Anatomy of a Botnet

By Matthew Hines  |  Posted 2008-09-15 Print this article Print

Sometimes pictures help... a lot.

Most of you who follow this blog are likely very familiar with the concept of botnets, but, as with the study of human anatomy, sometimes it's helpful to review what these things actually look like from a schematic point of view.

Within that context, it might be worth your while to take a peek at the explanation and visual cues offered up by BitDefender/Malware City researcher Bogdan Botezatu over at the MC research portal earlier today, which, while somewhat rudimentary, do help retain the eyes and mind regarding the manner in which these persistent zombie networks spread and thrive.

Perhaps even more importantly, the appropriately named Bot-ezatu, reminds us that -- at least with traditional botnet architecture, versus the emerging hydraflux botnet iterations -- reclaiming a few critical machines from a botnet herder's control can have a devastating effect on their schemes.

"Once the communication is interrupted, the computer is out of the reach of the botnet. Many times, something goes wrong with an important computer that is part of the botnet, and the botmaster risks losing the entire structure for a single station," he writes. "That is why botmasters have been intensely researched on different network architectures to protect their network even when a significant part of it has been taken offline."

Of course, that's why fast-flux botnets and the aforementioned emerging hydraflux models are taking off as they offer botmasters the ability to hide and failsafe their networks so that when one command and control center is taken offline, another can simply take over.

And, Botezatu also highlights the emergence of another model that researchers believe may appear, but which has not yet been discovered in the wild, the "random" controlled botnet.

While fast-flux botnets, which have been around for several years now, employ a multitude of DNS servers to hide a key host or to create a highly-available control network in a virtual shell game, and the emerging hydraflux botnets employ multiple command centers so that when one goes down another simply takes its place, the concept of random botnets is fairly nascent.

"The random model of command and control is not yet used, and it exists only in theory," writes Botezatu. "In order to launch new attacks, botmasters scan the computers connected to the Internet in order to determine the currently active workstations. Shortly put, the infected hosts never attempt to connect other computers or central servers, as they merely listen to the traffic and wait for the proper commands from the botmaster."

But, the concept still has its question marks in terms of viability.

"This approach would force a botmaster to scan huge IP ranges on the Internet, as there would be no list with the existing and active bots," the researcher says. "Although there are visible advantages in using random architectures (such as complete stealth thanks to the minimal network traffic during the rallying process), the disadvantages simply make the approach unpractical, because of the latency and scalability issues. Scanning, finding and instructing individual bots is a painstaking process, especially because bots located behind NAT routers and firewalls could never be contacted."

Botezatu also highlights the emergence of IM-based botnets, which "differ from IRC-based networks as they use communication channels provided by IM services such as AOL, MSN, ICQ and Yahoo."

But, as the researcher points out, "IM-based botnets are less appealing to botmasters because it is difficult to create individual IM accounts for each and every bot on the network."

So that's what's old and what's new in the world of the bots.

What hasn't changed is that botnets in general show no signs of slowing down.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel