Botnets

Introduction

A bot is a piece of computer code that performs a task automatically.

A botnet is a network of compromised computers that can be remotely controlled by a bot master.

Features of a botnet

Communication

Systems must be able to communicate with each other. A bot must be able to report the results of the scans it performs to the command and control (C&C) center.

Unwilling Participation

Machines that have joined a botnet are typically unwilling participants, since they have been compromised.

These compromises can take place through a targeted attack, code exploits, phishing, drive-by downloads, etc.

Command and Control Structure

Bots receive orders from the C&C and report back to the C&C structure. There are four types of command and control structures.

  1. IRC channels, where bots join the server to report output or await commands from the botmaster.
  2. P2P networks allow for a more decentralized architecture, where one or more bots can share the role of botmaster.
  3. Custom domains allow infected computers to access a specially-designed web page which serves the list of commands.

These C&C servers are hard to track because they can achieve anonymity via the Tor network, employ fast-flux DNS, and even hop domains via domain generation algorithms (DGAs).
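Two of the evasion techniques above, fast-flux DNS and DGA-generated domains, leave traces in resolver logs that a defender can score. The following is an added example, not from the original page: it runs two simple heuristics (a low-TTL, many-IP answer pattern for fast flux; a long, high-entropy registrable label for DGA names) over constructed DNS log lines. The log format, thresholds and domain names are assumptions for illustration.

```python
"""Heuristics for spotting DGA-style names and fast-flux C&C domains in DNS logs."""
import math
from collections import defaultdict

# Constructed resolver log lines (not real data): timestamp, client, qname, rtype, answer, TTL
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.org A 203.0.113.10 ttl=3600
2024-01-01T10:00:05 10.0.0.5 update-check.example.net A 198.51.100.11 ttl=60
2024-01-01T10:01:05 10.0.0.7 update-check.example.net A 198.51.100.12 ttl=60
2024-01-01T10:02:05 10.0.0.5 update-check.example.net A 198.51.100.13 ttl=60
2024-01-01T10:03:05 10.0.0.9 update-check.example.net A 198.51.100.14 ttl=60
2024-01-01T10:04:05 10.0.0.5 update-check.example.net A 198.51.100.15 ttl=60
2024-01-01T10:05:00 10.0.0.7 xk7qp2vz9mwtr4bn.example A 192.0.2.44 ttl=300
2024-01-01T10:05:30 10.0.0.7 mail.corp-intranet.local A 10.0.0.2 ttl=86400
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Parse one constructed log line into the fields the heuristics need."""
    _ts, _client, qname, _rtype, answer, ttl = line.split()
    return {"qname": qname.lower(), "answer": answer, "ttl": int(ttl.split("=")[1])}

def looks_like_dga(qname, min_len=12, min_entropy=3.5):
    """Flag names whose registrable label is long and high-entropy (DGA-style)."""
    labels = qname.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Names answered with many distinct IPs, all at low TTL, look like fast flux."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        ips[r["qname"]].add(r["answer"])
        ttls[r["qname"]].append(r["ttl"])
    return {q: sorted(ips[q]) for q in ips
            if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}

def analyze(log_text):
    """Return (sorted DGA-like names, {fast-flux name: sorted IPs}) for a log."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    dga = sorted({r["qname"] for r in records if looks_like_dga(r["qname"])})
    return dga, fast_flux_candidates(records)
```

Both heuristics produce candidates for analyst review, not verdicts: CDNs legitimately use low TTLs with many IPs, and some benign hostnames are random-looking.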

Malicious Activity

To be considered a botnet, bots within the network must perform malicious activities such as DDoS attacks, spamming, sniffing network traffic, keylogging, etc.

Mitigation

You can read up about botnet mitigation here

Case Study: Mirai

We've prepared a PowerPoint presentation outlining the Mirai botnet here