Botnet Command and Control

This shows one of the simplest spreading mechanisms bots use: raw executable code included in a simple field (in this case, the topic of a channel). Once connected, the victims computer would then download this code and run it.

This is an example of the welcome message from a live botnet IRC session. This is what a victim machine would see — lots of cryptic data (potentially code), an IRC connect message, and the nickname of the victims computer, shown here as GBR|SP2|XP|#

This screenshot shows what it actually looks like when you log in to a suspicious channel with rogue hosts. Included is your cryptic controller bot (@x) and you. In this case, the IRC channel is a ghost town, likely moved on to another location, but l

This is a sample of what these bots do once they get onto the host machine. This is pulled from a live site (hostname and get tags removed) with referrer URLs from many, many unique IPs (also removed to preserve victim identity). In this sample, you c

This is a snippet of attempted shellcode execution against cmd.exe.

This shows an NTLMSSP (NT Lan Manager Secure Service Provider) exploit attempt.

Eavesdroppers listening in on botnet command-and-control communications can see thousands of connected bots waiting for instructions from a bot herder.

Eric Sites, vice president of research and development of Sunbelt Software conducts a live demo of communications with a botnet command and control.

Veteran anti-spyware researcher Patrick Jordan has found a clear connection between the botnet scourge and the upsurge in adware installations.