How a Botnet Attack Works
The goal of a botnet attack is to hijack Internet-connected devices such as computers and smartphones and turn them into "zombies" under the attacker's control. The hacker, called a bot herder or the master of the botnet, uses this army of bots to carry out attacks planned in secret. These attacks may be designed to steal data, deliver ransomware, or launch distributed denial-of-service (DDoS) attacks.
The first step in building a botnet is infecting a large number of devices with malware. The infected bots are then instructed to connect back to the attacker's command and control (C&C) servers to receive new instructions. Hackers have several ways to do this, from covert channels on Internet Relay Chat (IRC) servers to communicating with the bots over peer-to-peer (P2P) networks. Once the bots are connected to the C&C server, they can start executing commands.
The hacker can control the bots using remote administration tools (RATs): rogue applications that are installed without the victim's knowledge or permission. RATs include spyware, Trojan horses, keyloggers and other malware that give the threat actor remote access to a computer or device. The bot herder can also recruit more systems using Trojans that redirect web browsers to fake software-update websites, or fake advertising banners that trick victims into clicking on them. Traditionally, the C&C structure of a botnet is centralized, but a single centralized server is far easier to shut down than a large network of devices spread across many locations. That is why some seasoned hackers now opt for P2P botnets, where the responsibility for relaying commands is embedded in every bot, allowing the bots to function independently of any single server.
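A defender-side check for the check-in behaviour described above, added here as an example and not taken from the original article: it parses a constructed outbound-connection log and flags source/destination pairs that reconnect on a near-constant timer, the tell-tale pattern of a bot polling a centralized C&C server. All IP addresses, ports and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_ip dst_port" per outbound connection.
# 10.0.0.5 contacts 203.0.113.7:6667 every 60 s, like a bot checking in with a C&C server;
# 10.0.0.9 contacts 198.51.100.2:443 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:00:03 10.0.0.9 198.51.100.2 443
2024-01-01T10:01:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:02:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:02:41 10.0.0.9 198.51.100.2 443
2024-01-01T10:03:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:03:20 10.0.0.9 198.51.100.2 443
2024-01-01T10:04:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:05:00 10.0.0.5 203.0.113.7 6667
2024-01-01T10:09:12 10.0.0.9 198.51.100.2 443
2024-01-01T10:11:30 10.0.0.9 198.51.100.2 443
"""

def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in text.split("\n"):
        if line.strip():
            ts, src, dst, port = line.split()
            flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Flag flows whose inter-connection intervals are nearly constant.
    Jitter = stdev(intervals) / mean(intervals): a bot polling its C&C on a
    fixed timer scores near 0, human browsing much higher. Thresholds are illustrative."""
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = {"count": len(times), "period_s": avg, "jitter": pstdev(gaps) / avg}
    return beacons

if __name__ == "__main__":
    for key, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

Real bots often randomize their sleep interval, so in practice this check is combined with other signals (unusual destinations, ports such as IRC's 6667, connection counts) rather than used alone.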