1Botnet Command and Control
This shows one of the simplest spreading mechanisms bots use: raw executable code included in a simple field (in this case, the topic of a channel). Once connected, the victims computer would then download this code and run it.
2Botnet Command and Control – Welcome Message
This is an example of the welcome message from a live botnet IRC session. This is what a victim machine would see — lots of cryptic data (potentially code), an IRC connect message, and the nickname of the victims computer, shown here as GBR|SP2|XP|#
3Botnet Command and Control – Rogue Hosts
This screenshot shows what it actually looks like when you log in to a suspicious channel with rogue hosts. Included is your cryptic controller bot (@x) and you. In this case, the IRC channel is a ghost town, likely moved on to another location, but l
4Botnet Command and Control – Bots in Action
This is a sample of what these bots do once they get onto the host machine. This is pulled from a live site (hostname and get tags removed) with referrer URLs from many, many unique IPs (also removed to preserve victim identity). In this sample, you c
5Botnet Command and Control – Shellcode Execution
This is a snippet of attempted shellcode execution against cmd.exe.
6Botnet Command and Control – Exploit Attempt
This shows an NTLMSSP (NT Lan Manager Secure Service Provider) exploit attempt.
7Botnet Command and Control – Eavesdropping
Eavesdroppers listening in on botnet command-and-control communications can see thousands of connected bots waiting for instructions from a bot herder.
8Botnet Command and Control – Eric Sites
Eric Sites, vice president of research and development of Sunbelt Software conducts a live demo of communications with a botnet command and control.
9Botnet Command and Control – Patrick Jordan
Veteran anti-spyware researcher Patrick Jordan has found a clear connection between the botnet scourge and the upsurge in adware installations.