The use of HTTP as a botnet C&C mechanism has increased in recent years as malware authors have moved beyond the first generation of malicious bots, although HTTP bots are still responsible for fewer infections than IRC bots. HTTP has the advantage of being the primary protocol for web browsing, which means that botnet traffic may be more difficult to detect and block. HTTP may be used to facilitate control either by having the bot sign in to a site that the bot controller operates, or by having the bot connect to a website on which the bot controller has placed information that the bot knows how to interpret as commands. This latter technique has an advantage in that the controller doesn’t need to have an affiliation with the website. Some botnets even use blogs or social networking accounts for C&C, such as Win32/Svelta, a family discovered in 2009 that receives instructions from specially coded entries the attacker posts on the Twitter social networking service.
The HTTP protocol is also commonly used by bots to download updates and other malware, regardless of which C&C mechanism the bots use. Many bots include their own HTTP servers for hosting phishing websites or illegal content such as child pornography, or to provide an HTTP proxy that enables bot-herders to hide the location of their main (and usually illegal) websites.
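The following added example (not part of the original text) sketches how a defender might look in web proxy logs for the second C&C technique described above, in which a bot repeatedly connects to a website to read commands. It assumes the bot polls at a near-constant interval, which the text does not state; the log format, addresses, URLs and thresholds are constructed for illustration.

```python
# Added example: flag (client, URL) pairs fetched at a near-constant interval.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: ISO timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2009-08-14T09:00:02 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:05:01 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:10:03 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:15:02 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:20:01 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:25:03 10.0.0.21 GET http://status.example/user/feed
2009-08-14T09:01:10 10.0.0.35 GET http://news.example/
2009-08-14T09:02:45 10.0.0.35 GET http://news.example/
2009-08-14T09:17:30 10.0.0.35 GET http://news.example/
2009-08-14T09:18:05 10.0.0.35 GET http://news.example/
2009-08-14T09:40:12 10.0.0.35 GET http://news.example/
truncated line
"""

def parse(log_text):
    """Yield (timestamp, client, url) for each well-formed GET line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # skip malformed lines and other methods
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        yield ts, parts[1], parts[3]

def find_pollers(log_text, min_requests=5, max_jitter=0.1):
    """Return sorted (client, url, mean_gap_s) whose request gaps are near-constant."""
    seen = defaultdict(list)
    for ts, client, url in parse(log_text):
        seen[(client, url)].append(ts)
    hits = []
    for (client, url), times in seen.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low value means machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, url, round(avg)))
    return sorted(hits)
```

Legitimate software such as feed readers and update checkers also polls on a fixed schedule, so a hit is a lead for review against known-good destinations rather than a verdict.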