernames and passwords. It can launch TCP and UDP floods, and can even carry out HTTP attacks.

The malicious code used by these types of malware resides in memory. So, theoretically, it can be removed by simply restarting the compromised devices. However, the volume of scans conducted by these malware families is so large that they can just as easily re-infect the restarted devices.
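The credential guessing that Mirai, Linux/IRCTelnet and Bashlite rely on leaves a recognisable trace on the device or its syslog collector: a burst of failed Telnet logins from one source walking through a short list of usernames, followed by a success. Here is an added example detector written for this post (not code from the post or from any of these malware families); the log format, device name and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (real telnetd/BusyBox messages differ):
#   <ISO timestamp> <device> telnetd: login <failed|succeeded> user='<name>' from <ip>
LINE = re.compile(r"^(\S+) (\S+) telnetd: login (failed|succeeded) user='([^']*)' from (\S+)$")
FAIL_THRESHOLD = 5            # failures from one source within WINDOW = credential guessing
WINDOW = timedelta(seconds=60)

def parse(line):
    """Return (timestamp, device, success, user, src) or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts, device, result, user, src = m.groups()
    return datetime.fromisoformat(ts), device, result == "succeeded", user, src

def detect(lines):
    """Map each source IP that crossed the failure threshold to what was observed."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[0])
    recent_fails = defaultdict(list)  # src -> timestamps of failures inside WINDOW
    findings = defaultdict(lambda: {"brute_force": False, "users": set(), "compromised": []})
    for ts, device, success, user, src in events:
        f = findings[src]
        if not success:
            f["users"].add(user)
            recent_fails[src] = [t for t in recent_fails[src] if ts - t <= WINDOW] + [ts]
            if len(recent_fails[src]) >= FAIL_THRESHOLD:
                f["brute_force"] = True
        elif f["brute_force"]:
            # A success right after a burst of failures is the default-credential
            # pattern: the scanner walked a short list and one entry worked.
            f["compromised"].append((device, user))
    return {src: f for src, f in findings.items() if f["brute_force"]}

# Constructed sample log lines (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
2016-11-02T10:15:01 cam-01 telnetd: login failed user='root' from 203.0.113.7
2016-11-02T10:15:02 cam-01 telnetd: login failed user='admin' from 203.0.113.7
2016-11-02T10:15:03 cam-01 telnetd: login failed user='support' from 203.0.113.7
2016-11-02T10:15:04 cam-01 telnetd: login failed user='user' from 203.0.113.7
2016-11-02T10:15:05 cam-01 telnetd: login failed user='guest' from 203.0.113.7
2016-11-02T10:15:06 cam-01 telnetd: login succeeded user='root' from 203.0.113.7
2016-11-02T10:20:00 cam-01 telnetd: login failed user='admin' from 10.0.0.3
2016-11-02T10:21:00 cam-01 telnetd: login succeeded user='admin' from 10.0.0.3
""".splitlines()
```

Calling `detect(SAMPLE_LOG)` reports only 203.0.113.7, with the five usernames it tried and the device it got into as root; the single mistyped login from 10.0.0.3 stays below the threshold. A device that shows up under "compromised" is the one to reboot and, more importantly, to re-credential before it is rescanned.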

The use of default or non-configurable login credentials is one of the vulnerabilities we outlined in our post “IoT Vulnerabilities – What Should You Secure?”. Unless this vulnerability, which exists in a large number of IoT devices out there, is addressed, IoT botnets like Linux/IRCTelnet and Mirai will continue to exploit it.