Not all of the zombie network to the organization the same way. This is the conclusion of a report requested Damballa the main structure of the classification. It seeks to explain why certain type of blocking and filtering, will some zombies, and not others.

"The threat is often mixed actor said about the flag," Gunter Ollmann, research vice president, Damballa, enterprise security company, which specializes in ease zombie, "but the label that there is no task force, responsible for the maintenance of enterprise. Topology to explain (and their strengths and weaknesses) of these groups can better visualize the threat.

Star structure is the most basic procedures, and provides direct communication between the individual command and control (CNC) server. It can be displayed in a star-shaped pattern. However, a direct communication between the NC server botnet to create a single point of failure. Remove the NC server and the zombie due. Ollmann said that Zeus zombie self-help kits, out of the box are the star map, but often botmasters upgrade, making it a multi-server.

"In most cases, in particular, botnets can be categorized as members of NC only topology - but the county is often the master of the zombie network, they choose which one."

Multi-server is a logical extension of the structure of the use of a number of stars NC server roaming individual feed instructions. Such a design, said Ollmann, to provide flexibility should be a NC server. It also requires advanced planning to implementation. Srizbi is a typical example of multi-server topology zombie NC.

This means that no one knows the location of zombies, and any other procedures, are often difficult to gauge security researchers the overall size of the zombie network. Such a structure, said Damballa, the most appropriate part of the lease or sale to others zombies. Disadvantage is that the instructions take longer to achieve its objectives, so that certain types of attacks can not be coordinated.

Random is the opposite of the hierarchical structure. The zombie network is decentralized and the use of multiple communication paths. The disadvantage is that each robot can be cited in other regions, and often lags behind the cluster of communication between the roaming, again there has been some attacks can not be coordinated. Damballa storm may be suitable to the random mode Malware botnet shut down Conficker.

The report pointed out that the zombie network topologies: understanding the complex botnet command and control, but also different ways to the top of the rapidly changing, the method is a numerical control to change its domain name server on the fly. Damballa found the flow domain, the process of change and distribution of a number of fully qualified domain name to a single IP address or CNC infrastructure, is the most resilient to the discovery and mitigation.