There are several different types or classes of botnets that you should be aware of. Each type has its own characteristics and functionality.
By understanding how they work and the specific threats they pose, you can create a strategy to prevent, detect, and mitigate their effects. The botnet threat is always evolving – staying on top of it will require constant monitoring.
How to categorize botnets
The classification of botnets is not easy. They can be categorized by several different criteria, such as:
- Functionality or purpose
- Architecture or construction
- The platform they target (Windows, Linux, Android, etc.)
- The way they are controlled (manually or automatically)
- The way they were built (custom-built or off-the-shelf)
- The type of malware the bot carries (DDoS, spam, information stealing, etc.)
- The way they infect the victim's machine (for example via an exploit kit, a browser vulnerability or email spam)
Functionality or purpose
Most botnets are designed so that a large number of infected computers can be controlled from a single point, the command-and-control (C&C) server. They offer a wide range of functionality: taking over the victim's machine, stealing the data on it, spying on the user by logging keystrokes or capturing screenshots, sending spam to innocent recipients and carrying out DDoS attacks. Based on their functionality we can differentiate between:
- Botnets that control a single computer (zombie) through IRC. The bot is a small client that connects to an IRC server and channel chosen by the attacker and executes whatever commands it reads there, either on a schedule or when a given situation arises. This is the easiest kind of botnet to create and operate because the attacker needs no infrastructure of their own: a public or rented IRC server acts as the C&C. Such bots are commonly used for sending spam, opening backdoors on the victim's machine and taking part in DDoS attacks.
- Botnets that control a large number of computers (zombies) through Internet Relay Chat (IRC). IRC became the most popular way for botmasters to control their bots because compromised systems from around the world can be recruited into a single channel with little effort. To set up an IRC-based botnet, the attacker first identifies vulnerable machines and then compromises them, typically by installing a Trojan horse or backdoor through an exploit kit. The resulting bots are spread across the world and can perform tasks for the operator at any time; they often carry custom-made Trojans designed to steal money from users through fraudulent schemes.
- Botnets built from remote administration tools (RATs) installed on each computer, so that the attacker can take over any machine at will. A RAT is a program that gives full control of one or more computers to a remote operator. Malicious RATs are installed on the victim's computer without their knowledge or consent, often through:
  - Fake software update websites
  - Other malware
  Once the RAT is installed, the attacker has full access to the machine: they can steal data from its drives, upload further malicious code, monitor user activity and much more. The botmaster then manages the compromised systems by pushing additional software modules to them remotely over the RAT's command channel (IRC in the older families).
- Botnets that run distributed denial-of-service (DDoS) attacks. These are controlled through IRC using dedicated commands that name the target; when a bot receives such a command it starts flooding the victim's web server, network or other systems. This type of botnet is very popular among cybercriminals, who rent out its capacity through online forums and services to anyone wishing to attack another party without revealing their own identity.
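The IRC-controlled botnets described above leave a recognisable trace in network traffic: a channel full of machine-generated nicks that join and then sit silent while one nick issues terse sigil-prefixed commands. The following Python script is an added example, not code from the original article; it parses constructed IRC lines (not a real capture) and scores each channel on two heuristics, the fraction of bot-shaped nicks and the fraction of command-shaped messages. The nick pattern, the command sigils and the threshold are assumptions chosen for illustration and would be tuned against real traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample IRC traffic (not a real capture). Lines follow the IRC wire
# format ":<nick>!<user>@<host> <COMMAND> <params> :<trailing>". The first
# channel mimics the pattern described in the text: generated nicks join, then a
# single operator nick issues commands; the second channel is ordinary chat.
SAMPLE_IRC_LINES = [
    ":[USA|XP|01923]!bot@10.0.0.7 JOIN :#pr0t3ct",
    ":[DEU|W7|55210]!bot@10.0.0.8 JOIN :#pr0t3ct",
    ":[FRA|XP|77311]!bot@10.0.0.9 JOIN :#pr0t3ct",
    ":[BRA|W7|00431]!bot@10.0.0.10 JOIN :#pr0t3ct",
    ":master!op@203.0.113.5 PRIVMSG #pr0t3ct :.scan 192.168.0.0/16 445",
    ":master!op@203.0.113.5 PRIVMSG #pr0t3ct :.dl http://203.0.113.5/upd.exe",
    ":master!op@203.0.113.5 PRIVMSG #pr0t3ct :.syn 198.51.100.20 80 600",
    ":[USA|XP|01923]!bot@10.0.0.7 PRIVMSG #pr0t3ct :[SCAN]: started",
    ":alice!a@192.0.2.10 JOIN :#linux",
    ":bob!b@192.0.2.11 JOIN :#linux",
    ":alice!a@192.0.2.10 PRIVMSG #linux :anyone tried the new kernel?",
    ":bob!b@192.0.2.11 PRIVMSG #linux :yes, works fine here",
]

# Minimal IRC line parser. Hostmasks with IPv6 hosts contain ':' and would need
# a stricter parser; the first ':' after the command starts the trailing part.
IRC_LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+"
    r"(?P<cmd>[A-Z]+)\s*(?P<params>[^:]*?)\s*(?::(?P<trailing>.*))?$"
)
# Assumed nick shape "[CC|OS|digits]" typical of auto-generated bot nicks.
BOT_NICK_RE = re.compile(r"^\[?[A-Z]{2,3}\|[A-Z0-9]{1,4}\|\d{4,}\]?$")
# Assumed command shape: a sigil followed by a bare word, no natural language.
COMMAND_RE = re.compile(r"^[.!$]\w+")


@dataclass
class ChannelStats:
    members: set = field(default_factory=set)           # nicks seen joining
    bot_like_members: set = field(default_factory=set)  # joiners matching BOT_NICK_RE
    messages: int = 0                                   # PRIVMSGs to the channel
    command_like: int = 0                               # messages matching COMMAND_RE
    controllers: set = field(default_factory=set)       # nicks that issued commands

    @property
    def score(self) -> float:
        """0..2: bot-shaped share of joiners plus command-shaped share of messages."""
        s = 0.0
        if self.members:
            s += len(self.bot_like_members) / len(self.members)
        if self.messages:
            s += self.command_like / self.messages
        return s


def analyze_irc(lines):
    """Aggregate JOIN and channel PRIVMSG events per channel."""
    stats = defaultdict(ChannelStats)
    for line in lines:
        m = IRC_LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        nick, cmd = m["nick"], m["cmd"]
        params, trailing = m["params"].strip(), (m["trailing"] or "")
        if cmd == "JOIN":
            chan = trailing or params  # both "JOIN #chan" and "JOIN :#chan" occur
            stats[chan].members.add(nick)
            if BOT_NICK_RE.match(nick):
                stats[chan].bot_like_members.add(nick)
        elif cmd == "PRIVMSG" and params.startswith("#"):
            st = stats[params]
            st.messages += 1
            if COMMAND_RE.match(trailing):
                st.command_like += 1
                st.controllers.add(nick)
    return dict(stats)


def suspicious_channels(lines, threshold=1.0):
    """Channels whose score reaches the (assumed) threshold, highest score first."""
    report = analyze_irc(lines)
    flagged = [c for c, st in report.items() if st.score >= threshold]
    return sorted(flagged, key=lambda c: -report[c].score)


if __name__ == "__main__":
    for chan, st in analyze_irc(SAMPLE_IRC_LINES).items():
        print(f"{chan}: score={st.score:.2f} members={len(st.members)} "
              f"bot_like={len(st.bot_like_members)} commands={st.command_like} "
              f"controllers={sorted(st.controllers)}")
    print("suspicious:", suspicious_channels(SAMPLE_IRC_LINES))
```

On the constructed sample, #pr0t3ct scores 1.75 (four of four joiners bot-shaped, three of four messages command-shaped, all from "master") and #linux scores 0. In practice the same two features are computed from a network sensor's reconstructed IRC sessions, and the controller nick and its host are what the responder pivots on.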
Architecture or construction
Based on the botnet architecture or construction we can differentiate between:
- Client-server model. This is the most common type. A central C&C server receives check-ins from the infected machines and sends them commands, which each bot executes on the compromised computer. Because every bot depends on that one server, taking it down cuts off the whole botnet.
- Peer-to-peer model. In a P2P botnet every node acts as both client and server: bots exchange commands with a list of known peers rather than with a fixed server, usually over a custom peer protocol. The attacker needs no dedicated servers and can inject a command at any peer, from which it propagates through the network; control over the infected devices is kept without any single intermediary whose removal would stop the operation.
- Compliant/controlled mode. A variant of the client-server model in which the bot software is installed on a server the attackers have hijacked rather than on an end-user machine. The compromised server connects to a C&C server, which hands it tasks to execute.
- Mixed models. Most botnets combine the first two models, for instance a P2P layer that bots use to locate a small set of central servers, and some contain elements of all three.
Targeted platform
Based on the platform a botnet targets, we can differentiate between:
- Windows-based botnets. Because of its market share, Microsoft Windows is the most common platform both for malware infection and for running bots. It is also popular with cybercrime groups because of the large installed base and the number of known vulnerabilities, which is why running outdated, unpatched versions of Windows is so dangerous.
- Linux-based botnets. Linux bots have two main targets: servers and embedded devices. Because Linux runs most websites, file-hosting services and other Internet services, the number of Linux bots is growing rapidly; Linux also powers devices such as home routers and IP cameras, which are often left unpatched.
- Android-based botnets. Android botnets are relatively new, but they could become a widespread threat. Malicious programs for Android have already been detected (for example the SMS Trojan Trojan-SMS.AndroidOS.Opfake) and more will appear as the platform's popularity grows.
Mobile botnets based on iOS or BlackBerry might also emerge in the future; for now they are uncommon because of the limited market penetration of these devices.
The way they are controlled
Based on how they’re controlled we can differentiate between:
- Automated botnets. Once a machine is infected, these bots act without further human intervention: they spread to new victims and use the victims' resources (CPU, bandwidth) for tasks such as DDoS attacks according to instructions built into the malware or issued once by the operator. They are typically designed to be hard for antivirus software to detect.
- Manual botnets. Some operators prefer to direct each action themselves rather than rely on automation, and so choose manual botnets over autonomous ones when attacking another party. With these tools the operator launches an attack from any infected device at the moment they choose. Many such bots can also download updates to their malicious code from a remote repository.
The way they were built
Based on how they were built we can divide botnets into:
- Custom-built botnets. The operator builds and owns the network, either by writing or buying the bot malware and infecting machines themselves or by buying outright a ready-made list of infected machines from a vendor. Either way the result is the operator's own army of bots, which they must maintain.
- Off-the-shelf or prebuilt botnets. A prebuilt botnet is a ready-made product that is already deployed and operational. The difference from the previous option is that you do not buy your own army of infected machines; you rent or lease it for 24 hours, a week or some other period. Many cybercriminal groups prefer this service because it saves them the time of building and maintaining a botnet of their own.
The type of malware they are using
There are many different types of malware used for building botnets. The most commonly encountered botnets based on the malware they’re using include:
- DDoS botnets. Hundreds or thousands of infected computers are used to launch powerful DDoS attacks against a specified target (see the diagram below). The owners of these botnets often offer their services for hire.
- Network-probing botnets. These bots have one purpose: to scan the Internet for other vulnerable computers and infect them with malware that turns them into bots as well. They are often aimed at specific targets such as servers, where the goal is full control over the system, including all of its data, software and hardware resources; gaining access to even a single well-resourced server (for example in the finance, defense or energy sectors) is a significant win for the operator.
- Backdoor botnets. The bot installs a backdoor that gives the attacker persistent remote access to the infected computer. That access is then used to push further malware, including code that infects other computers and adds them to the list of bots the attacker controls.
- Information-stealing botnets. Infected machines collect personal information from their victims by various means (keyloggers, screenshot grabbers, etc.) and send it to the attacker's remote server, where it is used directly or sold on the black market. The malware is installed either manually (by tricking the victim into running it) or automatically (by drive-by download). Viruses, Trojans and worms written to steal passwords from particular applications and services also count as information-stealing bots.
- Spam-sending botnets. Spam is far from a thing of the past: these bots send out millions (or even billions) of unsolicited messages from infected computers around the world. The address lists they use are harvested from public websites or gathered by other means, for example from other infected machines. Botnets made up entirely of compromised devices such as routers, IP cameras and printers use the same techniques to send spam.
Centralized or decentralized control
Depending on how the bots receive their commands, we can categorize botnets as:
- Centralized botnets. These are controlled by a single command-and-control (C&C) server, the central point from which the attacker directs every infected machine. After installing itself on a victim's machine, the malware contacts the C&C server for instructions, for example to send spam or to take part in a DDoS attack. A centralized botnet can have tens of thousands of bots in one network. Fortunately, it can be shut down in one step by taking down the C&C server.
- Decentralized botnets. These have no central C&C server. Instead every bot runs the same code and relays commands to the peers it knows about, so the operator can inject a command at any surviving node and it reaches the rest. If one machine is taken down the others keep working. Such networks are much harder to track and shut down because of their distributed nature: there is no single component whose removal stops them, and the many compromised computers together form a computing network that cannot be stopped by taking out just one part of it. Decentralized designs are becoming increasingly popular for exactly this reason.
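The difference between the client-server and peer-to-peer models described under "Architecture or construction" and the centralized/decentralized distinction above comes down to what happens when nodes are removed. The following Python simulation is an added example, not code from the original article: it builds a star-shaped centralized botnet and a random peer-to-peer overlay, takes nodes down, and measures what share of the bots the operator can still command. The network sizes, peer-list length, number of removed nodes and seeds are assumptions chosen for illustration.

```python
import random
from collections import deque


def star_botnet(n_bots):
    """Client-server (centralized) topology: every bot talks only to the C&C."""
    graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph


def p2p_botnet(n_bots, peers_per_bot, seed=1):
    """Peer-to-peer topology: each bot keeps a random peer list (assumed size).
    Links are symmetric because a peer that receives a command relays it on."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {b: set() for b in bots}
    for b in bots:
        for p in rng.sample([x for x in bots if x != b], peers_per_bot):
            graph[b].add(p)
            graph[p].add(b)
    return graph


def reachable(graph, start, removed):
    """Nodes that can still receive a command injected at `start` after the nodes
    in `removed` are taken down: a breadth-first flood over surviving links."""
    if start in removed or start not in graph:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def controllable_fraction(graph, start, removed):
    """Share of all bots (taken-down ones count in the denominator) that the
    operator can still command from `start`."""
    bots = [n for n in graph if n.startswith("bot")]
    alive = [b for b in reachable(graph, start, removed) if b.startswith("bot")]
    return len(alive) / len(bots)


def takedown_experiment(n_bots=200, peers_per_bot=8, n_removed=20, seed=7):
    """Compare how each topology survives the same number of removed nodes."""
    rng = random.Random(seed)
    star = star_botnet(n_bots)
    p2p = p2p_botnet(n_bots, peers_per_bot, seed)
    random_bots = set(rng.sample(sorted(p2p), n_removed))
    # Sinkholing the best-connected peers is the usual attack on a P2P overlay.
    top_degree = set(sorted(p2p, key=lambda n: -len(p2p[n]))[:n_removed])

    def first_survivor(removed):
        # The operator injects commands at any peer still standing.
        return next(b for b in sorted(p2p) if b not in removed)

    return {
        # One node removed: the whole centralized botnet goes dark.
        "star_c2_taken_down": controllable_fraction(star, "c2", {"c2"}),
        # Removing bots from the star only loses those bots.
        "star_bots_taken_down": controllable_fraction(
            star, "c2", {f"bot{i}" for i in range(n_removed)}),
        # Removing the same number of peers from the overlay also only loses
        # those peers: the survivors stay connected to each other.
        "p2p_random_taken_down": controllable_fraction(
            p2p, first_survivor(random_bots), random_bots),
        "p2p_top_peers_taken_down": controllable_fraction(
            p2p, first_survivor(top_degree), top_degree),
    }


if __name__ == "__main__":
    for name, frac in takedown_experiment().items():
        print(f"{name:26s} {frac:.2f} of bots still controllable")
```

With the defaults, taking down the single C&C leaves 0% of the star controllable, while taking down 20 of 200 peers in the overlay, whether chosen at random or by highest degree, leaves about 90% controllable, which is the resilience property the text attributes to decentralized botnets. The same simulation, run with the defender's candidate takedown set, is a quick way to estimate whether a planned sinkhole action will actually fragment a P2P botnet.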