What is a botnet?
A botnet is a network of computers or other devices that have been infected by malware and are under the control of a single attacking party, often referred to as a botmaster or bot herder. The computers become "bots," short for robots, because they are now under the control of the attacker and can be directed to perform tasks without the knowledge or consent of their owners.
The owners of the infected computers may not realize their machine is part of a botnet, as the malware is usually designed to run without noticeably affecting the computer's performance. Botnets can be difficult to dismantle because they're often dispersed geographically and the botmaster is typically careful to maintain anonymity.
Why can a RAT be called a botnet?
RAT is short for Remote Administration Trojan/Tool. A RAT is a type of malware that allows an attacker to take control of a system remotely. It provides the attacker with complete control over the infected system and can be used to perform a variety of malicious or administrative activities, for example surveillance, file management and others.
As already mentioned, a botnet, on the other hand, is a network of infected machines, often controlled by a single attacker or group. Each individual computer in the botnet, known as a "bot", can be controlled remotely, typically to perform tasks in coordination with the other bots in the network. While a botnet might execute a RAT or similar malware on infected devices, the key distinction of a botnet is its networked, coordinated nature.
So, while a RAT might be used in the creation of a botnet, they are not the same thing. A single computer infected with a RAT is not a botnet, but if an attacker uses a RAT to infect and control multiple machines, then that network of compromised machines could be considered a botnet.
Some terms and definitions.
There are many types of botnets; we will try to cover the majority of the basic knowledge, including dividing botnets into different categories.
We will start by explaining a few commonly used terms in discussions about botnets.
- C2 / C&C: Short for Command and Control, this refers to the mechanism or server that the botmaster uses to manage the botnet, control bots, send tasks, receive data from the bots etc.
- Botmaster / Bot herder: The individual or group who controls and commands the botnet.
- Zombies: The individual machines that are part of a botnet. They are often referred to as "zombies" because they are under the control of the botmaster and perform tasks without the knowledge or consent of their owners.
- Bot: Short for robot, this is another term for the individual machines that are part of a botnet.
- Botnet: A network of infected machines, under the control of a botmaster.
- Payload: In terms of botnets, a payload is perceived as the actual malicious file or virus that infects a device. In this context it is the "virus" that gets downloaded onto your computer, often without your knowledge. This could be in the form of an executable (.exe) file, a script, a macro, or any other type of file that can run code on your computer. The payload might be hidden inside another file or program, delivered as an email attachment, or downloaded from the internet by another piece of malware.
- Botnet Loader: A loader is usually perceived as the most basic function in a botnet. In other words it is usually the "core" function of the botnet, used to keep bots connected to the C&C. This function comes with the ability to download and execute another file; the download-and-execute task can be highly customizable, so it allows the attacker to drop and execute other malware according to their exact needs. In other words, a botnet loader could be described as a type of malware whose primary function is to install or "drop" other malware onto the infected system.
- Malware: A general term for malicious software, which can include the software used to create a botnet, as well as other types of malicious software like viruses, worms, Trojans, ransomware, and spyware.
- Dropper/Downloader: Dropper/Downloader is a type of malware that is used to install and execute more complex or malicious software onto a target's system. Droppers and downloaders are often used as the first stage in multi-stage attacks. They're typically small and lightweight, making them easy to distribute and less likely to be detected by antivirus software. Their main job is to get the "foot in the door" so that the more serious malware can be installed.
While the terms "dropper" and "downloader" are often used interchangeably, some make a distinction between the two: a dropper carries the additional malware embedded in its own code and "drops" it onto the system after infection, while a downloader downloads the additional malware from a remote server after the initial infection.
- Crypters: Crypters are legal encrypting tools. In the context of malware and botnets, a "crypter" is a type of software tool used by cybercriminals to hide malicious programs from antivirus software. Crypters work by encrypting or obfuscating the code of the malware to make it unrecognizable to many types of antivirus software.
When the crypter is used to hide a piece of malware, it effectively wraps the malicious code inside a layer of encryption. The result is a new file, known as the stub, which looks and behaves like a non-malicious file to an antivirus scanner. When this file is executed on a victim's system, it decrypts the original malware code and runs it.
When it comes to crypters there is a whole series of choices; if you want to learn specifically about crypters you may read my other thread -
https://hackforums.net/showthread.php?tid=6233658
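As an added example (not part of the original post), here is the check a defender or analyst typically runs first against the stub described above: a crypted payload is an encrypted blob, and encrypted bytes look close to uniformly random, so a sliding Shannon-entropy measurement over a file will show windows scoring near 8 bits per byte where the hidden payload sits. The samples below are constructed (plain ASCII text standing in for a normal binary's code and strings, deterministic pseudo-random bytes standing in for the encrypted payload), and the window size and thresholds are assumptions chosen for this sample, not tuned production values.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 1024):
    """Entropy of each fixed-size window, so an encrypted region stands out
    even when the rest of the file is ordinary code and strings."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_encrypted(data: bytes, chunk_size: int = 1024,
                    threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the windows score at or above threshold.
    Threshold values are assumptions for this example. Compressed or packed data
    scores just as high, so treat this as a triage signal, not proof of a crypter."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


# Constructed samples (not real malware): readable text as a stand-in for a
# normal binary's code and strings, and deterministic pseudo-random bytes as a
# stand-in for a properly encrypted payload carried inside a stub.
PLAIN_SAMPLE = b"This is ordinary program text and strings. " * 40
_rng = random.Random(1234)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        ents = chunk_entropies(blob)
        print(f"{name}: windows={len(ents)} max_entropy={max(ents):.2f} "
              f"flagged={looks_encrypted(blob)}")
```

The per-window view matters more than a whole-file average: a stub is mostly ordinary loader code with one high-entropy region, and averaging over the file would wash that region out. Legitimate installers, packed games and archives also score high, so the result is a reason to look closer, not a verdict.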
Typical botnet scenario.
The infection process generally follows these steps:
1. Infection/Delivery: The botnet loader first needs to infect a system. This might happen through a variety of methods. The payload, often hidden within seemingly harmless files or programs, reaches the user's system. This can be achieved through various means such as email attachments, software downloads, visiting malicious websites, more sophisticated exploits or even through physical media like USB drives. Almost anything could be a potential first point of infection.
2. Communication: Once the system is infected, the bot typically communicates back to a command and control (C&C) server. This is a server controlled by the attacker, which the bot contacts to receive its instructions. When the connection is established, the bot performs the actions it has been programmed to do. This could be anything from stealing personal information, encrypting files for a ransomware attack, downloading and executing other malware, and many other tasks.
3. Propagation: Many types of malware also include a propagation mechanism in their payload, which allows them to spread to other systems. This could involve scanning for network vulnerabilities, copying itself onto removable drives, or even using platforms such as Facebook, Discord, Telegram etc. to send a malicious attachment to other people.
In essence, the botnet loader is a first-stage infection. Its job is to gain a foothold on the system and then bring in the real threat, the second-stage payload. This makes botnet loaders a critical component of many malware attacks, as they enable the attacker to install any malware they choose on the infected system.
Botnet loaders can be sophisticated pieces of malware in their own right. They often employ a variety of techniques to avoid detection, such as obfuscating their code to make it harder to analyze, or using evasion techniques to avoid being detected by antivirus software. This makes them a significant threat and a challenging problem in cyber-security.
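Step 2 above is where the defender has the best view: a bot that must keep checking in with its C&C produces connections on a timer, and timer-driven traffic has a signature that human browsing does not. The following is an added example, not code from the original post, of the classic beaconing check: group connections by (source, destination, port, protocol), take the gaps between successive connections, and flag flows whose gaps are nearly constant (low coefficient of variation) even when the bot adds some jitter. The log lines and their format are constructed for this example, the IP addresses are documentation ranges, and the minimum-connection and jitter thresholds are assumptions, not tuned values.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not from any real capture).
# Format per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
# 10.0.0.5 contacts one external host roughly every 60 s with a few seconds
# of jitter (beacon-like); 10.0.0.7 contacts another host in irregular bursts
# (browsing-like).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:01:02 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:01:59 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:03:01 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:03:58 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:05:00 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:06:03 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:06:58 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T10:00:10 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:00:12 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:00:57 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:00:58 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:05:58 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:06:05 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:06:06 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T10:06:44 10.0.0.7 198.51.100.20 443 tcp
"""


def parse_lines(text):
    """Parse the constructed log format into (timestamp, src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return records


def intervals_by_flow(records):
    """Group connections by (src, dst, port, proto) and return, per flow,
    the gaps in seconds between successive connections in time order."""
    stamps = defaultdict(list)
    for ts, src, dst, port, proto in records:
        stamps[(src, dst, port, proto)].append(ts)
    gaps = {}
    for flow, times in stamps.items():
        times.sort()
        gaps[flow] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Flag flows whose connection gaps are nearly constant.
    The coefficient of variation (stdev / mean) of the gaps stays low for a
    timer-driven beacon even with jitter, and is high for human-driven traffic.
    min_connections and max_cv are assumptions for this sample, not tuned values."""
    hits = []
    for flow, gaps in intervals_by_flow(records).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few observations to judge periodicity
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "flow": flow,
                "connections": len(gaps) + 1,
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_lines(SAMPLE_LOG)):
        src, dst, port, proto = hit["flow"]
        print(f"beacon candidate: {src} -> {dst}:{port}/{proto} "
              f"({hit['connections']} connections, ~{hit['mean_interval_s']} s apart, "
              f"cv={hit['cv']})")
```

Run against the sample, only the 10.0.0.5 flow is reported (eight connections about 60 s apart, cv around 0.05), while the bursty 10.0.0.7 flow has a cv well above 1 and is ignored. On real proxy or firewall logs the same grouping works, but software update checks and monitoring agents also beacon on timers, so the output is a list to triage against known-good destinations rather than an alert on its own.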
Division of botnets according to different criteria.
Botnets can be categorized based on the communication protocol they use to connect with their command and control (C&C) servers. Below are some common categories.
- HTTP-based Botnets: These botnets use the Hypertext Transfer Protocol (HTTP), which is the foundation of data communication on the World Wide Web. HTTP-based botnets often use a central C&C server from which the bots receive their instructions. In this case usually a web-panel is used to control bots and send specified tasks.
- IRC-based Botnets: Internet Relay Chat (IRC) was one of the earliest protocols used by botnets for C&C communication. In this case an IRC server is used to control the bots and send specified tasks. The IRC protocol is obsolete and deprecated, therefore nowadays it is rarely used as a C2.
- TCP-based Botnets: Transmission Control Protocol (TCP) is a fundamental protocol for network communication. TCP-based botnets often use a central C&C structure, similar to HTTP and IRC botnets. TCP is a reliable protocol that ensures the delivery of packets, making it suitable for controlling botnets. In this case a GUI (Graphical User Interface) is used as the C2 to control bots and send tasks.
- UDP-based Botnets: User Datagram Protocol (UDP) is another core communication protocol. Unlike TCP, it's connectionless and doesn't guarantee packet delivery, making it less reliable but potentially faster. UDP can be used by botnets in a variety of ways, including both centralized and P2P structures. Personally I haven't seen a botnet that relies only on the UDP protocol.
- Social Media-based Botnets: In an effort to avoid detection, some botnets use social media platforms for C&C communication. These botnets use posts on platforms like Twitter, Discord or Telegram to deliver instructions to their bots, usually utilizing the WebSocket protocol.
Botnets can be categorized by their core functionality or the main purpose they are designed to serve. Below are some of these categories.
- Loader Botnets: Also known as dropper botnets, these are designed to download and execute other types of malware on the infected machine. They essentially pave the way for further attacks.
- Stealer Botnets: These botnets are designed to steal sensitive information from the infected machines. This can include credentials (like usernames and passwords), financial information, personal information, and other types of data that can be exploited.
- HVNC (Hidden Virtual Network Computing) Botnets: These botnets use a technique that creates a hidden desktop that is invisible to the user, allowing the botnet to perform activities without detection. They often use this hidden desktop to interact with websites, online banks, or other web services as if they were the legitimate user.
- DDoS Botnets: These botnets are specifically designed to launch Distributed Denial of Service (DDoS) attacks, which overwhelm a target's resources, making their network or service unavailable to users.
- Banking Botnets: These botnets specialize in targeting financial institutions. They often employ tactics like keylogging, web injects, and form grabbing to steal banking credentials and other financial information.
- Spambot Botnets: These botnets focus on sending out spam emails. This can be to spread more malware, send phishing emails, or inundate users with unwanted advertising.
- Ransomware Botnets: These botnets distribute ransomware, a type of malware that encrypts the user's data and demands a ransom to unlock it.
- Click Fraud Botnets: These botnets engage in click fraud, which involves artificially inflating the number of clicks on a pay-per-click ad.
What are botnets used for?
Botnets can be used to perform a variety of malicious activities, including but not limited to:
- Distributed Denial of Service (DDoS) attacks: The botnet is used to flood a targeted system (often a web server) with traffic, overloading it and causing it to become unresponsive to legitimate requests.
- Spamming: Botnets can be used to send out vast amounts of spam email, often used in phishing attacks or to distribute malware further.
- Credential harvesting: The infected computers can be used to gather sensitive information such as usernames, passwords, and credit card details.
- Click Fraud: Botnets can simulate clicks on online advertisements to generate fraudulent revenue for the attacker.
- Cryptocurrency mining: Bots can be harnessed to perform the computational tasks required to mine cryptocurrencies like Monero, Ethereum Classic, Kaspa, Nexa and others.
- Advanced Persistent Threats (APTs): Some sophisticated attackers use botnets as part of APTs, long-term attacks that aim to steal data without being detected.
- Adware Distribution: Botnets can be used to spread unwanted advertising software that generates revenue by displaying unwanted ads on the infected computers.
- Spyware Distribution: Similarly, botnets can spread spyware, software that spies on user activity to gather information without the user's knowledge.
- Ransomware Attacks: Botnets can also distribute ransomware, which encrypts users' files and demands a ransom to restore access.
- Identity Theft: The sensitive information gathered by botnets can be used for identity theft, in which the attacker impersonates the victim for fraudulent purposes.
- Spreading Misinformation: On social media platforms, botnets can be used to amplify messages, artificially increase likes or shares, or to spread misinformation or propaganda.
- Traffic Scanning: Some botnets scan internet traffic to identify vulnerable devices or networks, which can then be exploited or attacked.
- Creating Fake Traffic: Botnets can be used to create fake internet traffic for a variety of purposes, such as making a website appear more popular than it really is, botting views of a video or post on a social media platform, and so on.
How to find out if the malware you want to buy is worth the money?
Even without technical knowledge it is really easy to find out the details about the malware you are interested in. All you need to do is to search for its detailed analysis and exposed spreading campaigns.
Let's take a few botnets into consideration*:
- xLoader
- QOntioX, NiwX, pQVNCx, PhoneXStealer.
*Feel free to take any other names to this experiment, the results will be the same.
So now we use our favourite search engines to find out more details about the specific malware. We search for:
"xloader malware analysis"
"xloader malware campaign"
As a result we can see hundreds if not thousands of detailed analyses of different payloads collected over many years, along with details of the campaigns they were used in.
This is a clear indicator that this malware is being used by many threat actors and cyber-criminal groups.
Now we try to do the same for the shitty malware, i.e. QOntioX, NiwX, pQVNCx, PhoneXStealer.
The results are obvious.
There is not a single detailed analysis of this malware.
There is not a single malware campaign which used it.
This is a clear indicator that this malware is not worth a penny. Nobody uses it, mostly because it doesn't work properly, and in general it is just a waste of time and money.