MALWARE CONCEPTS

🤖 Botnets & Command-and-Control (C2)

Learn how attackers remotely manage large numbers of infected systems and why command-and-control infrastructure is critical to modern malware.

🚨 Incident Report

A security team notices:

  • Unexpected outbound traffic
  • Periodic external connections
  • High network utilization

The infected devices appear normal.

However, they are secretly communicating with an external controller.

The organization may be part of a botnet.

📖 What Is A Botnet?

A botnet is a collection of compromised devices controlled remotely by an attacker.

Many Infected Devices
One Coordinated Network

Each compromised device is commonly referred to as a bot.

🏗 Botnet Architecture

👨 Attacker
⬇️ 📡 Command Server
⬇️ 🤖 Botnet
⬇️ 💻 Infected Devices

Commands flow from the controller to infected systems.

📡 What Is Command-and-Control?

Command-and-Control (C2) refers to the communication mechanism used to manage infected systems.

The purpose is to:

  • Send instructions
  • Receive status updates
  • Coordinate actions
  • Maintain control

Without C2 communication, many botnets become far less effective.

🎯 Common Botnet Objectives

  • DDoS Operations
  • Spam Distribution
  • Credential Collection
  • Cryptocurrency Mining
  • Malware Distribution
  • Proxy Services

Different botnets serve different criminal purposes.

🌐 Why IoT Devices Matter

Modern botnets frequently target:

  • Cameras
  • Routers
  • Smart Devices
  • Network Appliances

These devices are often:

  • Poorly maintained
  • Rarely updated
  • Always connected

📨 Bot Communication Patterns

Security teams often look for:

  • Repeated outbound connections
  • Unexpected destinations
  • Regular communication intervals
  • Abnormal DNS activity

Communication behavior is often more revealing than the malware itself.
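A defender-side check for the "regular communication intervals" pattern listed above, as an added example that is not part of the original course material: it groups connection records by source, destination and port, then flags pairs whose inter-connection timing is nearly constant (low jitter), which is how periodic beaconing stands out from ordinary browsing. The record format, the thresholds and the sample data are assumptions made for the example.

```python
"""Beacon detection over constructed connection records (added example).

Assumes a list of (timestamp_seconds, src_ip, dst_ip, dst_port) tuples such as
one could extract from a Zeek conn.log or a firewall log. Pairs with many
connections at near-constant intervals are flagged as candidate C2 beacons.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons every ~60s (small jitter) to
# 203.0.113.10:443; 10.0.0.7 browses 198.51.100.20:443 at irregular times.
SAMPLE_CONNECTIONS = (
    [(1000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.10", 443) for i in range(12)]
    + [(1000 + t, "10.0.0.7", "198.51.100.20", 443)
       for t in (3, 17, 150, 166, 400, 401, 950, 1300, 1310, 1800, 2600, 2605)]
)


def find_beacons(connections, min_count=8, max_cv=0.2):
    """Return {(src, dst, port): (count, mean_interval, cv)} for pairs whose
    inter-connection intervals are regular (coefficient of variation <= max_cv).
    min_count avoids flagging pairs with too few samples to judge regularity."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in connections:
        by_pair[(src, dst, port)].append(ts)

    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg  # jitter relative to the beacon period
        if cv <= max_cv:
            suspects[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return suspects


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_CONNECTIONS).items():
        print("candidate beacon:", pair, "count/period/cv =", stats)
```

In practice the same heuristic is run per day over Zeek or firewall exports, with the threshold tuned so that legitimate periodic traffic (NTP, update checks) is allow-listed rather than alerted on.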

⚠ Indicators Of Compromise

  • Unknown network connections
  • Unusual DNS requests
  • Unexpected bandwidth usage
  • Unknown background processes
  • Repeated outbound communications

Botnet infections often leave network-based clues.

🛠 Analyst Toolkit

  • Wireshark
  • TCPView
  • Sysmon
  • Zeek
  • SIEM Platforms
  • EDR Solutions

Network visibility is essential when investigating botnet activity.

🛡 Defensive Strategies

  • Network Monitoring
  • Endpoint Protection
  • Patch Management
  • DNS Security Controls
  • Segmentation
  • Threat Intelligence

Stopping communication often limits botnet effectiveness.

🎓 CEH Exam Focus

  • Botnets are networks of compromised systems
  • C2 infrastructure manages infected devices
  • IoT devices are common targets
  • Network monitoring aids detection
  • Communication patterns are important indicators

🏆 Key Lesson

Most malware wants access.

Botnets want scale.

One Device Is An Infection
Thousands Become Infrastructure
