Occasionally referred to as a “zombie army,” a botnet is a group of hijacked Internet-connected devices, each infected with malware that lets an attacker control it from a remote location without the knowledge of the device’s rightful owner. From the attacker’s point of view, these devices are computing resources that can be put to any malicious purpose, most commonly spam or DDoS attacks.
A single device can be compromised by several perpetrators at once, each using it for a different type of attack. For instance, a malware-infected personal computer could be ordered to hammer a website with requests as part of a larger DDoS attack while also running vulnerability scans on behalf of another operator, all as its owner browses the web, unaware of either activity.
DDoS Botnets and Botnet Tools
The originator of a botnet is commonly referred to as a “bot herder” or “botmaster.” This individual controls the botnet remotely, usually through intermediate machines known as command and control (C&C, or C2) servers.
The botmaster issues commands through the C&C server, and the bots retrieve them over covert channels: seemingly innocuous protocols such as IRC and plain HTTP, as well as popular services like Twitter, Facebook and even Reddit, where commands can be hidden in ordinary-looking posts or profile data.
C&C servers can also communicate and cooperate with one another, effectively forming a P2P network controlled by one or more botmasters. A given botnet DDoS attack may therefore have multiple origins or be directed by multiple individuals, sometimes working in coordination and sometimes independently.
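Because a bot that polls an HTTP C&C server tends to check in on a fixed schedule, one practical way to spot that channel in outbound traffic is to look for connection pairs whose inter-arrival times are unusually regular. The following is an added example written for this page, not code from the original article or from any product it describes. The proxy log format, the host names (c2.example.net and the others), the client address, and the thresholds (at least four hits, coefficient of variation of the intervals at most 0.15) are all assumptions made for the example, and the log lines are constructed.

```python
"""Beacon detection over constructed HTTP proxy log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for one client (not real traffic).
# Assumed format: <ISO timestamp> <client_ip> <method> <host> <path> <status> <bytes>
# c2.example.net is polled every ~300 s; mail.example.com is polled at irregular
# human-driven intervals; the other hosts are visited only once or twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 GET news.example.com /index.html 200 5123
2024-05-01T10:00:03 10.0.0.7 GET cdn.example.com /app.js 200 91230
2024-05-01T10:00:05 10.0.0.7 POST c2.example.net /gate.php 200 42
2024-05-01T10:01:00 10.0.0.7 GET mail.example.com /inbox 200 14402
2024-05-01T10:01:40 10.0.0.7 GET mail.example.com /inbox 200 14398
2024-05-01T10:02:17 10.0.0.7 GET shop.example.com /cart 200 7731
2024-05-01T10:05:05 10.0.0.7 POST c2.example.net /gate.php 200 41
2024-05-01T10:10:00 10.0.0.7 GET mail.example.com /inbox 200 15010
2024-05-01T10:10:04 10.0.0.7 POST c2.example.net /gate.php 200 43
2024-05-01T10:11:48 10.0.0.7 GET shop.example.com /checkout 200 9920
2024-05-01T10:12:00 10.0.0.7 GET mail.example.com /inbox 200 14455
2024-05-01T10:12:02 10.0.0.7 GET shop.example.com /pay 302 310
2024-05-01T10:15:06 10.0.0.7 POST c2.example.net /gate.php 200 42
2024-05-01T10:20:05 10.0.0.7 POST c2.example.net /gate.php 200 40
2024-05-01T10:27:00 10.0.0.7 GET mail.example.com /inbox 200 14380
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["bytes"] = int(event["bytes"])
        events.append(event)
    return events


def detect_beacons(text, min_hits=4, max_cv=0.15):
    """Flag (client, host) pairs whose connection inter-arrival times are unusually regular.

    The coefficient of variation (stdev / mean) of the intervals is close to 0 for a
    fixed-period check-in, which is how a simple HTTP bot polls its C&C server for
    commands. Human browsing produces bursty, irregular intervals with a high CV.
    Thresholds are assumptions for this example and must be tuned per environment.
    """
    by_pair = defaultdict(list)
    for event in parse_log(text):
        by_pair[(event["client"], event["host"])].append(event["ts"])

    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:                      # duplicate timestamps; avoid division by zero
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "mean_interval": mean,
                "cv": cv,
            })
    findings.sort(key=lambda f: f["cv"])   # most regular first
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"period {f['mean_interval']:.0f}s, CV {f['cv']:.3f}")
```

On the constructed log only the 10.0.0.7 to c2.example.net pair is reported (five POSTs about 300 seconds apart, CV under 0.01); the mail host is polled five times too but at irregular intervals and is not flagged. Real bots often add random jitter to the sleep between check-ins, which pushes the CV above a strict threshold, so in practice this signal is combined with others such as near-identical response sizes, a fixed URL path, and destinations with no prior reputation.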
Botnets-for-hire are available from various sources, and their services are often auctioned and traded among attackers. Online marketplaces have even sprung up: commercial operations trading in huge numbers of malware-infected PCs, which can be rented for DDoS or other attacks (e.g., brute force).
These platforms, often hiding behind the ambiguous labels “stresser” or “booter,” sell DDoS-as-a-service. They provide their clients with a feature-rich toolkit and a distribution network, so that attacks can be launched on demand.