009
Botnets are Everywhere,
but How Critical is the Situation?
It is estimated that up to one quarter of all personal
computers connected to the Internet may be part
of a botnet
12
. Our research shows that in 63% of the
organizations we scanned, at least one bot was detected.
Most organizations were infected by a variety of bots.
How Botnets Work
A botnet typically involves a number of computers
that have been infected with malicious software. These
computers then establish a network connection with a
control system or systems known as Command & Control
(C&C) servers. When a bot infects a computer, it takes
control of the computer and neutralizes the anti-virus
defenses. Bots are difficult to detect because they hide
OF THE ORGANIZATIONS
IN OUR RESEARCH WERE
INFECTED WITH BOTS
63
%
Number of Hosts Infected with Bots
(% of Organizations)
48
%
1-3 hosts
18
%
4-6 hosts
10
%
7-9 hosts
18
%
10-21 hosts
6
%
More than 21 hosts
within a computer and change the way they appear to anti-
virus software. The bot then connects to the C&C center
for instructions from the cybercriminal who initiated
the attack. Many communication protocols are used for
these connections, including Internet Relay Chat (IRC),
HTTP, ICMP, DNS, SMTP, SSL, and in some cases,
custom protocols created by the botnet software creators.
S
p
a
m
,
V
i
r
u
s
,
D
D
o
S
Criminal
“Bot Herder”
Bot
Command
& Control
Computers
on the
Internet
Chart 2-A
Source: Check Point Software Technologies
