Nathan Koch

Major Studio I: Ideas in Form Research

Saturday, September 9th 2017

I am studying the architecture and topology of modern botnets, because I want to understand how they are organized and controlled, in order to support visualizing botnet structure and infection flow.

Broad Research


  1. Bots and Botnets—A Growing Threat A breakdown of what bots are, how they work, what they usually do, and efforts to protect yourself.
  2. What is a Botnet? Another breakdown of Botnets at a high level. Has some interesting numbers on large botnets making money from bitcoin mining and ad fraud.

Botnet Architecture

  1. Botnet Communication Topologies A detailed breakdown of how different Botnet topologies affect their performance, fragility and resale value.
  2. The Kelihos Botnet A technical analysis of a particular botnet, including network topology and reverse-engineered software architecture.

Who runs Botnets?

  1. Infiltrating a Botnet A summary of conversations between a security researcher and a "Botmaster."
  2. Mirai botnet creator unmasked as DDOS protection developer tempted by the dark side The owner of a security company hides behind online aliases while creating famous botnet software.


  1. The Biggest Cybersecurity Disasters of 2017 so far. A summary of recent cyberattacks and the types of exploits that gave hackers access.
  2. A DIY Guide to Feminist Cybersecurity A guide to all the specific tools involved in the encryption and obfuscation of personal data and communications, especially for those at risk from trolls or their own governments.

Network Topology

  1. Network Topologies A breakdown of the pros and cons of various network topologies, such as bus, ring, and star.
  2. Medium Enterprise Design Profile (MEDP)—Network Security Design This article gives a sense of the physical and virtual complexity behind enterprise networks.


  1. Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps An as-yet-unseen new form of malware discovered by a security researcher.
  2. You’ll never guess where Russian spies are hiding their control servers This malware reads encoded messages posted publicly in social media to command and control it.

Primary and Secondary Sources (Summarized)

Botnets are assembled from three primary components: the bots themselves, a botmaster/bot herder, and a command and control channel for the botmaster to manipulate the bots. Botnets are used primarily in situations where the number of individual bots is a strength, such as DDoS attacks, spamming, and click fraud. Botnet architectures are diverse, ranging from centralized, to hybrid, to decentralized. Although bots perform HTTP requests much like web browsers, it's often possible to detect their presence by incomplete or malformed requests. [1]

Bot agents are distinguishable from common malware through their connection to command and control servers. Botnet operators choose different network topologies based on a combination of risk, cost, speed, and the financial purpose of the botnet. Centralized botnets are more easily stopped, but faster, while decentralized botnets (whether hierarchical or random) are often slower as commands propagate across the network. Through "fluxing" domain and IP address information, botnets of any topology can more easily hide command and control information from defenders. Botnet operators are moving toward more decentralized architectures as they continue to solve the performance problems traditionally associated with them. [2]
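The speed-versus-fragility trade-off summarized above can be measured on abstract graphs. The following is an added example, not code from the cited paper or from this project: it compares a star (centralized) graph with a ring lattice used here as a deterministic stand-in for a decentralized peer network. The node count, neighbour count and function names are assumptions made for the illustration.

```python
from collections import deque

def star(n):
    """Centralized model: node 0 is the control server, every other node links only to it."""
    g = {i: set() for i in range(n)}
    for i in range(1, n):
        g[0].add(i)
        g[i].add(0)
    return g

def ring_lattice(n, k):
    """Decentralized stand-in: each peer links to its k nearest neighbours on each side."""
    g = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            j = (i + d) % n
            g[i].add(j)
            g[j].add(i)
    return g

def hops_from(g, src):
    """Breadth-first search: hop count from src to every node it can reach."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def takedown(g, node):
    """Copy of g with one node removed, modelling a defender seizing or sinkholing it."""
    return {u: nbrs - {node} for u, nbrs in g.items() if u != node}

def summarize(g, src=0):
    """Return (worst-case hops for a message from src,
    fraction of survivors still connected after the best-connected node is removed)."""
    worst = max(hops_from(g, src).values())
    hub = max(g, key=lambda u: (len(g[u]), -u))  # highest degree, lowest id on ties
    rest = takedown(g, hub)
    start = next(iter(rest))                      # first surviving node
    return worst, len(hops_from(rest, start)) / len(rest)

# Constructed sizes: 101 nodes, 2 neighbours per side in the lattice.
CENTRALIZED = summarize(star(101))
DECENTRALIZED = summarize(ring_lattice(101, 2))
```

With these constructed sizes the star delivers in one hop but falls apart when its hub is removed, while the lattice needs 25 hops and stays fully connected after losing a node.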

After analyzing a number of recent peer-to-peer botnets, this team developed a new form of hybrid botnet. Their intent was to create a network that was robust, capable of losing bots to attackers, and difficult for defenders to detect. Using a hybrid peer-to-peer architecture consisting of "servent bots" and "client bots" the team was able to create a prototype that was very difficult to shut down. Through both infecting and re-infecting hosts, the botnet structure and metadata is more obfuscated to defenders. [3]

One possible future structure of botnets is a new decentralized mobile botnet that has no single point of control. These bots are capable of communicating via SMS, Bluetooth and HTTP. The botnet's topology is complex, with "cluster head bots" forwarding commands and "receiver bots" acting on those commands. This is possible because each bot contains a list of the other mobile nodes on the botnet. The team successfully created a botnet on Android phones using this topology, which successfully collected and shared GPS data on a local network. No anti-virus software was capable of detecting these bots. Although just a prototype, it offers insight into a future of mobile distributed botnets. [4]

Primary Research

As part of this project I also performed primary research on botnets of my own.

I trawled a few hacker forums reading about botnet approaches, and read some "copypasta" about botnet organization and software architecture.

I also experimented with building my own botnet from some software I got ahold of on the internet. It didn't work, but I did get some interesting insights into one possible software architecture for botnets.


I took my findings from all this botnet research and distilled it down to a handful of slides.


  1. Rahimipour, Maryam et al, "A Survey on Botnets and Web-based Botnet Characteristics." IJCSET (2014): 282-286.
  2. Ollmann, Gunter, "Botnet Communication Topologies: Understanding the intricacies of botnet Command-and-Control." Accessed September 9, 2017.
  3. Wang, Ping et al, "An Advanced Hybrid Peer-to-Peer Botnet." IEEE Transactions on Dependable and Secure Computing (2010): 113-127.
  4. Pieterse, Heloise and Olivier, Martin, "Design of a Hybrid Command and Control Mobile Botnet." Paper presented at International Conference on Information Warfare and Security, United Kingdom, July 2013.