The following appeared in Samuel R. McQuade, editor, The
Encyclopedia of Cybercrime (Greenwood Press, 2008), pp. 12-14.
I wrote and spoke a lot about botnets in 2004 and 2005, including giving this presentation at Arizona State University. Others can be found at my publications web page.
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Botnets, Zombies and Remote Control Attacks
"Bot networks," or botnets, are collections of computers under the
control of a single entity, usually without the knowledge or consent
of the owners of those computers. The individual infected computers
are running software known as a "bot" (from "robot"), and the
computers themselves are often referred to as "bots" or "zombies."
Botnets are used by the controlling entity, sometimes known as a
"botherd" or "botherder," to perform some function, which may involve
distributing tasks across the individual bots (such as cracking
passwords) or having them work in concert (e.g., engaging in a denial
of service attack).
Botnets have become one of the primary tools of criminal activity
used on the Internet today, and botnet activity is driven by economic
considerations--to make money for those using them. Botnets provide a
technology infrastructure which, in conjunction with a creative
division of labor, disperses the risks faced by online criminals,
allowing them to grow their operations to a larger scale without fear
of being captured and prosecuted (Abad, 2005; Berinato, 2007).
Botnet life cycle
A system can be compromised with bot software by any mechanism used
for distributing malware, such through email that contains a
compromised attachment or entices the user into visiting a web page
that exploits vulnerabilities in a web browser, malicious code
installed on compromised popular servers, peer-to-peer delivered
content, or by a worm exploiting vulnerabilities in software that is
accessible through the network.
When a system is compromised with bot software, it will usually
perform a number of initial actions, such as download a more
up-to-date version of the software, test the bandwidth of its
connection, and "phone home" to a server to register itself with a
"botnet controller" or command and control server (C&C). It may also
install spyware or adware in order to generate advertising revenue
through an affiliate program, to the benefit of the botnet owner. If
a bandwidth test is performed and shows that the bot is installed on a
machine with a low bandwidth connection such as a telephone dialup
connection, the bot may be programmed not to connect to the botnet
A bot's connection to a botnet controller, most commonly using the
Internet Relay Chat (IRC) protocol, is used by the controller to issue
commands to the bot and receive data in response. These commands may
cause a bot to send out spam or phishing emails, disseminate worms or
viruses, spread the bot software itself, launch denial of service
attacks against websites for extortion, start services such as proxies
or remote access ability (a backdoor) on the computer, search the
computer for private information such as passwords and financial
information, intercept communications and log keystrokes to find such
information, or to cooperate in parallel computing efforts with other
bots on tasks such as cracking passwords, manipulating online polls,
or engaging in "click fraud" against online advertising programs
(Bächer, Holz, Kötter, Wicherski 2005).
The bot will continue to monitor for and execute the commands it is
given via the botnet controller until either the owner of the computer
identifies and removes the malware or the botnet controller itself is
shut down, usually by its upstream Internet Service Provider (ISP).
When a botnet controller is shut down, the bot may attempt to contact
a secondary server or be modified to do so via a backdoor connection
used by the owner of the botnet, in which case the cycle starts over
Evolution of botnets
In the early 1990s, bots were created by IRC users to provide
automated responses while they were away from their computers, attack
and defend control of IRC channels, and other tasks. By 1999, various
tools such as Trinoo, Tribal Flood Network, Stacheldraht, and Shaft
were developed to engage in distributed denial of service (DDoS)
attacks, often against IRC servers. In 2000, these DDoS tools were
merged with worms and rootkits in order to automate the rapid
compromise of systems used to launch attacks. By 2002, the IRC
control functionality of the original bots was merged with these
tools, and bots became a general purpose platform for compromising
systems, taking control of them, and using them for a variety of tasks
beyond DDoS (Dittrich, 2005; Bächer et al., 2005). The DDoS
capability became less common as bots began to be used by criminals
for economic gain (Abad, 2005; Berinato, 2007). Some botnets have
begun to use other communications mechanisms besides IRC, including
peer-to-peer protocols that eliminate dependence upon a botnet
controller at the expense of losing the ability to send commands
simultaneously to all bots (Grizzard, Sharma, Nunnery, Kang, Dagon
2007; Menezes 2007).
