What is a botnet?

Image of small robots connected to represent a botnet
(Image credit: Shutterstock)

Botnets were originally invented as simple docile systems, designed to run tasks repeatedly. They were so good at it, however, that they soon quickly became a technology of interest for the wrong types of people.

Essentially, botnets (the malicious ones, at least) are made up of an army of infected machines and they grow by infecting new targets, such as PCs, smartphones, tablets, and all kinds of internet-connected devices - from smart doorballs to coffee machines.

The earliest uses of botnets can be traced all the way back to before the millennium, and they've changed significantly in the years that followed. What we know as botnets today are far more sophisticated, and dangerous.

There are countless computers around the world that are currently under botnet control, with thousands of operations still active despite numerous and successful takedowns.

What we've described above, however, doesn't even scratch the surface of what a botnet is, nor what it's capable of. For a full, in-depth look at the technology, we've rounded up all you need to know about them.

Not all botnets are bad

DDoS attack

Now, as mentioned above, they're not inherently bad, often they used to perform much of the background work and repetition that goes into the delivery of online services.

The problem came when someone worked out a way to mobile these types of networks against other ones. From then on, countless botnets have emerged to cause havoc for a relatively low cost attack.

The purpose of a botnet is to self-propagate, spreading to machines and infecting them with a Trojan that typically sits idle and remains hidden until activated. Once switched on, an infected system will go to work in tandem with other devices on the bot network, pooling resources into a single action.

What that action is depends on the purpose of the botnet. It's common for criminals to use the processing power of an infected machine to launch distributed denial of service (DDoS) attacks against other networks.

Yet most the of work performed by botnets is behind the scenes. They're often deployed to churn out spam emails to millions of users, usually laced with Trojans designed to ensnare new devices. Botnets can even be hired to bombard a website with traffic to artificially inflate a site's visitor rate.

Analysing the economic impact of botnets

Historically, botnets targeted online financial institutions as that's where the money is at. Today, currencies have spread to all corners of the internet, making every business a target.

Business intelligence is one crucial, but previously overlooked area for organisations. Now, firms are finding more utility in analytics tools than ever before and certainly rely on such insights to remain competitive.

Botnets armed with an array of weaponry are wreaking havoc with such data, rendering much of it meaningless and causing harmful economic repercussions.


The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management


Web-scraping bots can copy copyrighted or trademarked data and reuse it on other websites. Two versions of the content diminish your site's search authority, negatively affecting SEO rankings.

Disrupted denial-of-service (DDoS) attacks can disrupt applications and networks, making them unavailable and creating false leads which affect traffic metrics. Poor marketing decisions may be made as a result.

Advertising fraud occurs when bots click on advertisements. Consequently, data reported to the advertisers is skewed, costing money for non-human clicks leading to no additional revenue.

Customer trust can deteriorate as inboxes are filled with unwanted mail, fake social accounts relentlessly pushing biased views, and controversy is stirred through comments and vote-rigging. Frustrated customers are usually not long-term customers.

Whether in the form of an unresponsive website, traffic being redirected to a competitor, sales chasing false leads or paying for more ad clicks, botnets cause a failure in business intelligence that directly correlates with a negative economic impact on the organisation.

Where did botnets come from?

It's unsurprisingly difficult to pinpoint the moment where botnets became a reality, but Sub7 and Pretty Park, a Trojan and a worm, are seen as malware that helped to fuel the rise of the botnet.

They were spotted just before the turn of the millennium and introduced the concept of an infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands.

One of the next significant moments in the botnet timeline was the emergence of the Global Threat bot, otherwise known as GTbot, in 2000. This was a new breed of botnet, capable of running custom scripts in response to IRC events. It also had access to raw TCP (transmission control protocol) and UDP (user datagram protocol) sockets, so it was perfect for simple denial of service (DDoS) attacks.

Another significant development came in 2002 when Agobot emerged. This introduced the concept of a staged attack, with payloads delivered sequentially. An initial attack would install a back door, the second would try to take out antivirus software and the third blocked access to security vendor websites.

