Understanding How Botnets Work

August 21, 2016 | Views: 18546



A botnet is a network of bots: programs connected to the Internet that communicate with other similar programs to perform certain tasks.

An Internet bot is an automated or semi-automated software agent that interacts with computer servers. A bot connects to and interacts with the server in the same way as a client program used by a human, hence the term “bot,” which is a contraction (apheresis) of “robot”.

They’re mainly used to perform repetitive tasks that automation makes fast. They’re also useful when speed of action is an important criterion (for example, with game bots or auction bots), and also to simulate human responses, as with IM bots.

Botnets can spread and be used for malicious purposes such as sending spam, spreading computer viruses, launching denial-of-service (DDoS) attacks, espionage and taking control of computers.

A zombie machine is a computer or an IP printer controlled by an attacker without the knowledge of its user. The attacker most often uses it, for example, to attack other machines while concealing their true identity. A zombie is often initially infected by a worm or Trojan horse.

Any machine connected to the Internet is a potential target for becoming a zombie machine. Windows machines represent the majority of infected machines, but Linux machines, Apple machines, game consoles, routers and printers are also affected to a lesser extent.


Primary Malicious Uses of Botnets

The main characteristic of botnets is the pooling of several different machines, sometimes very numerous, which makes the desired activity more efficient (since they have the ability to use a lot of resources). This also makes them more difficult to stop. One attacker can control hundreds of computers.

Primarily, they’re used for:

  • Relaying spam for illegal trade or for manipulating information (e.g. stock market prices)
  • Performing phishing operations
  • Identifying and infecting other machines, spreading viruses and malware
  • Participating in grouped DDoS attacks
  • Generating abusive clicks on advertising links on a web page (click fraud)
  • Capturing information on compromised machines (theft and resale of information)
  • Harnessing the computing power of machines or performing computing operations, including distributed password cracking
  • Conducting illegal trade operations by managing access to sites selling unauthorized or counterfeit products via fast-flux techniques (single-flux, double-flux or RockPhish)
  • Stealing bank card details and passwords

Motivation of Pirates

  • Spam: to send more mail.
  • DDoS: to send more attack traffic at a server to make it stop working.
  • Bruteforcing: to find a password quickly.
  • Infection: of machines (viruses, worms, Trojans …)



Once installed, this software base may declare the machine to a control center, which will then consider it active. This is a key concept of the botnet: the infected machine can now be controlled remotely by one (or more) third-party machines. In some cases, other phases are required (self-protection, update, etc.) before entering the operational phase.
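From the defender's side, this check-in with a control center often shows up in flow or proxy logs as one internal host contacting the same external address at a near-constant interval. The sketch below is an added example, not part of the original article; the record format, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (epoch seconds, internal source, external destination).
SAMPLE_FLOWS = (
    # Host checking in roughly every 300 s with a few seconds of drift.
    [(1000 + 300 * i + d, "10.0.0.23", "203.0.113.50")
     for i, d in enumerate([0, 2, -1, 3, 0, -2, 1, 0])]
    # Human-driven browsing: irregular gaps to the same site.
    + [(t, "10.0.0.41", "198.51.100.7")
       for t in (1010, 1025, 1900, 1960, 4000, 4100, 7200, 7215)]
    # Too few contacts to say anything.
    + [(t, "10.0.0.23", "198.51.100.7") for t in (1500, 2600)]
)

def find_beacons(flows, min_events=6, max_jitter=0.1, min_period=30):
    """Return (src, dst, median period, jitter) for pairs contacted on a near-fixed timer."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    hits = []
    for (src, dst), seen in times.items():
        if len(seen) < min_events:
            continue  # not enough contacts to judge regularity
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        period = statistics.median(gaps)
        if period < min_period:
            continue  # short bursts look like one page load, not a check-in timer
        # Median absolute deviation relative to the period: one missed or
        # delayed check-in does not hide an otherwise regular pattern.
        mad = statistics.median(abs(g - period) for g in gaps)
        jitter = mad / period
        if jitter <= max_jitter:
            hits.append((src, dst, period, round(jitter, 3)))
    return sorted(hits, key=lambda h: h[3])  # most regular first

if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: every ~{period}s (jitter {jitter})")
```

Legitimate software such as update checkers and monitoring agents also polls on a timer, so hits are leads to triage against known-good destinations rather than verdicts.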


Once the machine has been infected and activation has been carried out, the botnet can update itself, modify itself, add features, etc. This has a significant impact on the danger posed by the botnet and on the ability of control tools to stop it, because a botnet may modify its virus signature and other features by which it could be discovered and identified.


Initially, or after an update phase, the botnet will seek to secure the means to continue its action and the means to conceal itself. This may involve:

  • Installing rootkits
  • Changing the system (changing the network filtering rules, disabling security tools, etc.)
  • Self-modification (to change its signature)
  • Deleting other malware that can disrupt the botnet
  • Exploiting flaws in the host system, etc.


The size of a botnet is both a guarantee of efficiency and added value for the sponsors and users of the botnet. It is therefore common, after installation, for the zombie machine to seek to extend the botnet by viral spread, often through a spam campaign (web links, malware in an attachment, etc.).

By Scan

  • To exploit vulnerabilities that it recognizes;
  • To use known or previously installed backdoors;
  • To carry out brute-force attacks, etc.

Once installed, the zombie machine can obey the orders given to it to accomplish the actions desired by the attacker.


By Antr4ck (Hoping to help you learn.)

  1. You guys are really doing a great job, thank you for taking your time to explain. My biggest thanks goes to the master planner of cybrary it.

  2. I tried creating a botnet using UFONET, Just wondering if there’s any other way
