A botnet is a collection of internet-connected devices, which may include personal computers (PCs), servers, mobile devices and internet of things (IoT) devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.

Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service (DDoS) attacks.

How botnets work

The term botnet is derived from the words robot and network. A bot in this case is a device infected by malicious code, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group. A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army. Both names (bot and zombie) imply the mindless automatic propagation of something malicious (malware) by agents that are possessed in some way (by the threat actor).

The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.

For example, an ad fraud botnet that infects a user's PC will take over the system's web browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed, the botnet won't take complete control of the web browsers, which would alert the user. Instead, the botnet may use a small portion of the browser's processes, often running in the background, to send a barely noticeable amount of traffic from the infected device to the targeted ads.

On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.

Botnet architecture

Botnet infections are usually spread through malware. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched in hopes of infecting as many devices as possible.

Once the desired number of devices is infected, attackers can control the bots using two different approaches. The traditional client-server approach involves setting up a command and control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as Internet Relay Chat (IRC). The bots are often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities.

The other approach to controlling infected bots involves a peer-to-peer network. Instead of using C&C servers, a peer-to-peer (P2P) botnet relies on a decentralized approach. Infected devices may be programmed to scan for malicious websites or even for other devices in the same botnet. The bots can then share updated commands or the latest versions of the botnet malware.

The P2P approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications to monitor for, locate and disrupt botnet operations.

Botnet command and control architecture
This is a diagram of the botnet command and control architecture that shows how attacks flow from botmaster to target.

Examples of botnet attacks

The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in the history of information security (infosec).

Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this malware have been used for various purposes over the years, including to spread CryptoLocker ransomware.

Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from users of infected devices. Once the data was collected, attackers used the bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.

In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The following year, the Federal Bureau of Investigation identified a group of Eastern European cybercriminals who were suspected to be behind the Zeus malware campaign; the FBI later made more than 100 arrests in the U.S. and Europe.

The Zeus botnet was repeatedly disrupted in 2010, when two internet service providers (ISPs) that were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus malware were later discovered.

The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of email spam -- as much as 60 billion messages a day, accounting for roughly half of all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out political spam emails promoting then-U.S. presidential candidate Ron Paul.

The botnet used a Trojan to infect users' computers, which were then used to send out spam. Experts estimated that the Srizbi botnet included approximately 450,000 infected systems.

The cybercriminals behind Srizbi used hosting provider McColo, based in San Jose, Calif., for the botnet's C&C infrastructure. The botnet's activity ceased when McColo, which was discovered to be hosting other botnet and spam operations as well, was shut down in 2008.

Gameover Zeus
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus malware emerged, known as Gameover Zeus.

Instead of relying on a traditional, centralized C&C operation to control bots, Gameover Zeus used a P2P network approach, which initially made the botnet harder for law enforcement and security vendors to pinpoint and disrupt. Infected bots used the domain generation algorithm (DGA) to communicate.

The Gameover Zeus botnet would generate domain names to serve as communication points for infected bots. An infected device would randomly select domains until it reached an active domain that was able to issue new commands. Security firm Bitdefender reported two versions of Gameover Zeus, one that generated 1,000 new domains and the other that generated 10,000 new domains each day.

In 2014, international law enforcement agencies took part in Operation Tovar to temporarily disrupt Gameover Zeus by identifying the domains used by the cybercriminals and then redirecting bot traffic to government-controlled servers.

The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who is accused of being the mastermind behind the Gameover Zeus botnet. Bogachev is still at large, and new variants of Gameover Zeus have since emerged.

An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by cybersecurity services company White Ops. According to security researchers, Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily last year by producing fraudulent clicks for online ads, as well as fake views of video advertisements.

Instead of infecting random devices, the Methbot campaign is run on approximately 800 to 1,200 dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's operational infrastructure includes 6,000 spoofed domains and more than 850,000 dedicated Internet Protocol (IP) addresses, many of which are falsely registered as belonging to legitimate U.S.-based ISPs.

The infected servers can produce fake clicks and mouse movements, as well as forge social media account logins to appear as legitimate users to fool conventional ad fraud detection techniques. In an effort to disrupt the monetization scheme for Methbot, White Ops published a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them to block the addresses.

Several powerful, record-setting DDoS attacks were observed in late 2016, and they were later traced to a new brand of malware known as Mirai. The DDoS traffic was produced by a variety of connected devices, such as wireless routers and closed-circuit television (CCTV) cameras.

Mirai malware is designed to scan the internet for insecure connected devices, while also avoiding IP addresses belonging to major corporations, like Hewlett Packard (HP), and government agencies, such as the U.S. Department of Defense (DOD).

Once it identifies an insecure device, the malware tries to log in with a series of common default passwords used by manufacturers. If those passwords don't work, then Mirai uses brute-force attacks to guess the password. Once a device is compromised, it connects to C&C infrastructure and can divert varying amounts of traffic toward a DDoS target.

Devices that have been infected are often still able to continue functioning normally, making it difficult to detect Mirai botnet activity from a specific device. The Mirai source code was later released to the public, enabling anyone to use the malware to compose botnets by utilizing poorly protected IoT devices.

Vulnerable devices

The recent influx of cheap, internet-capable devices is vulnerable to botnet attacks. This is because these devices have either limited security features to begin with or because the security features are difficult to manage.

One common tactic of a botnet like Mirai is to target routers and IoT devices that have weak or factory default passwords and which can be easily compromised. Users may be unable to change the passwords for many IoT devices, which leaves them exposed to data breaches.

For some IoT devices, such as digital video recorders, the factory password is hardcoded in the device's firmware, and many devices cannot update their firmware over the internet. If the manufacturer cannot remotely update the devices' firmware to patch them or change their hardcoded passwords, then they may have to conduct a factory recall of the affected devices. Botnet malware may also scan for ineffective or outdated security products, such as firewalls or antivirus software.

In general, IoT devices are easier to hack because botnets rely on a large network of devices to complete their objective. More devices in the network means a larger attack surface for botnets. IoT devices cannot be managed, accessed or monitored in the same way that conventional IT devices can, which means that methods of updating and defending standard IT devices does not apply to newer IoT devices. The increase of devices, combined with inconsistent security features, is an ideal landscape for botnet propagation because botnets rely on a multitude of hackable devices to reach their objective.

Preventing botnet attacks

In the past, botnet attacks were disrupted by focusing on the C&C source. Law enforcement agencies and security vendors would trace the bots' communications to wherever the control server was hosted and then force the hosting or service provider to shut them down.

However, as botnet malware becomes more sophisticated and communications become decentralized, takedown efforts have shifted away from targeting C&C infrastructures to other approaches. These approaches include identifying and removing botnet malware infections at the source devices, identifying and replicating the P2P communication methods and, in cases of ad fraud, disrupting the monetization schemes, rather than the technical infrastructures.

How to detect and prevent botnet attacks

Botnet attacks frequently go undetected because they involve a wide network of devices that operate in the background of a user's device and occupy little bandwidth. They also target the wide variety of devices in IoT, which all vary in the ways that they interact with the physical world and in the ways in which users can secure them. There is no one-size-fits-all solution to botnet detection and prevention, but manufacturers and enterprises can start by incorporating the following:

  • Strong user authentication method.
  • Secure remote firmware updates. Only firmware from the original manufacturer should be permitted.
  • Secure boot. This ensures the device only executes code produced by trusted parties.
  • Advanced behavioral analysis. This detects unusual behavior in IoT traffic.
  • Automation, machine learning and artificial intelligence (AI). These enable response to new threats at digital speeds before they cause serious harm.

Unfortunately, botnet attacks are hard to detect on an individual level because devices continue to act normally while infected by botnet malware. It may be possible for the user to remove the malware itself but less likely for the user to be able to have any effect on the botnet as a whole. Many of the security measures mentioned above occur at the manufacturing and enterprise levels. For this reason, security measures need to be baked into many IoT devices from conception. Botnet attacks will likely continue to increase in sophistication, requiring cohesion and efficiency from IoT security solutions.

This was last updated in October 2019

Continue Reading About botnet

Dig Deeper on Malware, virus, Trojan and spyware protection and removal