Bredolab, one of the largest botnets ever recorded, emerged in 2009 with an estimated 30 million bots under its control. A network of this size was capable of sending out 3.6 billion malicious spam emails every day.

Then, in 2016, we saw the rise of Mirai, a notorious botnet that's widely believed to have been behind the attack on the Dyn network in October of that year, which saw Spotify, Netflix, Amazon and others taken offline. Since then the botnet has evolved; in March 2019, for example, a new Mirai variant that targeted vulnerable business devices was uncovered.

Social botnets

Hackers have been forced to evolve the way they build botnets over the years, most notably in the early 2000s when a shift was made from IRC communications to peer-to-peer.

IRC communication had proved highly effective, however, security researchers soon found they could simply blacklist the IRC command and control (C&C) to kill off the botnet.

Hackers, being the savvy denizens of the virtual world that they are, looked to P2P networks instead to decentralise the command and control infrastructure. In the case of the Waledac botnet, zombie machines were used to provide a P2P network that effectively hid the key servers. This effectively made it near impossible to disrupt their operations.

Future botnets

As botnets evolved, so did their ability to disrupt. The Cutwail botnet, active in 2007, introduced further camouflaging techniques and has made a significant mark in the growth of the botnet industry.

Cutwail included the concept of backup connections, allowing each bot to cryptographically generate alternative hostnames for their command and control servers on a daily basis.

The Conficker botnet, which appeared in 2008, adopted a similar technique and was capable of generating 50,000 alternative names every day.

Continual developments such as these have helped cyber criminals conceal their botnet activity, leaving law enforcement at a loss.

Taking on the bad botnet

It has not been a completely easy ride for cyber criminals, however, and there have been some major busts in recent times.

The McColo takedown in 2008 was one of the most famous. The hosting firm was taken offline after a Washington Post reporter contacted two of the company's internet service providers to warn them of malicious activity going through McColo servers.

The provider was found to be hosting command and control servers for a number of big-time botnets, including both Rustock and Cutwail.

When McColo was pulled off the internet that November, a global drop in spam levels of almost 80% was reported. However, spam would soon return to its previous prominence soon enough.

More recently, following an investigation by the FBI, the mastermind by the Kelihos botnet was arrested in 2017 while holidaying in Spain. Russian hacker Peter Levashov was thought to have orchestrated the activities of as many as 300,000 enthralled computers.

The dismantling of the network was only made possible thanks to fresh powers granted to the FBI allowing it to remotely access computers that it's unable to physically confiscate.

Perhaps the largest botnet takedown took place in December 2017, when the two-million strong Andromeda army was silenced by a joint task force comprising agents from the FBI, Europol's European Crime Centre, Eurojust, the Joint Cybercrime Action Task Force, as well as representatives from private organisations such as Microsoft.

The Andromeda botnet was thought to have involved in the propagation of at least 80 different families of malware with a global reach, making it one of the most complex takedown operations in recent times.

How do you protect yourself?

Woman holding a smartphone and installing an antivirus on her laptop

The most important, and perhaps obvious step all users should take is making sure they have the latest security software installed on a PC or network. Most security vendors today have some sort of built-in malware detection and removal tools as standard and should be switched on at all times.

But basic security hygiene is also highly recommended. Always be vigilant to emails that are from outside your organisation or from those you don't know, particularly if they arrive with attachments. This is a favoured way to spread Trojans and it's possible your system won't pick up on the infection.

It's also highly recommended that you keep all your devices updated with the latest security patches. These are significantly more important than new feature patches, as they tend to plug system holes that are either being actively exploited by hackers or are likely to be in the near future.

Generally, botnets favour those targets that are easy to reach, and quick to infect, and even basic security measures are usually enough to thwart an attack.

Like most forms of cyber crime, however, bringing an end to botnets is inconceivable.The real task is to simply try to come out victorious in each battle, all the while accepting the fact that the war can never be won.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.