Botnet Communication Topologies
Understanding the intricacies of botnet Command-and-Control
Published: June 2009

A clear distinction between a bot agent and a common piece of malware lies in the bot’s ability to communicate with a Command-and-Control (CnC) infrastructure. CnC allows a bot agent to receive new instructions and malicious capabilities, as dictated by a remote criminal entity. Once linked into a botnet via that CnC, the compromised host can be used as an unwilling participant in Internet crime.

The criminals actively controlling botnets must ensure that their CnC infrastructure is robust enough to manage tens of thousands of globally scattered bot agents and to resist attempts to hijack or shut down the botnet. Botnet operators have consequently developed a range of technologies and tactics to protect their CnC investment. This paper reviews the tactics commonly employed by botnet operators to maintain control of their botnets, and the impact of these tactics on standard network-blocking protection strategies.

    Copyright 2001-2009 © Gunter Ollmann