How botnets expand and how to protect against them

A botnet is a group of infected machines (also called bots or zombies) controlled by an attacker, the botmaster. Botnets are a major threat to every server, and they are basic infrastructure for the cybercrime industry. Zombie machines can be personal computers, mobile devices or even servers.

Today we will focus on botnets formed from infected Linux servers. Server-based botnets are especially valuable to the bad guys because servers typically have large amounts of resources: CPU, memory and, most importantly, Internet bandwidth with trusted and in many cases unrestricted upload capacity. Servers run 24 hours a day, 7 days a week, and have at least one fixed IP address. In many cases a server already has every component the attackers need in order to operate. Because there is huge demand on the dark markets for high-capacity botnets for purposes like sending spam, running DoS attacks and similar cybercrime, servers face more and more botnet infections.

Every botnet has some common characteristics, the building blocks of the system. The basic blocks are the zombie machines, a command and control (C&C) node and a communication channel between the zombies and the C&C node. This architecture is called a centralized botnet, and it is still the most popular one. Other architectures exist, such as peer-to-peer setups, but we won't cover them in this article.

So how do the bad guys build their large botnets? There are 6 steps every zombie server goes through in the process of joining a botnet and operating in it.


The first step in finding new members for a botnet (or even the very first member) is scanning for vulnerable hosts. The scanner is specialized for a specific vulnerability, or a set of vulnerabilities, that the botnet is able to exploit. A very common scan, for example, hunts for well-known PHP CMS systems like WordPress, Joomla and Drupal. If these CMS systems, and especially their themes and plugins, are not updated regularly, they can have many remotely exploitable vulnerabilities, and they are easy to misconfigure. Scanning a server for these CMS systems is trivial: a handful of requests for their well-known paths (login pages, plugin directories, changelog files) is enough to fingerprint them.

In the example below you can see such a scan detected by BitNinja's log analysis module. It is vital to set up a defense line at this stage, because it is an early stage where it is still relatively easy to stop the attackers. Detection is easy, but it is also easy to generate false positives, which would result in blacklisting innocent IPs.

That is why BitNinja first greylists these addresses (read more about greylisting on our doc site) instead of blocking them outright. This way false positives can be eliminated. Other scans target specific software versions installed on the server in order to find known vulnerabilities. Setting up honeypot traps is also very effective at this stage. Modern botnets use many different bots to scan a single server; sometimes, when large botnets expand, each IP sends only one scan request.

This is called distributed scanning. With distributed scanning a botnet avoids detection by simple per-IP log analyzers: no single source ever crosses a threshold. Fighting it requires a distributed protection system (like BitNinja) that correlates scans across many IPs and many servers.


Using honeypots and log analysis is useful and effective in this phase. Detecting distributed scans requires a distributed and interconnected defense system.
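The following is an added example, not code from BitNinja's log analysis module, showing the difference between the two detection approaches described above. The Apache-style log lines are constructed, the probe paths are well-known WordPress/Joomla/Drupal locations, and the thresholds and the 60-second window are illustrative assumptions. A classic per-IP counter catches the single noisy scanner but misses five different IPs that each send one probe; aggregating probes across all sources in a sliding window catches the distributed scan as well.

```python
"""Detecting CMS scanning in web server access logs: a single-host scanner
versus a distributed scan where every scanning IP sends one request.

Added example, not BitNinja's log analysis module. Log lines are constructed
(Apache combined format); thresholds and window size are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths a scanner requests to fingerprint a CMS. On a host that really runs
# WordPress, /wp-login.php returns 200 for legitimate users, so only 404s
# (the CMS is not even installed here) are counted as probes below.
CMS_PROBES = (
    "/wp-login.php", "/xmlrpc.php", "/wp-content/plugins/",
    "/administrator/index.php", "/user/login", "/CHANGELOG.txt",
)

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one noisy scanner (203.0.113.10), one normal visitor,
# then a distributed scan where five IPs each send a single probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2024:12:01:05 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:01:11 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.24 - - [10/Mar/2024:12:01:20 +0000] "GET /user/login HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.25 - - [10/Mar/2024:12:01:31 +0000] "GET /administrator/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


def parse(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path, int(status)


def probes(lines):
    """Sorted (timestamp, ip) pairs for every CMS probe that got a 404."""
    out = []
    for rec in filter(None, map(parse, lines)):
        ip, t, path, status = rec
        if status == 404 and any(path.startswith(p) for p in CMS_PROBES):
            out.append((t, ip))
    return sorted(out)


def per_ip_scanners(lines, threshold=3):
    """Classic log analyzer: an IP is a scanner once it sends >= threshold probes."""
    hits = defaultdict(int)
    for _, ip in probes(lines):
        hits[ip] += 1
    return {ip for ip, n in hits.items() if n >= threshold}


def distributed_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Aggregate probes across all IPs in a sliding window. A burst of distinct
    IPs each sending a single probe never trips the per-IP counter, but the
    burst itself is the signature of a distributed scan. The IPs returned are
    greylist candidates rather than hard blocks: a busy window can also
    contain a few innocent 404s."""
    events = probes(lines)
    suspects = set()
    start = 0
    for end, (t, _) in enumerate(events):
        while events[start][0] < t - window:
            start += 1
        ips = {ip for _, ip in events[start:end + 1]}
        if len(ips) >= threshold:
            suspects |= ips
    return suspects


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP scanners:", per_ip_scanners(lines))
    print("distributed scan:", distributed_scanners(lines))
```

Only the distributed set catches the `198.51.100.2x` addresses; the per-IP counter never sees more than one probe from any of them. In a real deployment the aggregation window would span many servers, which is exactly why the page calls for a distributed, interconnected defense.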

Related BitNinja modules/functions

  • port honeypots
  • greylisting
  • log analysis
  • distributed log analysis
  • web honeypot


After a vulnerability has been identified, the process moves to the next phase: exploiting it. This phase is about actually carrying out the attack and opening a door into your system. There are many kinds of exploits attackers can use. Some categories, based on the vulnerability:

  • Remote Code Execution (RCE)
  • SQL injection
  • Code injection
  • Brute force

Often there is a time lag between the scan and the actual exploit, and different IPs are used for scanning and for exploitation, in order to avoid detection. This phase is about opening a channel with higher privileges so the attack can step into the next phase of infection. Determined hackers also use hybrid attacks: in the first step the botnet compiles a list of vulnerable websites; in the second step a human performs the exploitation, because a human has a much higher success rate; after the human exploitation the attack is automated again.


Detecting the actual exploit requires deep analysis of the malicious request at the application level. Web application firewalls and other application-level solutions can detect and stop attacks in this phase. Some of the requests can be detected with log analysis too, but that is not sufficient: by the time you see the request in the log, the damage has already been done. IP reputation can be useful to keep automated exploit attempts, including 0-day attack requests, away from your server, because a known-bad source is blocked regardless of which vulnerability it is trying.
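As an added example (not BitNinja's WAF), here is the application-level inspection the paragraph above contrasts with after-the-fact log analysis: every field of the request is decoded and matched against rules for the exploit classes listed earlier. The rule set is deliberately small and illustrative, and the sample requests are constructed. The practitioner's point it shows is normalization: attackers double URL-encode payloads to slip past single-pass matchers, so the value is decoded until it stops changing before any rule is applied.

```python
"""WAF-style inspection of a single HTTP request before it reaches the
application, with repeated URL decoding so double-encoded payloads are seen
in their decoded form.

Added example, not BitNinja's WAF. Rules are a small illustrative set for the
exploit classes named above (SQL injection, RCE, code injection, traversal);
a production WAF needs far more rules and a tuning phase against real traffic
to keep false positives down.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

RULES = {
    "sqli": re.compile(
        r"(\bunion\b.{0,40}\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|\bsleep\s*\(\s*\d+\s*\))",
        re.I),
    "rce": re.compile(
        r"(\b(?:system|passthru|shell_exec|exec)\s*\(|;\s*(?:wget|curl|nc)\s|\$\{IFS\}|\|\s*(?:sh|bash)\b)",
        re.I),
    "code_injection": re.compile(
        r"(\beval\s*\(|\bbase64_decode\s*\(|php://input|data:\S*;base64)", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
}


def normalize(value, rounds=3):
    """Decode URL encoding repeatedly (bounded) until the value stops changing.
    parse_qsl already decoded once; this catches %2527 -> %27 -> ' style
    double encoding that a single decode would miss."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(method, path, query="", body=""):
    """Return a list of (location, rule_name) hits for one request.
    Locations are 'path', 'query:<param>' or 'body:<param>'."""
    fields = [("path", path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    if body:
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    hits = []
    for location, raw in fields:
        value = normalize(raw)
        for name, rule in RULES.items():
            if rule.search(value):
                hits.append((location, name))
    return hits


# Constructed sample requests.
SQLI_DOUBLE_ENCODED = ("GET", "/index.php", "id=1%2520UNION%2520SELECT%25201,2,3", "")
CODE_INJECTION_BODY = ("POST", "/wp-admin/admin-ajax.php", "action=upload",
                       "code=eval(base64_decode('aGVsbG8='))")
TRAVERSAL = ("GET", "/download.php", "file=..%2F..%2F..%2Fetc%2Fpasswd", "")
BENIGN = ("GET", "/blog/2024/03/hello-world", "utm_source=newsletter", "")

if __name__ == "__main__":
    for req in (SQLI_DOUBLE_ENCODED, CODE_INJECTION_BODY, TRAVERSAL, BENIGN):
        print(req[1], "->", inspect(*req) or "clean")
```

A request with any hit is the moment to block or greylist the source; logging it and reviewing the log later, as the paragraph notes, would be after the exploit has already run.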

Related BitNinja modules

  • Web Application Firewall
  • IP reputation


When botnet expansion software gains access, it infects some files on your system to plant a backdoor the attacker can use to come back and get remote access at any later time.

Classic backdoors were binary programs installed on the server, but in the age of CMS systems and scripting languages it is enough to upload a script suitable for the server environment, such as a PHP, Perl, Python or bash script, and hide it in an unexpected subdirectory.

In this figure you can see the simplest backdoor written in PHP.

The second one is more complex, designed to avoid pattern-based malware detection: a good example of obfuscated malware. It is quite challenging for pattern-based virus detection mechanisms to catch such malware. This is why we developed a new (patent pending) detection method that differs from any other solution on the market. The new method is based on the structure of the source code.

First, BitNinja detects whether an obfuscation method was used in a file. At this point the system does not yet determine whether the obfuscated code is malware. To find that out, the code needs to be run to see its purpose, but running potentially malicious code on your server is risky.

The second step is to run the code in a sandbox farm and inspect its behavior (e.g. generated network traffic, newly created files, etc.). From these behavior signatures we can tell whether the code is legitimate or malicious. Quarantining all obfuscated files is not a good idea, because many legitimate files use obfuscation techniques too (commercially licensed PHP components and packed or minified scripts, for instance). By running the code in a sandbox, BitNinja tries to deobfuscate it, and after that regular pattern matching can be used to find out the intention of the code.
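The figures referenced above are not reproduced here, so the following added example (not BitNinja's detector) constructs both samples itself: the simplest PHP backdoor, `eval($_POST['cmd'])`, and an obfuscated wrapper around it built at runtime from the same chain attackers commonly use (`str_rot13`, `gzdeflate`, `base64`). BitNinja deobfuscates by executing the file in a sandbox; this example instead unwraps the decoder chain statically, which works only for pure-function wrappers like these (a sandbox is still needed for anything that branches on runtime state). It also shows a legitimately base64-packed file that is flagged as obfuscated but not as a backdoor, which is why blanket quarantine is the wrong move.

```python
"""Spotting an obfuscated PHP backdoor and statically unwrapping it.

Added example, not BitNinja's detector. Samples are constructed: the
obfuscated one is generated here with eval(str_rot13(gzinflate(base64_decode(..)))).
Static unwrapping replaces BitNinja's sandbox execution and only handles
pure decoder functions.
"""
import base64
import codecs
import re
import zlib

# The simplest PHP backdoor: execute whatever the request body says.
SIMPLE_BACKDOOR = "<?php eval($_POST['cmd']); ?>"


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, i.e. what PHP's gzdeflate() produces."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_obfuscated(payload: str) -> str:
    """Constructed sample: the payload hidden behind a rot13 -> deflate -> base64 chain."""
    inner = codecs.encode(payload, "rot13").encode()
    blob = base64.b64encode(php_gzdeflate(inner)).decode()
    return f"<?php eval(str_rot13(gzinflate(base64_decode('{blob}')))); ?>"


# Constructed legitimate file: a packed license string, no code execution.
LEGIT_PACKED = "<?php $license = base64_decode('%s'); ?>" % base64.b64encode(
    b"owner=example.com;expires=2030-01-01;sig=0123456789abcdef").decode()

DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")
DECODER_ALT = "|".join(DECODERS)

# Obfuscation indicators: a decoder feeding eval/assert, or a long base64 literal.
OBFUSCATION_RE = re.compile(r"\b(eval|assert|create_function)\s*\(\s*(%s)\s*\(" % DECODER_ALT)
B64_BLOB_RE = re.compile(r"'([A-Za-z0-9+/=]{40,})'")
# Backdoor intent: eval over attacker-controlled request data.
BACKDOOR_RE = re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")
CHAIN_RE = re.compile(r"eval\s*\(((?:\s*(?:%s)\s*\()+)\s*'([A-Za-z0-9+/=]+)'" % DECODER_ALT)


def looks_obfuscated(src: str) -> bool:
    return bool(OBFUSCATION_RE.search(src) or B64_BLOB_RE.search(src))


def unwrap(src: str) -> str:
    """Statically apply the decoder chain in eval(f1(f2(...('blob')))).
    The innermost call runs first in PHP, so apply them in reverse textual order."""
    m = CHAIN_RE.search(src)
    if not m:
        return src
    chain = re.findall(DECODER_ALT, m.group(1))
    data = m.group(2).encode()
    for fn in reversed(chain):
        if fn == "base64_decode":
            data = base64.b64decode(data)
        elif fn == "gzinflate":
            data = zlib.decompress(data, -15)      # raw DEFLATE
        elif fn == "gzuncompress":
            data = zlib.decompress(data)           # zlib-wrapped
        elif fn == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        elif fn == "strrev":
            data = data[::-1]
    return data.decode("latin-1")


def classify(src: str) -> str:
    """'backdoor', 'backdoor (obfuscated)', 'obfuscated, intent unknown' or 'clean'."""
    if BACKDOOR_RE.search(src):
        return "backdoor"
    if looks_obfuscated(src):
        inner = unwrap(src)
        return "backdoor (obfuscated)" if BACKDOOR_RE.search(inner) else "obfuscated, intent unknown"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("simple", SIMPLE_BACKDOOR),
                         ("obfuscated", build_obfuscated(SIMPLE_BACKDOOR)),
                         ("packed license", LEGIT_PACKED)):
        print(f"{name}: {classify(sample)}")
```

The plain signature on `eval($_POST...)` misses the obfuscated file entirely; only after the decoder chain is reversed does the same signature fire, which is the two-step (detect obfuscation, then inspect the real code) flow the page describes.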


Although there are mechanisms to keep attackers away, it is very hard to stop the infection at this point: the attacker already has a door and higher privileges, so they can upload content. Virus detection systems work on this layer, and as a defense they are overrated. You should take steps to prevent attackers from reaching this point at all. (Anti-malware software and web application firewalls can help in this phase.)

It is really important to react as soon as possible when we find malware. We have to find the vulnerability that let it in and virtually patch it quickly. This is why we developed the BitNinja Defense Robot, a comprehensive, automated tool that does this in less than a second. It is the only real-time malware root cause analysis solution in the world. This module identifies backdoors and attacking IPs at each malware upload attempt. For SMEs this would otherwise be unsolvable, because it requires 24/7 staffing, but with BitNinja it needs no manual intervention. The Defense Robot automatically greylists the attack source and sets up customized WAF patterns, so the attacker has no opportunity to upload the malware again. If it finds a suspicious file, it validates the malware automatically. That means we can easily discover the original malware, determine the exact intrusion points and fix them.

Related BitNinja modules

  • Malware detection
  • Log Analysis
  • IP reputation
  • Web Application Firewall


After planting a backdoor by infecting your files or uploading new ones, the botnet registers the new member in its database. The basic idea behind a command and control server is to centralize the botnet, so the botmaster can send a command to all bots at the same time. It also helps the botmaster hide their identity: instead of connecting directly to the zombie servers, they send commands indirectly, using the C&C server as a proxy. This also means you can disarm an infection by blocking communication between your server and the C&C server.


You can block the C&C traffic by analyzing and filtering the outgoing and incoming requests of your server. Outgoing requests are made by your server to ask the C&C server for commands, or to report the result of a command. In a centralized botnet the bot normally polls its C&C server, so most of the traffic you need to watch is outbound, and it often looks like ordinary periodic HTTP requests.

Related BitNinja modules

  • IP reputation (we do malware analysis and blacklist C&C servers regularly)
  • Web Application Firewall
  • Outbound WAF (coming soon)


After the botnet has registered the newly planted backdoor, it is ready to use your resources. Often higher data traffic is the first symptom a server owner notices. Users complaining about outgoing emails because your IP has been blacklisted? Your server is part of a botnet. Your datacenter suspended your server because of an outgoing DoS attack? It was not your users, it was botnet activity. Have you received an incident report from us about many different incidents? You can be sure your server has been infected.

There are many kinds of cybercrime a botnet can use your server for. Some examples you might already have experienced on your server:

  • DDoS
  • Spam
  • Phishing
  • Identity theft
  • Proxying (hiding the attacker's traffic behind your IP)

There are services like outgoing spam filtering, but they only treat the symptom, not the root cause!

Treat the symptoms:

  • Outgoing spam filter
  • Outgoing DoS mitigation

Treat the root cause:

  • Outbound WAF
  • IP reputation
  • DoS Detection

Related BitNinja modules

  • IP reputation
  • Outbound WAF (coming soon)
  • Outgoing spam mitigation (coming soon)
  • DoS Detection


A special case of resource usage is when the botmaster commands your server to start scanning for new potential members, exploit the vulnerabilities it finds, infect the targets and register them in the bot army. Your server is then not only used for cybercrime, but also for expanding the botnet!


By analyzing the outgoing traffic of your server you can find patterns and requests that correspond to the malicious activity of botnet expansion. Also, if there are two BitNinja-enabled servers and one is attacking the other, they can share this information with each other and find the malicious script and the command and control IP. We are still working on this solution.
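The two signals that paragraph names, the malicious script and the C&C address, can both be read out of the server's own outgoing connections. The following added example (not BitNinja's outbound WAF) works on constructed records of the form a hypothetical outbound proxy or audit hook would log: timestamp, the local script that made the request, the destination host and the request path. A script that contacts many distinct hosts with one identical request inside a short window is scanning (botnet expansion); a destination the same script contacts at regular intervals is the polling pattern of a bot fetching work from its C&C server. Window size, thresholds and the tolerance on the beacon interval are illustrative assumptions.

```python
"""Finding botnet expansion in a server's outgoing traffic and tying it to
the script that generates it, plus the beaconing destination that is the
likely C&C server.

Added example, not BitNinja's outbound WAF. Records are constructed; the
fields are what a hypothetical outbound proxy or audit hook would log.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed: ISO time, local script, destination host, request path.
# x.php polls 192.0.2.50 every five minutes, then probes six hosts with the
# same request; cron.php makes one ordinary API call.
SAMPLE_OUTBOUND = """\
2024-03-10T12:00:00 /var/www/html/wp-content/uploads/.cache/x.php 192.0.2.50 /gate.php
2024-03-10T12:00:30 /var/www/html/cron.php api.example.com /v1/sync
2024-03-10T12:05:00 /var/www/html/wp-content/uploads/.cache/x.php 192.0.2.50 /gate.php
2024-03-10T12:10:00 /var/www/html/wp-content/uploads/.cache/x.php 192.0.2.50 /gate.php
2024-03-10T12:10:05 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.11 /wp-login.php
2024-03-10T12:10:10 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.12 /wp-login.php
2024-03-10T12:10:15 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.13 /wp-login.php
2024-03-10T12:10:20 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.14 /wp-login.php
2024-03-10T12:10:25 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.15 /wp-login.php
2024-03-10T12:10:30 /var/www/html/wp-content/uploads/.cache/x.php 203.0.113.16 /wp-login.php
"""

BOT_SCRIPT = "/var/www/html/wp-content/uploads/.cache/x.php"


def parse(text):
    """(timestamp, script, destination, path) tuples from the constructed log."""
    recs = []
    for line in text.splitlines():
        ts, script, dst, path = line.split()
        recs.append((datetime.fromisoformat(ts), script, dst, path))
    return recs


def fanout(recs, window=timedelta(seconds=60), min_hosts=5):
    """Per script: the largest number of distinct destinations contacted inside
    one window, the most common path in that window and the share of requests
    using it. A scanner sends the identical probe to everyone, so a high
    same-path share distinguishes expansion from, say, a legitimate crawler."""
    by_script = defaultdict(list)
    for t, script, dst, path in recs:
        by_script[script].append((t, dst, path))
    flagged = {}
    for script, events in by_script.items():
        events.sort()
        start = 0
        for end, (t, _, _) in enumerate(events):
            while events[start][0] < t - window:
                start += 1
            win = events[start:end + 1]
            hosts = {d for _, d, _ in win}
            if len(hosts) >= min_hosts and len(hosts) >= flagged.get(script, {}).get("hosts", 0):
                paths = [p for _, _, p in win]
                top = max(set(paths), key=paths.count)
                flagged[script] = {"hosts": len(hosts), "probe": top,
                                   "same_path_ratio": round(paths.count(top) / len(paths), 2)}
    return flagged


def beacons(recs, min_hits=3, tolerance=0.2):
    """Destinations a script contacts at near-regular intervals: the polling
    pattern of a bot asking its C&C server for commands."""
    times = defaultdict(list)
    for t, script, dst, _ in recs:
        times[(script, dst)].append(t)
    found = defaultdict(list)
    for (script, dst), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= tolerance * avg for g in gaps):
            found[script].append(dst)
    return dict(found)


def report(text):
    recs = parse(text)
    return {"expanding": fanout(recs), "c2_candidates": beacons(recs)}


if __name__ == "__main__":
    print(report(SAMPLE_OUTBOUND))
```

The report names the uploaded `.cache/x.php` as the scanner and `192.0.2.50` as its beaconing destination, which are the two things to act on: remove or quarantine the script, and block the destination (and feed it to IP reputation) so the bot can no longer fetch commands.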

Related BitNinja modules

  • Outbound WAF (coming soon)
  • Remote malware identification (coming soon)

BitNinja is an easy-to-use server security tool which protects your servers/websites against 99% of cyberattacks.

As we go down the botnet expansion funnel, it gets harder and harder to get rid of the attacker and the infection. Here at BitNinja we are working hard to implement a simple solution that covers all 6 steps of the infection cycle and protects your server and users against cybercrime. This is how we would like to make the Internet a safer place.