Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Life Cycle of Web Server Botnet Recruitment

This blog post is an excerpt taken from the recently released Global Security Report (GSR) for 2013.

Over the course of the past year, my team has monitored and analyzed vast amounts of data within our Web honeypots and shared intelligence in our [Honeypot Alert] blog posts. In this blog post, we want to illustrate the most common methods botnet owners use to compromise websites and make them part of their army. The data in this section shows examples of code snippets and log file entries from real captured attacks.

Why target web servers vs. infecting end-user computers? There are a number of factors that make web servers attractive targets for botnet owners:
  1. Web servers are always online where as home computer systems are often shutdown when not in use. This means that the number of botnet systems in control at any one time is variable. This factors into the botnet owner's service offerings as they are often selling their botnet services and having a reliable, strong botnet is key.
  2. Web servers have more network bandwidth than home computer users. This essentially is a Quality of Service metric where commercial web servers are guaranteed specific amounts of network bandwidth usage whereas home computer users typically have much less bandwidth. Additionally, home user network traffic is oftentimes throttled which would make their DDoS attack traffic less.
  3. Web servers have more horse power then home computers. The number of CPUs, RAM, etc... means that commercial servers can generate much more network DDoS traffic then home computer systems.
  4. Web servers are less likely to be blacklisted by ISP vs. home computer systems. This means that web server botnet zombies will be online, sending traffic much longer than home computers.
Essentially, web server botnet participants are like "Super Soldiers" compared to normal grunts in the botnet army.


Step 1: IRC botnet instructs zombies to search for targets

First, attackers identify potential target sites. While it is possible to methodically scan network ranges looking for targets, it is more efficient to use data already collected by legitimate search sites (e.g., Google, Bing, Yahoo). By using their built-in search capabilities, botnet operators can instruct zombies (previously compromised websites or home computer systems) to send custom search queries. Here is an example of the IRC botnet help interface that lists command options:


Here is a listing of the top web vulnerabilities that are targeted by botnet attackers:


If the attacker wants to execute an RFI attack, it will execute this section of code:


Step 2: IRC botnet zombies conduct search engine queries

Zombie clients receive their search commands from the operator and use code to send requests to the various search engines. The results are then parsed to identify target websites that match the vulnerability search data.

Here is an example section of a Perl botnet client's code that lists various Search Engines to use:


And here is the section of code that sends the actual queries:


Step 3: IRC botnet instructs zombie to scan targets for vulnerabilities

Next, zombies verify the existence of the vulnerabilities in the target websites. Here is an example access_log entry: - - [06/Mar/2013:02:07:09 +0100] "GET /wp-content/themes/kingsize/timthumb.php HTTP/1.1" 404 318 "-" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" 

Step 4: IRC botnet instructs zombie to exploit vulnerability & install botnet client code

These malicious requests attempt to trick the Web application into downloading the code (hosted on a remote, attacker-owned site). If the Web application is vulnerable, it attempts to download the code. In most cases, simply downloading the code is enough, since the attacker can access the file by Web browser. - - [06/Mar/2013:02:07:11 +0100] "GET /wp-content/themes/kingsize/timthumb.php?src= HTTP/1.1" 404 318 "-" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

In this case, the black.txt file is a Perl IRC botnet client script that executes and then logs the compromised web server into the attacker's IRC channel:


The botnet owner then continues this process over and over again amassing a huge army of compromised web servers.

Post-Recruitment Actions

There are many different tasks that a large botnet can perform for their operator, however the most prevalent one at this point is initiating DDoS attacks as part of either Hacktivist or For-Profit campaigns. Here is an example "HTTPFlood" section of code:



Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More