The Botnet Business
by Vitaly Kamluk - Kaspersky Lab - Wednesday, 28 May 2008.
Proxy: use the computer as a proxy server. This function is often included in a bot's core functionality rather than being implemented as a separate command. This feature makes it possible to use any computer which is part of a botnet as a proxy server in order to conceal the real address of the cybercriminal controlling the botnet.

Other commands, which are not as popular as those described above, are only implemented in some bots. These additional commands include making screenshots, logging keystrokes, requesting the user's network activity log file (used for stealing accounts and confidential data), sending this file from the user's computer, identifying serial numbers for the software installed on the user's computer, obtaining detailed information about the user's system and network environment, requesting a list of computers included in the botnet, etc.

Types of botnet

Today's botnet classification is relatively simple, and uses botnet architecture and the protocols used to control bots as its basis.

Classification of botnets according to architecture

There are currently only two known types of botnet architecture.

1. Centralized botnets. In this type of botnet, all computers are connected to a single command-and-control center or C&C. The C&C waits for new bots to connect, registers them in its database, tracks their status and sends them commands selected by the botnet owner from a list of bot commands. All zombie computers in the botnet are visible to the C&C. The zombie network owner needs access to the command and control center to be able to manage a centralized botnet. Centralized botnets are the most widespread type of zombie network. Such botnets are easier to create, easier to manage and they respond to commands faster. However, it is also easier to combat centralized botnets, since the entire zombie network is neutralized if the C&C is put out of commission.

2. Decentralized or P2P botnets. In a decentralized botnet, bots connect to several infected machines on a bot network rather than to a command and control center. Commands are transferred from bot to bot: each bot has a list of several 'neighbors', and any command received by a bot from one of its neighbors will be sent on to the others, further distributing it across the zombie network. In this case, a cybercriminal needs access to at least one computer on the zombie network to be able to control the entire botnet. In practice, building decentralized botnets is not an easy task, since each newly infected computer needs to be provided with a list of bots to which it will connect on the zombie network. It is much easier to direct a bot to a central server first, where it will receive a list of 'neighbor' bots, and only then switch it to P2P connections. This mixed topology is also categorized as P2P, although at a certain stage the bots will use a C&C. Combating decentralized botnets is a much more difficult task than combating centralized networks, since an active P2P botnet has no control center.
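The takedown argument in the two architecture descriptions above (a centralized botnet dies with its C&C, a P2P botnet does not, and the mixed topology only suffers at the bootstrap stage) can be made concrete with a small reachability model. The following is an added example, not code from the article or from Kaspersky Lab: it treats each architecture as a graph, injects a command at the controller's entry point, and measures which bots still receive it once a given set of nodes is offline. Bot names, the star and ring-with-chords topologies, and the `bootstrap_alive` flag are constructed assumptions standing in for real neighbor lists.

```python
"""Reachability model for centralized vs P2P command propagation.

Constructed example: bot identifiers, topologies and peer lists are
synthetic stand-ins, not data from any real botnet.
"""
from collections import deque


def build_centralized(n_bots):
    """Star topology: every bot talks only to the C&C node 'cc'."""
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {"cc": set(bots)}
    for b in bots:
        graph[b] = {"cc"}
    return graph


def build_p2p(n_bots, span=2):
    """Ring with chords as a deterministic stand-in for per-bot neighbor
    lists: bot i knows bots i+-1 .. i+-span (mod n_bots)."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for d in range(1, span + 1):
            for j in ((i + d) % n_bots, (i - d) % n_bots):
                graph[f"bot{i}"].add(f"bot{j}")
    return graph


def reachable(graph, start, removed=frozenset()):
    """Nodes a command injected at `start` can reach while the nodes in
    `removed` are offline (seized C&C, cleaned hosts). Plain BFS."""
    if start in removed or start not in graph:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def controllable_fraction(graph, entry, removed=frozenset()):
    """Share of bots (every node except 'cc') that still receive commands
    injected at `entry` after the takedown described by `removed`."""
    bots = [n for n in graph if n != "cc"]
    live = reachable(graph, entry, removed) - {"cc"}
    return len(live) / len(bots)


def add_bot_via_bootstrap(graph, new_bot, bootstrap_alive, peers):
    """Mixed topology from the article: a fresh bot first asks a central
    server for its neighbor list, then switches to P2P. If that server is
    down (bootstrap_alive=False) the bot never learns any peers and stays
    isolated; bots that already hold a neighbor list are unaffected."""
    graph[new_bot] = set()
    if not bootstrap_alive:
        return False
    for p in peers:
        graph[new_bot].add(p)
        graph[p].add(new_bot)
    return True


if __name__ == "__main__":
    star = build_centralized(20)
    print("centralized, C&C up:  ", controllable_fraction(star, "cc"))
    print("centralized, C&C down:", controllable_fraction(star, "cc", {"cc"}))

    mesh = build_p2p(20)
    print("p2p, one bot cleaned: ",
          controllable_fraction(mesh, "bot0", {"bot7"}))
    print("p2p, two cut points:  ",
          controllable_fraction(mesh, "bot0",
                                {"bot3", "bot4", "bot11", "bot12"}))

    joined = add_bot_via_bootstrap(mesh, "bot20", False, ["bot0", "bot1"])
    print("mixed, bootstrap down, new bot joined:", joined)
```

The useful reading of the output is the defender's one: against the star, a single seizure drops controllability to zero, whereas against the ring-with-chords a single cleaned host costs the operator one bot and only two separate adjacent cut points isolate a segment. In the mixed topology, taking the bootstrap server offline stops new infections from joining the mesh but leaves every bot that already holds a neighbor list reachable, which is why the article counts that design as P2P for takedown purposes.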

Classification of botnets according to network protocols

For a botnet owner to be able to send commands to a bot, it is essential that a network connection be established between the zombie machine and the computer transmitting commands to it. All network connections are based on protocols that define rules for the interaction between computers on the network. Therefore, botnets can be classified based on the network protocols used. Botnets can be divided into the following classes when classified according to network protocols:
