Last modified: 2009-07-18
Abstract
Recently, cyber-attacks using botnets have been increasing. Attackers can execute DDoS attacks more easily by using tools such as Netbot, which is a kind of botnet, even if they do not have expert knowledge. Besides, Netbot includes functions that enable attackers to control and monitor compromised systems remotely, as well as to launch DDoS attacks. Therefore, it can lead to secondary damage, because attackers illegally obtain users' private information and the data stored on their computers. In fact, many websites in Korea, such as game item trading sites, internet portals and internet banking websites, have experienced DDoS attacks since 2007. In this paper, in order to detect Netbot at an early stage and to reduce the damage, we constructed an environment for Netbot analysis. In addition, we analyzed the changes to files, registries and traffic, as well as the malicious behavioral patterns of Netbot on zombie computers. We also proposed a framework to detect Netbot agents based on these analysis results.