Botnets have been around for a very long time, since the late 90s. Sub7 and Pretty Park were among the first malware families that could connect a victim’s computer to an IRC channel and listen there for malicious commands. Botnets are used for many different purposes, from ad fraud to DDoS-for-hire to cryptocurrency mining; the only limitation is the hacker’s imagination. Much is said about them, but their inner workings are very rarely explained, so let us take a look at how these things are created and used in the wild.
The inner workings of a botnet
First, let us explain what a botnet is. A botnet is a collection of internet-connected devices (computers, smartphones, and even IoT, Internet of Things, devices) that have been infected with malware and can be controlled by the creator of that malware.
The attacker, also called the botmaster or bot herder, first either buys or writes the malware that will be used to control the devices. The complexity of the malware is limited only by the money the attacker has to buy “high quality” malware, or by the skill to create it. The malware’s job is to scan for devices with known, unpatched vulnerabilities and infect them.
Once the number of infected devices is large enough, the botmaster starts communicating with them. There are several ways to do this: some botnets used Telnet, others an IRC channel, and more recent ones use P2P to relay commands. The most common approach is client/server: the attacker sets up a server that acts as the C&C (command-and-control), every command is sent to that server, and the server relays it to the infected devices. An IRC channel was long the preferred method because of its simplicity.
This method worked for many years, but as cybersecurity firms came to understand how these botnets operated, they saw the flaw: because the design is centralized, all that is needed to bring the botnet down is to find the server the botmaster is talking to and take it offline. Recent botnets have moved to P2P networks to avoid having a single point of attack, which makes them much harder for authorities to take down. Some go a step further and use encryption, both to deny rival hackers access to their bots and to make it almost impossible for authorities to crack the encryption key.
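The centralized weakness described above is also what makes this kind of C&C easy to spot from the defender's side. The following is an added example, not code from the original article: a small detector that reads a constructed flow log and flags an external host that many internal machines reconnect to on an IRC port at a steady interval. The port list, thresholds, log format and all IP addresses are assumptions made for this example.

```python
# Added example (not from the original article): spot the centralized IRC-style
# C&C pattern described above in a constructed flow log.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}  # assumption: bots use the standard plain/TLS IRC ports

# Constructed sample log, one flow per line: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 6667
2024-05-01T10:00:02 10.0.0.6 203.0.113.7 6667
2024-05-01T10:00:04 10.0.0.7 203.0.113.7 6667
2024-05-01T10:05:00 10.0.0.5 203.0.113.7 6667
2024-05-01T10:05:02 10.0.0.6 203.0.113.7 6667
2024-05-01T10:05:05 10.0.0.7 203.0.113.7 6667
2024-05-01T10:07:30 10.0.0.9 198.51.100.9 6667
2024-05-01T10:10:00 10.0.0.5 203.0.113.7 6667
2024-05-01T10:10:01 10.0.0.6 203.0.113.7 6667
2024-05-01T10:10:04 10.0.0.7 203.0.113.7 6667
"""

def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            flows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return flows

def find_cc_candidates(flows, min_hosts=3, min_beacons=3, max_jitter=10.0):
    """Return {dst: {"hosts": [...], "interval": seconds}} for destinations that
    at least min_hosts sources contact on an IRC port at a near-constant interval."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in flows:
        if port in IRC_PORTS:
            by_dst[dst][src].append(ts)
    result = {}
    for dst, srcs in by_dst.items():
        beaconing = []  # (src, mean gap) for sources that reconnect regularly
        for src, times in srcs.items():
            times = sorted(times)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(times) >= min_beacons and pstdev(gaps) <= max_jitter:
                beaconing.append((src, mean(gaps)))
        if len(beaconing) >= min_hosts:  # many hosts -> the single point the text describes
            result[dst] = {"hosts": sorted(s for s, _ in beaconing),
                           "interval": round(mean(g for _, g in beaconing), 1)}
    return result
```

The lone connection from 10.0.0.9 is ignored because one host with one connection is neither a beacon nor a crowd; 203.0.113.7 is reported because three hosts return to it roughly every five minutes.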
The idea of a P2P botnet is to remove the need for a centralized command-and-control server; instead, all infected devices communicate with one another. Although this sounds easy, these botnets are much harder to maintain and control. And although the design solves the problem of a central server, cybersecurity experts are already attacking it with a technique called peer poisoning. Because every infected device has to talk to its peers to refresh and relay the list of infected nodes, the authorities create nodes that are deliberately infected, gradually coming to control a large share of the nodes that make up the botnet. Once they control enough of them, they shut all their nodes down at the same time, crippling the botnet.
The fact is that with hundreds of millions of dollars to be made every year from botnets, hackers will continue to create new ones and modify their existing arsenal, and the authorities will have to keep adapting to these new scenarios.