Malware analysis

Malware spotlight: What are botnets?

Greg Belding
November 5, 2019 by
Greg Belding


They say simple plans are the most likely to be successful, and this adage definitely carries over to the world of cybersecurity. This old saying also applies to the world of attackers — simple attack strategies are more likely to be successful. 

Botnets are the attacker’s version of putting this saying into practice, and this article will provide a high-level overview of these instruments of simplicity. We’ll explore what botnets are, the two main botnet structures, different attacks typically launched by botnets and how to protect against them. If you are a bit in the dark regarding how simplicity applies to botnets, this article will help you understand how it all ties together.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Simplicity, huh?

From the attacker’s perspective, absolutely. Consider this: during an attack campaign, multiple systems may have malware installed on them. These systems may be spread all over the world, in different countries and definitely on different networks. 

A ham-handed approach to managing all of these compromised systems is to manually log into each one of these systems during the attack. This ends up becoming a gigantic mess where the attack only progresses as far as the attacker progresses. 

No attack campaign, for obvious logistical reasons, works like this. Rather, attackers use what is called a botnet, where just a few clicks on the attacker’s end results in all compromised systems working together. Simply put, botnets turn an unmanageable mess into both a simple and efficient plan.

What is a botnet?

Botnet is a strange name because it is a portmanteau, or combination of two different words. The first part of the name comes from “robot” because compromised systems that have the attacker’s malware installed are like robots or zombie slaves doing the attacker’s bidding. The second portion of the name comes from “network,” because the compromised systems are linked together by virtue (or lack thereof) of the attacker. 

Botnet structures

There are two main botnet structures — client-server and peer-to-peer. 

Client-server model

This model is probably the one most think of when imagining a botnet structure, making it a great starting point. In the client-server model, a basic network is created with clients, or bots, where there is a central server that controls information transmission from the individual bots. This server is called the command-and-control, or C2, server. It may also be referred to as the botmaster. The C2 server maintains control over the bots with special software, which is another piece of malware and another conversation altogether. 

This botnet structure model comes with its cons, which may make it an unattractive option for some. Client-server botnet structures are entirely dependent on the C2 server, to the point that if the server goes down, so does the botnet. This model is also easy to locate, making the C2 server even more at risk of take down.


As expected from past malware behavior, the field of botnets has evolved to address the main drawbacks of the client-server model. Peer-to-peer is the second main botnet model that has done away with the C2 server altogether. The bots in a peer-to-peer botnet act as both client and server so if one bot goes down, the botnet will not go down (or even be disrupted by any significant measure). This makes the peer-to-peer model a stronger, more versatile botnet structure. 

Typical botnet attacks

OK, so attackers can form networks of zombies. This connected, organized structure makes performing certain attacks much easier and more manageable. Below is a list of the common attacks from botnets:

Distributed Denial of Operations Service (DDoS)

This type of attack occurs when an attacker overburdens computational resources or causes massive consumption of the victim’s bandwidth. The most common types are UDP flood attacks and TCP SYN. Botnets are uniquely positioned for DDoS attacks because of the potentially high number of bots and their capability to operate in unison. 


This attack technique assists the C2 server in harvesting sensitive information about its targets. This capability can be configured to only start recording keystrokes after interesting words that may indicate sensitive information such as Visa, PayPal and so on.

Botnet spread

Sometimes botnets launch attacks that do not cause any loss of sensitive information for the victim but rather intend to spread or even start other botnets. This is called botnet spread and normally involves emails with infected attachments that convince the recipient to download software that spreads the botnet. 

Traffic monitoring and spamming

When a system becomes infected, the attack against the zombie does not stop when the bot is installed. Bots can be used to sniff the zombie system for sensitive information, including usernames and passwords. Bots also have the interesting ability to determine if competitor botnets are installed on its zombie machine and hijack them. 

Anti-botnet measures

Botnets are not that exotic as malware threats go, and preventive measures against them are relatively vanilla. Below is a list of proactive measures that may prevent your system from joining the proverbial army of the undead.

  • Cybersecurity training: Nothing beats the preventive power of good cybersecurity training, making it the top anti-botnet measure
  • Steer clear of sites that are hot spots of infection: Look, I get it. We all navigate to weird places on the web. Just make sure the ones you go to are not loaded with malware
  • Keep your system updated: If your operating system does not do this automatically by this point, configure it to do so if possible
  • Use a solid anti-malware solution
  • Monitor system processes that show data spikes associated with unknown processes


Botnets are networks of malware infected client systems, or bots, either controlled by a C2 server or by bots that can operate as both a client and a server. They make attacks easier to manage, especially when these attacks are dependent upon massive information traffic transmissions or spikes (DDoS). Fortunately, standard cybersecurity measures will make your system much less likely to become part of a botnet.



  1. Botnet Malware: What it is and how to fight it, We Live Security. 
  2. Botnets and Their Types, EC-Council Blog
  3. Botnet-driven DDoS Attacks Represent a Developing Cyberthreat, Corero
  4. Here’s What You Need to Know About Botnets, McAfee
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.