Botnets and the division of criminal labor
The criminal activity using botnets has been split into multiple
roles, where different individuals and groups can participate in
separate tasks. This allows both specialization in particular
activities and for the dispersal of risk. Some of the common roles
include writing the malware used to compromise systems; compromising
popular web servers and using them to deploy that malware; collecting
bots into botnets (the "botherder" role); using botnet-provided
services to distribute data (such as spam or malware), collect data
(such as financial account information and passwords), or process
information (such as password cracking); selling captured account
information; using captured account information for credit card fraud
or to create forged ATM cards; using forged ATM cards to empty bank
accounts; and laundering the proceeds of credit card fraud by
reselling purchased items.
Botnets and the division of criminal activity into these distinct
roles provide a mechanism for putting distance between the criminal
and the crime. The individuals who perform the riskiest tasks, such
as laundering the proceeds of credit card fraud or collecting cash
from ATMs with forged cards, may be recruited over the Internet and
deceived into participating by claims that they are performing a
legitimate service. Those who capture financial account information
and provide botnet services, on the other hand, need not come in
personal contact with their victims or the customers who purchase from
them (Abad, 2005; Berinato, 2007; Menezes 2007).
Defending against botnets
The main defense against botnets is proactive defense against system
compromise by keeping systems patched against vulnerabilities and
using layered defenses such as firewalls, intrusion prevention, and
antivirus software. Most bots are installed on the Windows systems of
home users rather than businesses, because home users are more likely
to have unpatched and unprotected systems.
Once a system has been compromised with a bot, it or its botnet
controller may be detected by network security monitoring by ISPs.
ISPs often shut down botnet controllers by filtering or "blackholing"
their traffic, which prevents commands from being sent to the
individual bots. They may also quarantine or shut down service for
customers who are infected with bots, as indicated by behavior such as
the generation of spam or hosting of "phishing" websites.
One of the most effective means of tracking botnets is by allowing
honeypots or systems on honeynets to become infected with malware,
then reverse engineering that malware to determine how it works, and
using client software that simulates a bot-infected system to collect
information from a botnet controller (Bächer et al., 2005;
Krebs, 2006). Some bot software tests whether it is running in a
virtualized environment and includes obfuscated and encrypted code in
order to make reverse engineering more difficult.
Criminal prosecutions of users of botnets have been relatively
rare, but the FBI's public announcement of "Operation Bot Roast" on
June 13, 2007 included the names of three individuals arrested and
charged with crimes involving botnets (Federal Bureau of
Jim Lippard is Director of Information Security Architecture &
Engineering and was previously Director of Information Security
Operations at Global Crossing, a global telecommunications provider
and tier 1 Internet backbone provider. He has written and spoken
about botnets to audiences of technology and law enforcement
professionals in the U.S. and Europe.
- Abad, C. (2005). The economy of phishing. First Monday 10(9).
Retrieved October 14, 2007 from
- Bächer, P., Holz, T., Kötter, M., Wicherski,
G. (2005) Know your
enemy: Tracking botnets. Honeynet Project paper. Retrieved October
14, 2007 from http://www.honeynet.org/papers/bots/
- Berinato, S. (2007) Inside the global hacking service economy.
CSO, September, pp. 20-32. Retrieved October 14, 2007 from
- Dittrich, D. (2005) Evolution: rise of the bots. Information Security, March, p. 30. Retrieved October 14, 2007 from http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1068914,00.html
- Federal Bureau of Investigation (2007) Over 1 million potential
victims of botnet cyber crime. Press release, June 13. Retrieved
October 14, 2007 from
- Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., and Dagon,
D. (2007) Peer-to-peer botnets: Overview and case study. HotBots '07
conference paper, April. Retrieved October 14, 2007 from
- Krebs, B. (2006) Bringing botnets out of the shadows.
Washingtonpost.com, March 21. Retrieved October 14, 2007 from
- Menezes, J. (2007) Why we're losing the botnet battle. Network
World, July 25. Retrieved October 14, 2007 from