How bots and zombies work, and why you should care


We regularly write about “bots”, or “zombies,” malicious programs that let cybercriminals take over your computer from afar.

Some malware is pre-programmed for one specific criminal act, such as ransomware that scrambles your data and demands a fee to get it back.

But most bots or zombies are kitted out with a wide range of “features.”

Any of these can be controlled across the internet by a crook.

Common crimeware functions built into bots include:

  • Logging your keystrokes to steal online usernames and passwords.
  • Searching through your files for interesting data to steal.
  • Tricking you into clicking on ads to generate pay-per-click revenue.
  • Posting “recommendations” for your friends on your social networks.
  • Acting as a proxy, or relay, and charging rent to other crooks so they can use your internet connection to cover their tracks.
  • Mapping out your network from the inside to assist with future attacks.
  • Attacking other people’s websites, making you look like the crook.
  • Sending out spam, often in vast quantities.
  • Updating the running malware to add new features and stay ahead of your defences.
  • Downloading more malware at the whim of the crook who is in control.

→ The last function, downloading more malware, is the reason why it is difficult to give an exhaustive list of what might have happened to your computer while it was infected. The controlling crook, known as a bot-herder or botmaster, can add and remove other malware programs at will.

The reason why a zombie can do all of these things without you realising is, quite simply, that you could do any or all of them yourself if you wanted.

You can (and probably often do) send email; browse websites; use social networks; download programs; search your files; and more.

Of course, you don’t actually do these things: you invite software to do them on your behalf.

So, once a zombie is running on your computer – whether you were reckless, incautious or merely unfortunate to get infected – it, too, can do any of these things on your behalf, even though you never meant to invite it to do so.

How crooks control your computer

We still haven’t explained how a crook sitting on the other side of the world can choose which of these “features” to run, and when.

After all, you probably have a router and a firewall that block all inbound network connections by default.

If you start up a web server like IIS or a mail server like Exchange on your home network, the chances are that neither of them will work straight away: you will need to make a series of deliberate changes in your firewall configuration.

In short, outsiders can’t easily connect into your network by default, even if you want them to.

So, how do botmasters connect to your computer to control the malware on it?

The answer is staggeringly simple: the crooks don’t call you and tell you what to do.

You call them and ask for instructions.

Just like Windows Update, which connects to Microsoft’s servers to check for patches.

And just like your webmail, which gets pulled down by your browser when you’re logged in, rather than pushed to your computer by a mail-sending server.

A good firewall and anti-virus combination can still protect you, of course, by keeping track of what connections your computer makes, and which programs make them, and what gets downloaded.

But most remote control malware these days regularly “calls home” to fetch its instructions on what to do next, so blocking inbound network connections only is not enough to neutralise a running zombie.

Of course, the “call home” system means the crook can’t tell your computer to start spamming right now, but that is of little consequence, because most bots check in for new commands every few minutes anyway.

After all, if your computer is going to be sending 100,000 spams over the next 24 hours, those few minutes waiting to get started will make no difference to the outcome.

On the other hand, the crook doesn’t have to keep trying to contact your computer if he doesn’t get through the first time, for example because you’re asleep and so is your laptop.

The next time you turn it on, it will get busy with all its outstanding tasks automatically, including catching up on its backlog of spam sending.

Botnet Command-and-Control

The process by which bots fetch their what-to-do-next instructions is known as command-and-control (abbreviated CnC, or sometimes C2), and the places bots connect to are known, unsurprisingly, as CnC servers.

Bots that use the same CnC network, and can therefore be controlled simultaneously by a single botmaster, make up a botnet, short for “robot network.”

In years gone by, many botnets used an instant messaging protocol called IRC (Internet Relay Chat) for CnC, but that has fallen out of favour these days.

Few companies still use IRC, so many organisations have simply placed a blanket ban on it, forcing the botmasters to try different CnC tricks.

Unfortunately, there are lots of options, including the obvious and unexceptionable technique of using HTTP, the same protocol that regular websites use.

When your browser sends a web request, it might go something like this:

→ GET /index.html HTTP/1.1

→ Host:


← <html><body>

← This is a real web page

← </body></html>

A zombie, on the other hand, might do this:

→ GET /instructions HTTP/1.1

→ Host:





← E3=ibis@example.test

← SUBJ=Hey, $NAME, need cheap pills?

← TEXT=No prescription needed for our meds.

Or the zombie might use HTTPS, encrypted HTTP, making the content of its CnC messages harder to spot on the way out or back in to your network.

The important thing is that many bots use regular-looking network traffic in order to try to blend in with what regular users are doing with regular software.

We’ve even seen bots that read their instructions from special Twitter messages, or from posts on the social network Reddit.

What to do?

Defence in depth, both in your anti-virus and your firewall, can still protect you, even though no inbound connections are used.

For example, to function fully, a zombie needs to:

  • Infect your computer.
  • Connect to its CnC servers.
  • Download its instructions.
  • Transmit its results, such as emailing spam or sending back stolen data.

If you can block any or all of these, you will limit the crooks, or thwart them entirely.

Clearly, however, the best protection of all is not to get infected in the first place.

And if you do get infected, the best defence is to find and eliminate the zombie malware altogether.

In other words, the best way to kill a botnet is by killing the bots themselves.

So why not Kill a Zombie today?

Kill a Zombie with the free Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.

Other free tools to protect you from bots

Sophos UTM Home Edition

All the features of our commercial UTM for use on a spare computer or in a virtual machine. You get web filtering, email filtering, virus scanning, intrusion prevention, CnC traffic detection, a web application firewall and a full-on Virtual Private Network (VPN) solution for up to 50 computers or mobile devices at home.

Sophos Anti-Virus for Mac Home Edition

A standalone version of our business grade anti-virus for OS X. You get real-time (on access) malware prevention, web filtering, scheduled scans, malware cleanup and more, plus it keeps itself up-to-date automatically.


Via: sophos

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *