The IRC protocol is used by many applications to support simple text-based chatting environments. Because the earliest bots were derived from benign IRC bots (and probably also because IRC has many legitimate uses), this protocol is still the most common C&C mechanism used by bots. As shown in the following figure, IRC-based families account for the largest share of the botnet-infected computers cleaned by Microsoft desktop antimalware products in 2Q10, 38.2 percent.
C&C mechanisms used by botnet families in 2Q10, by number of unique computers reporting detections
Upon infection, the IRC clients built into the bot connect to a specified IRC server and channel like a typical chat client, and wait for instructions from the operator in the form of specially formatted text messages. Some of the more sophisticated bot operations have also encoded or encrypted bot commands in the channel topic, which is displayed to each client as it enters the channel. These commands can be complex enough to partition large botnets and give each subset its own task, which can be done based on country, network location, bot uptime, available bandwidth, and other variables. (See the section "How Do Botnets Work?" for more information and examples.)
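For defenders, the channel topic described above is a natural place to look in captured IRC traffic. The following is an added example, not taken from the report: it parses IRC lines, extracts the topic a server sends on channel entry (numeric 332) or on a `TOPIC` change, and flags topics that carry a base64-looking token. The host names, channel names, sample lines, and heuristic thresholds are constructed assumptions.

```python
import base64
import binascii
import re

# RFC 1459 framing: [":" prefix] command params [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::\S+ )?(?P<cmd>\S+)(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trail>.*))?$")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def topic_of(line):
    """Return (channel, topic) for RPL_TOPIC (332) or TOPIC lines, else None."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m or m["cmd"].upper() not in ("332", "TOPIC") or m["trail"] is None:
        return None
    params = m["params"].split()
    return (params[-1], m["trail"]) if params else None


def looks_encoded(topic):
    """Heuristic: a long mixed-class token that strictly decodes as base64."""
    for token in topic.split():
        mixed = (any(c.isdigit() for c in token)
                 and any(c.islower() for c in token)
                 and any(c.isupper() for c in token))
        if mixed and len(token) % 4 == 0 and B64_TOKEN.match(token):
            try:
                base64.b64decode(token, validate=True)
                return True
            except (binascii.Error, ValueError):
                continue
    return False


def flag_topics(lines):
    """Channels whose topic carries an encoded-looking token, for analyst review."""
    hits = []
    for line in lines:
        parsed = topic_of(line)
        if parsed and looks_encoded(parsed[1]):
            hits.append(parsed)
    return hits


# Constructed sample capture; the blob is a harmless placeholder string.
BLOB = base64.b64encode(b"constructed-sample-not-a-real-command").decode()
SAMPLE = [
    ":irc.example.net 332 guest41 #linux-help :Welcome! Read the FAQ | logs: https://example.org/logs",
    ":irc.example.net 332 host-8841 #z9 :" + BLOB,
    ":alice!a@example.org PRIVMSG #linux-help :how do I mount an ISO?",
]
```

A hit is a lead for review, not a verdict: legitimate channels sometimes put encoded strings in topics, and an encrypted topic that is not base64 will not match this check.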