What is a botnet?

An in-depth look at the evolution of this highly effective method of cyber crime

Botnets came from humble beginnings, starting life as nothing more than docile systems that were designed to run repetitive tasks. The problem is, they were so good at what they did that it didn't take long for the technology to fall into the wrong hands.

Malicious botnets are essentially made up of an army of infected machines, which grows by infecting new targets, be it PCs, smartphones, tablets or Internet of Things (IoT) devices, using drive-by downloads or trojan horses. 

The earliest iterations can be traced back to before the turn of the millennium, but since they've undergone several stages of evolution, becoming ever more sophisticated and dangerous. There are an enormous amount of computers currently under botnet control across the globe, and thousands of operations remain active despite numerous successful takedowns.

But that doesn't even scratch the surface of what a botnet is, nor what it's capable of. We've rounded up you need to know about the vicious attackers that have infected millions of systems worldwide.

The workhorses of the internet

DDoS attack

Botnets are a collection of interconnected computers that support the everyday running of the internet.

They're not inherently malicious systems, and in fact perform much of the background work and repetitive tasks that are needed to deliver services online.

The problem came when someone figured out how to mobilise these types of networks against others. Since then, numerous botnets have emerged to deliver devastating yet rudimentary low-cost attacks.

The purpose of a botnet is to self-propagate, spreading to machines and infecting them with a Trojan that typically sits idle and remains hidden until activated. Once switched on, an infected system will go to work in tandem with other devices on the bot network, pooling resources into a single action.

What that action is depends on the purpose of the botnet. It's common for criminals to use the processing power of an infected machine to launch distributed denial of service (DDoS) attacks against other networks.

Yet most the of work performed by botnets is behind the scenes. They're often deployed to churn out spam emails to millions of users, usually laced with Trojans designed to ensnare new devices. Botnets can even be hired to bombard a website with traffic to artificially inflate a site's visitor rate.

Analysing the economic impact

Historically, botnets targeted online financial institutions as that's where the money is at. Today, currencies have spread to all corners of the internet, making every business a target.

Business intelligence is one crucial, but previously overlooked area for organisations. Now, firms are finding more utility in analytics tools than ever before and certainly rely on such insights to remain competitive.

Botnets armed with an array of weaponry are wreaking havoc with such data, rendering much of it meaningless and causing harmful economic repercussions.

Web-scraping bots can copy copyrighted or trademarked data and reuse it on other websites. Two versions of the content diminish your site's search authority, negatively affecting SEO rankings.

Disrupted denial-of-service (DDoS) attacks can disrupt applications and networks, making them unavailable and creating false leads which affect traffic metrics. Poor marketing decisions may be made as a result.

Advertising fraud occurs when bots click on advertisements. Consequently, data reported to the advertisers is skewed, costing money for non-human clicks leading to no additional revenue.

Customer trust can deteriorate as inboxes are filled with unwanted mail, fake social accounts relentlessly pushing biased views, and controversy is stirred through comments and vote-rigging. Frustrated customers are usually not long-term customers.

Whether in the form of an unresponsive website, traffic being redirected to a competitor, sales chasing false leads or paying for more ad clicks, botnets cause a failure in business intelligence that directly correlates with a negative economic impact on the organisation.

Where did they come from?

It's unsurprisingly difficult to pinpoint the moment where botnets became a reality, but Sub7 and Pretty Park, a Trojan and a worm, are seen as malware that helped to fuel the rise of the botnet.

They were spotted just before the turn of the millennium and introduced the concept of an infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands. 

One of the next significant moments in the botnet timeline was the emergence of the Global Threat bot, otherwise known as GTbot, in 2000. This was a new breed of botnet, capable of running custom scripts in response to IRC events. It also had access to raw TCP (transmission control protocol) and UDP (user datagram protocol) sockets, so it was perfect for simple denial of service (DDoS) attacks.

Another significant development came in 2002 when Agobot emerged. This introduced the concept of a staged attack, with payloads delivered sequentially. An initial attack would install a back door, the second would try to take out antivirus software and the third blocked access to security vendor websites.

Bredolab, one of the largest botnets ever recorded, emerged in 2009 with an estimated 30 million bots under its control. A network of this size was capable of sending out 3.6 billion malicious spam emails every day.

Then, in 2016, we saw the rise of Mirai, a notorious botnet that's widely believed to have been behind the attack on the Dyn network in October of that year, which saw Spotify, Netflix, Amazon and others taken offline. Since then the botnet has evolved; in March 2019, for example, a new Mirai variant that targeted vulnerable business devices was uncovered. 

Getting social

Hackers have been forced to evolve the way they build botnets over the years, most notably in the early 2000s when a shift was made from IRC communications to peer-to-peer.

IRC communication had proved highly effective, however, security researchers soon found they could simply blacklist the IRC command and control (C&C) to kill off the botnet.

Hackers, being the savvy denizens of the virtual world that they are, looked to P2P networks instead to decentralise the command and control infrastructure. In the case of the Waledac botnet, zombie machines were used to provide a P2P network that effectively hid the key servers. This effectively made it near impossible to disrupt their operations.

New functionality

As botnets evolved, so did their ability to disrupt. The Cutwail botnet, active in 2007, introduced further camouflaging techniques and has made a significant mark in the growth of the botnet industry.

Cutwail included the concept of backup connections, allowing each bot to cryptographically generate alternative hostnames for their command and control servers on a daily basis.

The Conficker botnet, which appeared in 2008, adopted a similar technique and was capable of generating 50,000 alternative names every day.

Continual developments such as these have helped cyber criminals conceal their botnet activity, leaving law enforcement at a loss.

Taking on the criminals

It has not been a completely easy ride for cyber criminals, however, and there have been some major busts in recent times.

The McColo takedown in 2008 was one of the most famous. The hosting firm was taken offline after a Washington Post reporter contacted two of the company's internet service providers to warn them of malicious activity going through McColo servers.

The provider was found to be hosting command and control servers for a number of big-time botnets, including both Rustock and Cutwail.

When McColo was pulled off the internet that November, a global drop in spam levels of almost 80% was reported. However, spam would soon return to its previous prominence soon enough.

More recently, following an investigation by the FBI, the mastermind by the Kelihos botnet was arrested in 2017 while holidaying in Spain. Russian hacker Peter Levashov was thought to have orchestrated the activities of as many as 300,000 enthralled computers.

The dismantling of the network was only made possible thanks to fresh powers granted to the FBI allowing it to remotely access computers that it's unable to physically confiscate.

Perhaps the largest botnet takedown took place in December 2017, when the two-million strong Andromeda army was silenced by a joint task force comprising agents from the FBI, Europol's European Crime Centre, Eurojust, the Joint Cybercrime Action Task Force, as well as representatives from private organisations such as Microsoft.

The Andromeda botnet was thought to have involved in the propagation of at least 80 different families of malware with a global reach, making it one of the most complex takedown operations in recent times.

How do you protect yourself?

The most important, and perhaps obvious step all users should take is making sure they have the latest security software installed on a PC or network. Most security vendors today have some sort of built-in malware detection and removal tools as standard and should be switched on at all times.

But basic security hygiene is also highly recommended. Always be vigilant to emails that are from outside your organisation or from those you don't know, particularly if they arrive with attachments. This is a favoured way to spread Trojans and it's possible your system won't pick up on the infection.

It's also highly recommended that you keep all your devices updated with the latest security patches. These are significantly more important than new feature patches, as they tend to plug system holes that are either being actively exploited by hackers or are likely to be in the near future.

Generally, botnets favour those targets that are easy to reach, and quick to infect, and even basic security measures are usually enough to thwart an attack.

Like most forms of cyber crime, however, bringing an end to botnets is inconceivable.The real task is to simply try to come out victorious in each battle, all the while accepting the fact that the war can never be won.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now


Trend Micro home network security flaws could let hackers take over PCs

Trend Micro home network security flaws could let hackers take over PCs

26 May 2021
Ransomware criminals look to other hackers to provide them with network access

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Four in five ransomware victims suffer repeat attacks

Four in five ransomware victims suffer repeat attacks

16 Jun 2021

Most Popular

How to find RAM speed, size and type

How to find RAM speed, size and type

16 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021