Botnets actually started out as legitimate networks of Internet Relay Chat (IRC) clients connected through scripts named bots. The purpose was to keep the IRC channels open while preventing unwanted users from gaining access to the IRC network. Criminals created scripts similar to the IRC bot in that they are designed to have computers communicate with each other for creating networks to coordinated criminal activity. Since the first illegal botnets were similar to legal botnets the name stuck.
Botnets are typically deployed to computers after the criminal has gained control through a worm, Trojan horse program, or back door access program. The computers compromised with one of these malicious software packages are referred to as bots. The criminal with control over the botnet communicates with the bots using standard network protocols, controlling the activities of the bot.
While botnets originated as useful code referring to a group of computer linked together in an IRC network the term is now used to mostly refer to “zombie computers” infected by malicious software to be controlled by a criminal. The term “zombie computer” is used to refer to members of botnets because they are unsuspectingly, or mindlessly, performing task as directed by the bot master. The criminal who sent the bot net is referred to as a “bot herder or “bot master”. This criminal controls the collection of bots remotely by passing commands through a command and control (C&C) server. Typically there will be several C&C servers distributed across many locations.
Botnets communicate across a network using an encryption scheme determined by their creator. These unique encryption schemes make it very hard to detect the botnet as well as making it hard to break into the botnet. The bot will also use a covert channel to communicate to the C&C server. This method of stealing computing resources through implanting bots on a multitude of computers thus creating a botnet is sometimes referred to as “scrumping.” Remember what I said earlier about amassing computer resources being worth tens of millions of dollars to cyber-criminals. This is what botnets do, they allow criminals to amass computing resources by linking a multitude of computers together through a botnet.
To establish this valuable botnet a bot herder will typically use a worm to infect unsuspecting computers. The worm will carry as its payload the bot. The bot on the infected computer will report back to the C&C server. The bot herder will keep track of the amount of infected bots at his command. Someone will then hire the bot herder paying a fee based on the type of work to be done, and the amount of resources the bot herder has at his command. For this example let us use a spammer. The spammer will give the bot herder the messages they want sent. Using the C&C server the criminal boss (bot herder) will instruct his henchmen (bots) to send out spam messages.