How Botnets Attack: Tricks of the Trade


Most of the spam that is sent today originates from botnets, which use several different techniques to get their unwanted messages past recipients’ mail filters. In addition to renting out their botnets to spammers, bot-herders also use the botnets’ spamming functionality themselves, sending out disguised copies of the bot malware (or hyperlinks to hosted copies of it) in an effort to increase the size of the network.

Attackers have traditionally found new potential victims by crawling the web or buying lists from other spammers. Bots can also be used to harvest high-quality email addresses directly from victims. For example, the HTTP botnet family Win32/Waledac searches through many different kinds of files on fixed and remote drives on compromised computers looking for addresses.

Bots can steal very specific information from computers, which makes them especially useful for spear phishing, a type of phishing attack that targets the employees or customers of a particular institution.

Spambots, as bots that send spam are sometimes called, also give attackers access to tens of thousands of computers or more that can be used to originate spam. Typically, a prospective spammer contacts a bot-herder to rent the services of a botnet. After the spammer and bot controller negotiate the product and price, the bot controller instructs each of the selected bots to start a proxy server, and typically provides the spammer with access to a webpage that lists the IP addresses of the selected bots and the ports on which they are running their proxy servers.
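A bot pressed into service as a spam proxy shows up on the network as a workstation that suddenly opens SMTP connections to many distinct Internet hosts. The following detection logic is an added example (not part of the original post): it parses constructed outbound-connection log lines in an assumed `src=... dst=... dport=...` format and flags internal hosts, other than the organisation's assumed authorised mail relay, that reach at least five distinct external SMTP destinations.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the original page). Assumed line format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=10.0.5.21 dst=203.0.113.10 dport=25 proto=tcp
2024-01-10T09:00:02 src=10.0.5.21 dst=198.51.100.7 dport=25 proto=tcp
2024-01-10T09:00:02 src=10.0.5.21 dst=192.0.2.44 dport=25 proto=tcp
2024-01-10T09:00:03 src=10.0.5.21 dst=203.0.113.77 dport=25 proto=tcp
2024-01-10T09:00:04 src=10.0.5.21 dst=198.51.100.90 dport=25 proto=tcp
2024-01-10T09:00:05 src=10.0.5.21 dst=192.0.2.13 dport=25 proto=tcp
2024-01-10T09:00:06 src=10.0.5.33 dst=10.0.1.5 dport=25 proto=tcp
2024-01-10T09:00:07 src=10.0.5.33 dst=203.0.113.10 dport=443 proto=tcp
2024-01-10T09:00:08 src=10.0.1.5 dst=203.0.113.10 dport=25 proto=tcp
2024-01-10T09:00:09 src=10.0.1.5 dst=198.51.100.7 dport=25 proto=tcp
2024-01-10T09:00:10 src=10.0.1.5 dst=192.0.2.44 dport=25 proto=tcp
2024-01-10T09:00:11 src=10.0.1.5 dst=203.0.113.77 dport=25 proto=tcp
2024-01-10T09:00:12 src=10.0.1.5 dst=198.51.100.90 dport=25 proto=tcp
2024-01-10T09:00:13 src=10.0.1.5 dst=192.0.2.13 dport=25 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Assumed values for this example: the internal address range, and the only
# host that is allowed to deliver mail to the Internet on the organisation's behalf.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
AUTHORISED_MAIL_RELAYS = {"10.0.1.5"}


def parse_connections(log_text):
    """Yield (src, dst, dport) tuples from lines in the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_spam_relay_suspects(log_text, min_distinct_dests=5):
    """Return {src: distinct_external_smtp_dests} for internal hosts that are not
    authorised relays yet open SMTP (TCP/25) connections to many distinct external
    hosts, the footprint of a bot being used to originate spam."""
    smtp_dests = defaultdict(set)
    for src, dst, dport in parse_connections(log_text):
        if dport != 25 or src in AUTHORISED_MAIL_RELAYS:
            continue
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # mail handed to the internal relay is expected behaviour
        smtp_dests[src].add(dst)
    return {s: len(d) for s, d in smtp_dests.items() if len(d) >= min_distinct_dests}


if __name__ == "__main__":
    for host, n in find_spam_relay_suspects(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct external SMTP destinations, possible spam relay")
```

The same rule, applied to a day of firewall or NetFlow records, gives a first-pass list of hosts to isolate and inspect; tune the threshold so that legitimate mail servers and monitoring systems are excluded.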


Phishing is a method of credential theft that tricks Internet users into revealing personal or financial information online. Attackers send messages purporting to be from a trusted institution, such as a bank, auction site, online game, or other popular website. These phishing messages—which are often generated and sent by bots, like spam—direct victims to webpages run by the attackers, where they are instructed to submit private information such as login credentials or credit card details.

Stealing Confidential Data

Many bots can be commanded to search a computer’s hard disks for personal information, including computer authentication credentials, bank account numbers and passwords, product keys for popular computer games and other software products, and other sensitive data. Some of the earliest malicious bots included the ability to transmit product keys back to the attacker, and such features are common in kit-based bots such as Win32/Rbot and Win32/Zbot.

Perpetrating Distributed Denial-of-Service (DDoS) Attacks

One of the oldest attacker uses of botnets is as a mechanism for launching distributed denial-of-service (DDoS) attacks. A denial-of-service (DoS) attack is an attempt to make a computer resource, such as network connectivity or a service, unavailable to its intended users. Typically, such attacks flood the resource with network traffic, which saturates its bandwidth and renders it unable to perform legitimate services. A DDoS attack involves multiple computers—such as those in a botnet—attacking a target at the same time, making it harder to defend against than an attack from a single computer. Several common bots, including Win32/Hamweq, Win32/Pushbot, and Win32/Waledac, have been observed participating in DDoS attacks.

Installing Malware and Potentially Unwanted Software

Bot-herders often use their botnets to download additional malware to victims’ computers to reap additional profits. Early botnets often focused on installing adware, spyware, and other potentially unwanted software in an effort to earn quick profits. In a typical incident in 2005, a bot-herder in California used the bot family Win32/Rbot to install adware on more than 20,000 computers as part of a pay-per-click advertising scheme that brought in more than U.S. $50,000, according to the U.S. Department of Justice.

[Figure: example of a drive-by download attack (image not reproduced)]

Next Blog: How to defend against botnets
