How botnets expand and how to protect against them

A botnet is a group of infected computers (also known as bots or zombie machines) controlled by an attacker, the botmaster. Botnets are a major threat to every server and are one of the fundamental building blocks of the cybercrime industry. Zombie machines can be personal computers, mobile devices or even servers.

Today we will focus on botnets formed by infected Linux servers. Server-based botnets are especially valuable for the bad guys, because servers typically have large amounts of resources such as CPU, memory and, most importantly, internet bandwidth, with trusted and in many cases unrestricted upload capacity. Servers typically operate 24 hours a day, 7 days a week and have at least one fixed IP address. In many cases servers already have every component the attackers need to operate. As there is a huge demand for high-capacity botnets on the dark markets for purposes like sending spam, various DoS attacks and similar cybercrimes, there are more and more botnet infections that servers have to face.

Every botnet has some common characteristics, the building blocks of the system. The basic blocks are the zombie machines, a command and control (a.k.a. C&C) node and a communication link between the zombies and the C&C node. This architecture is called a centralized botnet and it is still the most popular one. There are others, like peer-to-peer setups, but we won’t cover them in this article.

So how do the bad guys create their large botnets? There are 6 steps every zombie server goes through in the process of joining a botnet and operating in it.


The first step of finding new members for a botnet, or even finding the very first member, is scanning for vulnerable hosts. The scanner is specialized for a specific vulnerability, or a set of vulnerabilities, that the botnet is able to exploit. For example, a very common scan looks for well-known PHP CMS systems like WordPress, Joomla and Drupal. These CMS systems have many remote vulnerabilities and can easily be misconfigured, and it is quite easy to check a server for their presence.

In the example below you can see such a scan detected by BitNinja’s log analysis module. It is vital to set up a defense line at this stage, as it is an early stage at which attackers are relatively easy to stop. Detection is easy, but unfortunately, with the wrong tools, it is also easy to produce false positives and blacklist innocent IPs at this stage.

That is why BitNinja uses greylisting (read more about greylisting on our doc site) instead of blocking. This way false positives can be eliminated. There are other scans for specific server software versions and for detecting different vulnerabilities. Setting up honeypot traps is very effective at this stage. Modern botnets use many different bots to scan a particular server. Sometimes, when large botnets expand, they make only one scan request per IP.

This is called distributed scanning. By using distributed scanning, botnets can avoid detection by simple log analyzers. The only way to fight such botnets is a distributed protection system (like BitNinja).



Using honeypots and log analysis is useful and effective in this phase. Detecting distributed scans requires a distributed and interconnected defense system.
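As an added illustration (example code, not BitNinja’s), the Python script below shows the two detection ideas of this phase together: counting CMS probe requests per source IP in one server’s access log, and merging those counts across several servers so that a distributed scan that sends only one probe per server still reaches the greylisting threshold. The log lines, IP addresses, probe paths and the threshold of 3 are all constructed for the example.

```python
import re
from collections import defaultdict

# Entry points of WordPress, Joomla and Drupal that CMS scanners request.
# Constructed list for this example; extend it for the CMSs you actually host.
CMS_PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/",
                   "/administrator/", "/user/login")

# Apache/nginx combined log format: ip ident user [date] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, path, status) for a combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def is_cms_probe(path, status):
    # A 404 for a CMS entry point is a scan signal: real visitors rarely ask a
    # non-WordPress site for /wp-login.php, but scanners ask every host.
    return status == 404 and any(path.startswith(p) for p in CMS_PROBE_PATHS)

def probe_counts(lines):
    """Count CMS probes per source IP in one server's log."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_cms_probe(parsed[1], parsed[2]):
            counts[parsed[0]] += 1
    return dict(counts)

def merge_counts(per_server):
    """Sum per-IP probe counts reported by several servers (distributed log analysis)."""
    total = defaultdict(int)
    for counts in per_server.values():
        for ip, n in counts.items():
            total[ip] += n
    return dict(total)

def greylist(counts, threshold=3):
    """IPs whose probe score reached the threshold. They are greylisted
    (challenged, and released if they turn out to be legitimate), not blacklisted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def _line(ip, path, status):
    # Build a constructed combined-format log line.
    return f'{ip} - - [10/Jan/2016:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 162 "-" "Mozilla/5.0"'

# Constructed logs of three servers. 203.0.113.9 hammers server A alone,
# while 203.0.113.5 and 203.0.113.6 send exactly one probe to each server.
SERVER_LOGS = {
    "server-a": [
        _line("203.0.113.9", "/wp-login.php", 404),
        _line("203.0.113.9", "/xmlrpc.php", 404),
        _line("203.0.113.9", "/administrator/index.php", 404),
        _line("203.0.113.9", "/user/login", 404),
        _line("203.0.113.5", "/wp-login.php", 404),
        _line("203.0.113.6", "/administrator/", 404),
        _line("198.51.100.7", "/index.html", 200),
        _line("198.51.100.7", "/wp-login.php", 200),  # a real WordPress login, not a probe
    ],
    "server-b": [
        _line("203.0.113.5", "/xmlrpc.php", 404),
        _line("203.0.113.6", "/user/login", 404),
    ],
    "server-c": [
        _line("203.0.113.5", "/administrator/", 404),
        _line("203.0.113.6", "/wp-login.php", 404),
    ],
}

def local_greylists(server_logs=SERVER_LOGS):
    """What each server sees on its own: only the noisy scanner is caught."""
    return {name: greylist(probe_counts(lines)) for name, lines in server_logs.items()}

def distributed_greylist(server_logs=SERVER_LOGS):
    """What the servers see together: the one-probe-per-host scanners surface too."""
    return greylist(merge_counts({n: probe_counts(l) for n, l in server_logs.items()}))

if __name__ == "__main__":
    print("per-server:", local_greylists())
    print("distributed:", distributed_greylist())
```

Run on its own, the script greylists only 203.0.113.9 when each server judges its own log, but all three scanners once the counts are merged. The greylist here is just the decision step; what you do with a greylisted IP (challenge it, rate-limit it, release it after a quiet period) is a separate policy.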

Related BitNinja modules/functions:

  • port honeypots
  • greylisting
  • log analysis
  • distributed log analysis
  • web honeypot




After the identification of a vulnerability, the process moves on to the next phase: exploiting the vulnerability. This phase is about actually carrying out the attack and opening a door into your system. There are many different kinds of exploits attackers can use. Some categories, based on the vulnerability:

  • SQL injection
  • Code injection
  • Brute force
  • etc.

Often there is a time lag between the scan and the actual exploit, and a different IP is used for scanning than for applying the exploit, to avoid detection. This phase is about opening a channel to gain higher privileges and step into the next phase of infection.


Detecting the actual exploit requires deep analysis of the malicious request at the application level. Web application firewalls and other application-level solutions can help to detect and stop attacks at this phase. Some of the requests can be detected using log analysis too, but this is not sufficient, as the damage has already been done by the time you detect the request. IP reputation can be useful to keep automated exploit attempts and 0-day attack requests away from your server.
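Here is an added example in Python (not BitNinja’s WAF) of the two checks this phase calls for: an IP reputation lookup before any parsing, and a small set of application-level rules for the exploit categories listed above. The reputation set, the rule patterns and the sample requests are constructed for the example; a real WAF rule set is far larger and also checks protocol conformance.

```python
import re
from urllib.parse import unquote_plus

# Constructed reputation list: sources already seen exploiting other hosts. In
# practice this is a shared feed; the addresses here are documentation ranges.
BAD_REPUTATION = {"203.0.113.66", "203.0.113.67"}

# Minimal rule set for the exploit categories named above (constructed patterns).
RULES = [
    ("sqli", re.compile(
        r"(?i)(union\s+(all\s+)?select|'\s*or\s*'?\w+'?\s*=\s*'?\w+|;\s*drop\s+table)")),
    ("code_injection", re.compile(
        r"(?i)(<\?php|\b(eval|system|passthru|shell_exec)\s*\(|base64_decode\s*\()")),
    ("path_traversal", re.compile(r"(\.\./){2,}")),
]

def normalize(value):
    """Decode URL encoding twice so double-encoded payloads still match the rules."""
    return unquote_plus(unquote_plus(value))

def inspect_request(ip, path, query="", body="", reputation=BAD_REPUTATION):
    """Decide whether a request may reach the application.

    Returns a dict with 'action' (allow/block), 'reason' and the rule hits as
    "rule:field" strings. Reputation is checked first: a known-bad source is
    refused before any payload is parsed, which also keeps out 0-day attempts
    from that source that no signature would match."""
    if ip in reputation:
        return {"action": "block", "reason": "ip_reputation", "hits": []}
    hits = []
    for field, value in (("path", path), ("query", query), ("body", body)):
        text = normalize(value)
        for name, rx in RULES:
            if rx.search(text):
                hits.append(f"{name}:{field}")
    if hits:
        return {"action": "block", "reason": "waf", "hits": hits}
    return {"action": "allow", "reason": "", "hits": []}

if __name__ == "__main__":
    # Constructed requests: an ordinary page view, an SQL injection attempt,
    # a PHP code injection attempt in a POST body and a request from a bad source.
    samples = [
        ("198.51.100.7", "/index.php", "page=about", ""),
        ("198.51.100.8", "/index.php", "id=1%27%20OR%20%271%27%3D%271", ""),
        ("198.51.100.9", "/upload.php", "", "content=%3C%3Fphp%20echo%201%3B"),
        ("203.0.113.66", "/index.php", "page=about", ""),
    ]
    for ip, path, query, body in samples:
        print(ip, path, inspect_request(ip, path, query, body))
```

The order matters: the reputation check is cheap and needs no parsing, so it runs first; the rule matching runs over the decoded path, query and body separately so the hit tells you which part of the request carried the payload, which is what you want in the incident log.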

Related BitNinja modules:

  • Web Application Firewall module
  • IP reputation




Botnet expansion software will infect some files on your system once it gains access, to set up a backdoor it can use to come back any time later, even if the original vulnerability it exploited has been fixed.

The classic backdoors were binary programs installed on servers, but in the age of CMS systems and scripting languages it is enough to upload a script suitable for the server environment, like a PHP, Perl, Python or bash script, and hide it in an unexpected subdirectory.

In the first figure you can see the simplest backdoor written in PHP. The second is a more complex one, designed to avoid pattern-based malware detection. This is a good example of self-mutating malware, which is quite challenging for pattern-based virus detection mechanisms to detect.


Although there are mechanisms to keep attackers away, it is very challenging to stop the infection at this point, as the attacker already has a door and has gained more privileges, so they can upload content. Virus detection systems work on this layer, and they are overvalued. You should take steps to prevent attackers from reaching this point. Anti-malware software and web application firewalls can help you at this phase.
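As an added example (not BitNinja’s malware module, which the page only announces), the Python scanner below goes beyond a single literal signature: it scores each PHP file by a few heuristics for backdoor behaviour, so that a rot13-mangled variant of the one-line backdoor is still caught even though the string `eval(` never appears in it. The file paths, the samples standing in for the two figures, the rule weights and the verdict threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Heuristic rules for PHP backdoors: (name, weight, pattern). Weighted scoring
# catches obfuscated variants that a single literal signature misses.
CONTENT_RULES = [
    # interpreter or shell function fed straight from request input
    ("eval_on_request_input", 4,
     r"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    # eval over a decoded blob: eval(base64_decode(...)), eval(gzinflate(...))
    ("encoded_eval", 3,
     r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # string mangling that legitimate application code rarely needs
    ("string_obfuscation", 1, r"\b(str_rot13|gzinflate|gzuncompress)\s*\("),
    # nested calls through variables holding function names: $b($a(...))
    ("variable_function_call", 2, r"\$\w+\s*\(\s*\$\w+\s*\("),
    # long base64 literal embedded in source
    ("long_base64_literal", 1, r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"),
]
COMPILED = [(name, weight, re.compile(rx)) for name, weight, rx in CONTENT_RULES]

# Directories where uploaded backdoors are commonly parked; a PHP file there,
# or a dot-prefixed PHP file anywhere, adds to the score.
HIDDEN_DIRS = ("/uploads/", "/cache/", "/tmp/", "/images/")

@dataclass
class Finding:
    path: str
    verdict: str
    score: int
    hits: list

def path_score(path):
    name = path.rsplit("/", 1)[-1]
    hidden = name.startswith(".") or any(d in path for d in HIDDEN_DIRS)
    return (1, ["hidden_location"]) if hidden and name.endswith(".php") else (0, [])

def scan_file(path, content, malicious_at=3):
    """Score one PHP file and label it clean / suspicious / malicious."""
    score, hits = path_score(path)
    for name, weight, rx in COMPILED:
        if rx.search(content):
            score += weight
            hits.append(name)
    verdict = "malicious" if score >= malicious_at else "suspicious" if score else "clean"
    return Finding(path, verdict, score, hits)

def scan_files(files):
    """Scan a {path: content} mapping and return findings keyed by path."""
    return {p: scan_file(p, c) for p, c in files.items()}

# Constructed samples standing in for the two figures: a one-line backdoor, a
# rot13-mangled variant of it (it resolves to eval(base64_decode(...)) with a
# harmless echo inside) and two legitimate files that use request input and
# base64 the normal way.
SAMPLES = {
    "/var/www/html/images/x.php": "<?php eval($_REQUEST['c']); ?>",
    "/var/www/html/wp-content/uploads/.cache.php": (
        '<?php $a = str_rot13("onfr64_qrpbqr"); $b = str_rot13("riny");\n'
        '$b($a("ZWNobyAiaGVsbG8iOw==")); ?>'),
    "/var/www/html/contact.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "/var/www/html/lib/image.php": "<?php $img = base64_decode($row['data']); ?>",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLES).values():
        print(finding)
```

The point of the weights is the second sample: no rule for `eval(` fires on it, yet the rot13 call, the nested call through variables and the dot-prefixed file under `uploads/` add up to a malicious score. Expect some noise from the weaker rules (a legitimate `str_rot13` use lands at “suspicious”), which is why they carry weight 1 and the verdict needs several of them to agree.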

Related BitNinja modules:

  • Web Application Firewall
  • Malware detection (releasing in early February)




After planting a backdoor by infecting your files or uploading new ones, the botnet will register the new member in its database. The basic idea behind a command and control server is to centralize the botnet, so the botmaster can send a command to all of the bots at the same time. This also helps the botmaster hide his own identity: instead of connecting directly to the zombie servers, he sends commands indirectly, using the C&C server as a proxy. This also means you can disarm an infection by blocking communication between your server and the C&C server.


You can block the C&C requests by analyzing and filtering the outgoing and incoming requests of your server. Outgoing requests are made by your server to ask the C&C server for commands, or to report the result of a C&C command.
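An added example in Python (not BitNinja’s IP reputation or outgoing WAF module) of analysing outgoing connections for C&C traffic: it combines a blacklist lookup with two context signals the paragraph points at, a web server process talking to an IRC port, and connections that recur on a fixed timer the way a bot polling its C&C for commands does. It then emits `iptables` OUTPUT rules for the destinations it found. The connection records, addresses, port list and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed C&C blacklist (documentation-range address). In practice this is
# the reputation feed produced by malware analysis.
CNC_BLACKLIST = {"192.0.2.77"}

# Ports a web server process has no business talking to: IRC is the classic C&C channel.
SUSPICIOUS_PORTS = {6667, 6697}
WEB_PROCESSES = {"www-data", "apache", "nginx", "php-fpm"}

def interval_regularity(times):
    """Coefficient of variation of the gaps between connections (0 = perfectly
    periodic). Needs at least three gaps; returns None otherwise."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0

def find_cnc_candidates(records, blacklist=CNC_BLACKLIST, max_cv=0.1):
    """Group outgoing connections by (process, dst ip, dst port) and report the
    destinations that look like a C&C channel.
    records: iterable of (epoch_seconds, process, dst_ip, dst_port)."""
    by_dest = defaultdict(list)
    for ts, proc, ip, port in records:
        by_dest[(proc, ip, port)].append(ts)
    findings = {}
    for (proc, ip, port), times in by_dest.items():
        reasons = []
        if ip in blacklist:
            reasons.append("blacklisted_cnc")
        if proc in WEB_PROCESSES and port in SUSPICIOUS_PORTS:
            reasons.append("web_process_on_irc_port")
        cv = interval_regularity(times)
        if cv is not None and cv <= max_cv:
            reasons.append("periodic_beacon")  # polling the C&C on a fixed timer
        if reasons:
            findings[(proc, ip, port)] = reasons
    return findings

def egress_block_rules(findings):
    """iptables OUTPUT rules (one per destination IP) that cut the bot off from its C&C."""
    ips = sorted({ip for (_, ip, _) in findings})
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ips]

# Constructed connection log, as one might export from conntrack or an outgoing proxy.
CONNECTIONS = [
    # www-data connects to 203.0.113.200:6667 every 300 s: a periodic beacon on an IRC port
    (0, "www-data", "203.0.113.200", 6667),
    (300, "www-data", "203.0.113.200", 6667),
    (600, "www-data", "203.0.113.200", 6667),
    (900, "www-data", "203.0.113.200", 6667),
    # irregular HTTPS calls to a payment API from the same process: legitimate
    (12, "www-data", "198.51.100.20", 443),
    (47, "www-data", "198.51.100.20", 443),
    (301, "www-data", "198.51.100.20", 443),
    (1500, "www-data", "198.51.100.20", 443),
    # one HTTP request to an address already on the C&C blacklist
    (420, "www-data", "192.0.2.77", 80),
    # two mail deliveries by postfix: not a web process, and too few to judge periodicity
    (0, "postfix", "198.51.100.25", 25),
    (3600, "postfix", "198.51.100.25", 25),
]

if __name__ == "__main__":
    found = find_cnc_candidates(CONNECTIONS)
    for dest, reasons in found.items():
        print(dest, reasons)
    print("\n".join(egress_block_rules(found)))
```

Periodicity on its own is a weak signal: monitoring agents and cron-driven jobs beacon just as regularly, so treat it as corroboration for the reputation and process/port context rather than as a verdict. Blocking the C&C address stops the bot taking orders, but the backdoor that made the connection is still on disk and still needs to be found and removed.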

Related BitNinja modules:

  • IP reputation (we do malware analysis and blacklist C&C servers regularly)
  • Web Application Firewall
  • Outgoing web application firewall (coming soon)




After the botnet has registered the newly planted backdoor, it is ready to use your resources. Often this is the first symptom a server owner can identify on their server. Users complaining that their outgoing emails are rejected because your IP has been blacklisted? Your server is part of a botnet! Your datacenter suspends your server because of an outgoing DoS attack? It was not your users! It is botnet activity. Have you received an incident report from us about many different incidents? You can be sure your server has been infected.

There are many different cybercrimes botnets can use your server for. Some examples you might already have experienced on your server:

  • DDoS
  • Spam
  • Phishing
  • Identity theft
  • Proxy

There are services like outgoing spam filtering, but they just treat the symptom, not the root cause!

Treat the symptoms:

  • Outgoing spam filter
  • Outgoing DoS mitigation


  • Outgoing WAF
  • IP reputation

Related BitNinja modules:

  • IP reputation
  • Outgoing WAF (coming soon)
  • Outgoing spam mitigation (coming soon)
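As an added example that goes one step beyond the page, here is how to get from the symptom (a mail queue full of spam) to the root cause using a header PHP itself provides: with `mail.add_x_header = On` in php.ini, every message sent through `mail()` carries an `X-PHP-Originating-Script: <uid>:<script>` header, and counting those headers across the queue points at the script doing the sending rather than just filtering its output. The queue contents, script names and threshold are constructed; the code is not BitNinja’s.

```python
import re
from collections import Counter

# PHP adds an "X-PHP-Originating-Script: <uid>:<script basename>" header to every
# message sent through mail() when php.ini has mail.add_x_header = On. This example
# assumes that setting is on; the header values and queue below are constructed.
ORIGIN_RE = re.compile(r"^X-PHP-Originating-Script:\s*(\d+):(\S+)", re.M)

def originating_script(message):
    """(uid, script) from the header, or None if the mail did not come through PHP."""
    m = ORIGIN_RE.search(message)
    return (int(m.group(1)), m.group(2)) if m else None

def originators(messages):
    """How many queued messages each (uid, script) produced; None groups non-PHP mail."""
    return Counter(originating_script(msg) for msg in messages)

def root_cause(messages, min_share=0.5):
    """The (uid, script) behind more than min_share of the queue, else None."""
    if not messages:
        return None
    top, n = originators(messages).most_common(1)[0]
    if top is None or n / len(messages) <= min_share:
        return None
    return top

def _msg(to, subject, origin=None):
    # Constructed RFC 822 header block as found in a queued message.
    head = f"From: noreply@example.com\r\nTo: {to}\r\nSubject: {subject}\r\n"
    if origin:
        head += f"X-PHP-Originating-Script: {origin}\r\n"
    return head + "\r\nbody\r\n"

# Constructed queue: six messages from a script in the uploads directory, one from
# the site's contact form and one from a cron job that did not use PHP mail().
QUEUE = (
    [_msg(f"victim{i}@example.net", "You won", "33:.cache.php") for i in range(6)]
    + [_msg("owner@example.com", "Contact form", "33:contact.php"),
       _msg("root@example.com", "Cron <root@host> backup")]
)

if __name__ == "__main__":
    print(originators(QUEUE))
    print("root cause:", root_cause(QUEUE))
```

On the constructed queue the answer is uid 33 running `.cache.php`, which is the file to pull from the document root and check for the backdoor; an outgoing spam filter would have kept bouncing the same messages indefinitely. The header only exists for mail sent through PHP’s `mail()`, so a backdoor that talks SMTP directly will show up as `None` here and needs the outgoing-connection analysis instead.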




A special case of resource usage is when your server is commanded by the botmaster to start scanning for new potential members, exploit the vulnerabilities it finds, infect the targets and register them in the bot army. Wow! Your server is not only used for cybercrime, but also for expanding a botnet!


By analyzing the outgoing traffic of your server you can find patterns and requests that correspond to the malicious activity of botnet expansion. Also, if there are two BitNinja-enabled servers and one is attacking the other, they can share this information with each other and find the malicious script and the command and control IP. We are still working on this solution.

Related BitNinja modules:

  • Outgoing WAF
  • Remote malware identification (coming soon)

BitNinja is an easy-to-use server security tool which protects your servers/websites against 99% of cyberattacks.

Also, you can check the presentation’s essence on Slideshare; feel free to download or share the presentation.

Two weeks ago, we made our first online presentation at a conference (Codemash, Ohio) about “Honeypots, they are not just for Winnie the Pooh anymore“. We are keen to know what you think about it, so if you have a few minutes, please check our short presentation. The full video is available on YouTube.

As we go down the botnet expansion funnel, it is harder and harder to get rid of the attacker and the infection. Here at BitNinja, we are working hard to implement a simple solution to cover all the 7 steps of the infection cycle and protect your server and users against cybercrime. This is how we would like to make the Internet a safer place.