
Everything About Botnets

Botnets typically take control of many computers around the world and install malware, spyware, spam, and more on these devices. But how do botnets work? Who controls them, and how can we prevent it?

What is a botnet?

A botnet is a set of Internet-connected devices, which may include computers, servers, mobile phones, and Internet of Things devices, that are infected with and controlled by some form of malware. Users usually do not know that their system is part of a botnet.

Devices on which the malware is installed are controlled by cybercriminals. The malware hides its malicious activity so that the user does not notice it. For example, your tablet may be sending spam to thousands of people without your knowing it.

Devices infected as part of a botnet are commonly referred to as “zombies”.


What does a botnet do?

Depending on who runs it, a botnet can have many different functions.

1- Spam: Sending large volumes of spam all over the world. For example, the rate of spam sent via email last year was 56.69%. The number of spammers worldwide has dropped by about 50 percent since FireEye disabled the Srizbi botnet.

2- Malware: Delivering malware and spyware to vulnerable devices.

3- Data: Recording passwords and other personal information.

4- Fake clicks: An infected device visits websites to inflate web traffic artificially.

5- Bitcoin: Those who control the botnet use the infected devices to steal bitcoins and other digital currencies.

6- DDoS: Those who control the botnet direct the infected devices at a target to knock it offline.

Botnet operators often exploit these methods for malicious purposes.


What does a botnet look like?

We know that a botnet is a network of infected computers. However, the central components and the architecture of a botnet are very interesting.


Client-Server Model: A client-server botnet typically uses a chat client (formerly IRC, but modern botnets use Telegram and other encrypted messaging services), a domain, or a website to communicate with the network. The operator sends a message to the server, which relays it to the clients that execute the command. While botnet infrastructure varies widely, a client-server botnet can be disabled with concentrated effort.

Peer-to-peer: A peer-to-peer (P2P) botnet tries to stop security programs and researchers from identifying specific C2 servers by building a decentralized network. A peer-to-peer network is more advanced than the client-server model. Instead of a single network of infected devices communicating with each other via IP addresses, operators prefer to use zombie devices connected to nodes. As a result, there are many connected devices and different nodes, and the network is difficult to trace.


Command and control

Command and control (C&C or C2) protocols come in various guises:

Telnet: Telnet botnets are relatively simple and use scripts to scan IP addresses for telnet and SSH servers they can log in to, adding vulnerable devices to the botnet.

IRC: IRC networks provide a very low-bandwidth communication method for the C2 protocol. The ability to switch channels quickly gives botnet operators more security, but it also means infected clients easily drop out of the botnet if they do not receive the updated channel information. IRC traffic is very simple to track, so many hackers do not use this method.

Domains: Some large botnets use domains instead of messaging clients. Infected devices access a specific domain that serves a list of control commands. The disadvantage of this method is the very high bandwidth requirement for large botnets, which makes them detectable very quickly.

P2P: A P2P protocol usually implements digital signatures using asymmetric encryption. As a result, while the operator holds the key, it is almost impossible for anyone else to issue other commands to the botnet. In addition, the lack of a dedicated C2 server makes removing a P2P botnet very difficult.

Others: Over the past year, we have seen botnet operators use some very interesting command and control channels. For example, social networking channels, as with the Android Twitoor botnet, which is controlled via Twitter. Instagram is not safe from this either. In 2017, for example, a Russian cyber-spy group used comments on Britney Spears’ Instagram photos to store the location of a C2 malware distribution server.



At the end of the chain are the infected devices themselves.

Botnet operators infect vulnerable devices to make their network larger. Interestingly, some botnet operators do not get along with each other and use their infected devices against one another.

Most of the time, zombie device owners are unaware of the existence of botnets. Sometimes botnet malware also controls other malware.


Types of devices

Internet-connected devices are becoming more and more popular, and botnets do not only target Windows and Mac devices. IoT devices are not safe, and neither are smartphones and tablets. In the last few years, Android devices have been caught up in botnets many times. Android is a very easy target because it is open source, has many different versions of the operating system, and has many weaknesses. Of course, Apple devices have also been infected by botnets several times. Another target of botnets is vulnerable routers. Routers with outdated and insecure hardware are easily attacked.


Taking down a botnet

Getting rid of a botnet is not an easy task. Sometimes the botnet architecture is such that the operator can easily rebuild it. Sometimes the botnet is simply too big. Eliminating botnets often requires collaboration between security researchers, government agencies, and other hackers, sometimes relying on backdoor techniques.

GameOver Zeus

One of the biggest examples was the takedown of the GameOver Zeus (GOZ) botnet. GOZ was one of the largest botnets of the past few years, infecting nearly one million devices. This botnet was used mainly for theft and for sending spam email, and because it relied on unique domains produced by a generation algorithm, there did not seem to be a way to get rid of it.

The domain generation algorithm helps the botnet create a long list of domains to use as rendezvous points for the botnet malware. So many rendezvous points make it almost impossible to stop the botnet from expanding, and only the operators know the list of domains.
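As an added example (not from the original article): most domains on a generated list are never registered, so an infected host leaves a burst of failed lookups for random-looking names in resolver logs. The sketch below flags such hosts; the log format, the thresholds, and every sample name are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<time> <client> <queried name> <rcode>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 exampel.com NXDOMAIN
10:00:03 10.0.0.7 qx7vk2pzt9wjr4ma.example NXDOMAIN
10:00:03 10.0.0.7 h3ndq8yfz1kcw6tb.example NXDOMAIN
10:00:04 10.0.0.7 m9rs2xgl5vpa7kjd.example NXDOMAIN
10:00:04 10.0.0.7 qx7vk2pzt9wjr4ma.example NXDOMAIN
10:00:05 10.0.0.7 b4wzt6cyq1nhf8ue.example NXDOMAIN
10:00:05 10.0.0.7 k7dj3vxr9smg2pyl.example NXDOMAIN
10:00:06 10.0.0.9 z5fk8qwm2xhd7tnc.example NXDOMAIN
10:00:07 10.0.0.9 mail.example.org NOERROR
"""

def shannon_entropy(label):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic on the label left of the TLD (ignores suffixes like co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def dga_suspects(log_text, min_distinct=5):
    """Map client -> sorted failed random-looking names, for clients that
    tried at least min_distinct different ones."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, name, rcode = fields
        if rcode == "NXDOMAIN" and looks_generated(name):
            failed[client].add(name.lower())
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_distinct}

if __name__ == "__main__":
    for client, names in dga_suspects(SAMPLE_LOG).items():
        print(client, len(names), "distinct failed lookups:", names)
```

Counting distinct names per client, rather than scoring single lookups, keeps one-off typos and long legitimate names from raising alerts.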


In 2014, a team of security researchers working with the FBI and other international organizations was able to take down GameOver Zeus. Of course, this was by no means easy. After observing the domain registrations, this group registered 150,000 domains in six months. This blocked any further domains from being registered for the botnet.

Many ISPs then handed over control of the GOZ proxy nodes, which the botnet operators used to communicate between command and control servers.

The owner of the botnet, Evgeniy Bogachev, found out after an hour that his botnet was gone and spent about four to five hours trying to restore it.

The researchers then provided free decryption tools to the victims.


The IoT botnet is different

In 2016, Mirai was the largest and worst botnet detected. Before it was eliminated, this IoT-based botnet targeted many computers with DDoS attacks. The figure below shows the number of countries targeted by Mirai.

[Figure: countries targeted by Mirai]


While Mirai was not the largest botnet in the world, it carried out the largest attacks. This botnet used 62 default IoT device passwords. 

Most IoT devices are usually online in one place and always have network resources to share, says security researcher Marcus Hutchins. With the proliferation of low-security IoT devices, the number of infected devices is increasing.


Keep yourself safe

We have learned a lot about botnets. But how do we take care of our devices? First of all, update your system. Regular updates patch the weaknesses in your operating system.

Second, download and install antivirus and anti-malware software. There are many good options available to you.

Third, be careful when browsing the web. For example, you can use the uBlock Origin browser extension.