How Does Botnets Work?

Controlling the Botnet

After a bot infects a computer, it attempts to contact its C&C server for instructions. A typical communication that can be observed after a successful infection might look like the following excerpt:

<- :irc.XXX.XXX NOTICE AUTH :*** Looking up your hostname...
<- :irc.XXX.XXX NOTICE AUTH :*** Found your hostname
-> PASS s3rv3rp455
-> NICK [d1f]-511202
-> USER hlxahl 0 0 :hlxahl
<- :irc.XXX.XXX NOTICE [d1f]-511202 :*** If you are having problems connecting due to ping timeouts, please type /quote pong SF125722 or /raw pong SF125722 now.
<- PING :SF125722
-> PONG :SF125722
<- :irc.XXX.XXX 001 [d1f]-511202 :Welcome to the irc.XXX.XXX IRC Network [d1f]-511202!hlxahl@heh
<- :irc.XXX.XXX 002 [d1f]-511202 :Your host is irc.XXX.XXX, running version Unreal3.2.7
<- :irc.XXX.XXX 003 [d1f]-511202 :This server was created Mon Sep 10 2007 at 20:30:33 PDT
<- :irc.XXX.XXX 004 [d1f]-511202 irc.XXX.XXX Unreal3.2.7 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj

After connecting, the bot tries to join the operator’s channel as configured:

-> JOIN #[d1f] channelpassword
-> MODE [d1f]-511202 +iwx

If the topic does not contain any instructions for the bot it remains idle in the channel, awaiting commands.

To control the bots, bot-herders enter the channel like ordinary IRC users and issue specially formatted commands. With some commands, such as commands to collect and report information about the victim’s computer, the bots report their results as chat messages within the IRC channel, or save them locally as files that the herder can retrieve later. Depending on the capabilities of the bot malware, bot-herders can execute a wide range of actions, as described in "How Botnets Are Used.”. A brief selection of typical botnet commands, in this case from the Win32/Rbot family, provides an idea of the kinds of operations a herder can execute:

  • .capture. Generates and saves an image or video file. Depending on the parameters used, this file could be a screenshot of the victim’s desktop or a still image or video from the victim’s webcam. The operator can recover the saved picture using the .get command.
  • .ddos.syn, .ddos.ack, .ddos.random. Launches a DDoS attack on a specified IP address for a specified length of time.
  • .download. Downloads a file from a specified URL to the victim’s computer and optionally executes it.
  • .findfile. Searches for files on the victim’s computer by name and returns the paths of any files found.
  • .getcdkeys. Returns product keys for software installed on the victim’s computer.
  • .keylog. Logs the victim’s keystrokes and saves them to a file.
  • .login, .logout. Authenticates the bot-herder with the bots. Before issuing commands to any bots in the channel, the bot-herder must use the .login command with a password that is specified in the bots’ configuration data so the bots will recognize the bot-herder as an authorized controller.
  • .open. Opens a program, an image, or a URL in a web browser.
  • .procs. Lists the processes running on the victim’s computer. Other commands can then be used to kill processes by name or ID.

Top of page Top of Page

Featured Articles


United States Change All Microsoft Sites



Was the information in this article helpful?