What is a botnet?

An in-depth look at the evolution of this highly effective method of cyber crime

Botnets came from humble beginnings, starting life as nothing more than docile systems that were designed to run repetitive tasks. The problem is, they were so good at what they did that it didn't take long for the technology to fall into the wrong hands.

Malicious botnets are essentially made up of an army of infected machines, which grows by infecting new targets, be it PCs, smartphones, tablets or Internet of Things (IoT) devices, using drive-by downloads or trojan horses. 

The earliest iterations can be traced back to before the turn of the millennium, but since then they've undergone several stages of evolution, becoming ever more sophisticated and dangerous. An enormous number of computers are currently under botnet control across the globe, and thousands of operations remain active despite numerous successful takedowns.

But that doesn't even scratch the surface of what a botnet is, nor what it's capable of. We've rounded up everything you need to know about the vicious attackers that have infected millions of systems worldwide.

The workhorses of the internet

Botnets are a collection of interconnected computers that support the everyday running of the internet.

They're not inherently malicious systems, and in fact perform much of the background work and repetitive tasks that are needed to deliver services online.

The problem came when someone figured out how to mobilise these types of networks against others. Since then, numerous botnets have emerged to deliver devastating yet rudimentary low-cost attacks.

The purpose of a botnet is to self-propagate, spreading to machines and infecting them with a Trojan that typically sits idle and remains hidden until activated. Once switched on, an infected system will go to work in tandem with other devices on the bot network, pooling resources into a single action.

What that action is depends on the purpose of the botnet. It's common for criminals to use the processing power of an infected machine to launch distributed denial of service (DDoS) attacks against other networks.

Yet most of the work performed by botnets is behind the scenes. They're often deployed to churn out spam emails to millions of users, usually laced with Trojans designed to ensnare new devices. Botnets can even be hired to bombard a website with traffic to artificially inflate a site's visitor rate.

Analysing the economic impact

Historically, botnets targeted online financial institutions as that's where the money is at. Today, currencies have spread to all corners of the internet, making every business a target.

Business intelligence is one crucial, but previously overlooked area for organisations. Now, firms are finding more utility in analytics tools than ever before and certainly rely on such insights to remain competitive.

Botnets armed with an array of weaponry are wreaking havoc with such data, rendering much of it meaningless and causing harmful economic repercussions.

Web-scraping bots can copy copyrighted or trademarked data and reuse it on other websites. Two versions of the content diminish your site's search authority, negatively affecting SEO rankings.

Distributed denial-of-service (DDoS) attacks can disrupt applications and networks, making them unavailable and creating false leads which affect traffic metrics. Poor marketing decisions may be made as a result.

Advertising fraud occurs when bots click on advertisements. Consequently, data reported to the advertisers is skewed, costing money for non-human clicks leading to no additional revenue.

Customer trust can deteriorate as inboxes are filled with unwanted mail, fake social accounts relentlessly pushing biased views, and controversy is stirred through comments and vote-rigging. Frustrated customers are usually not long-term customers.

Whether in the form of an unresponsive website, traffic being redirected to a competitor, sales chasing false leads or paying for more ad clicks, botnets cause a failure in business intelligence that directly correlates with a negative economic impact on the organisation.

Where did they come from?

It's unsurprisingly difficult to pinpoint the moment where botnets became a reality, but Sub7 and Pretty Park, a Trojan and a worm, are seen as malware that helped to fuel the rise of the botnet.

They were spotted just before the turn of the millennium and introduced the concept of an infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands. 

One of the next significant moments in the botnet timeline was the emergence of the Global Threat bot, otherwise known as GTbot, in 2000. This was a new breed of botnet, capable of running custom scripts in response to IRC events. It also had access to raw TCP (transmission control protocol) and UDP (user datagram protocol) sockets, so it was perfect for simple denial of service (DDoS) attacks.

Another significant development came in 2002 when Agobot emerged. This introduced the concept of a staged attack, with payloads delivered sequentially. An initial attack would install a back door, the second would try to take out antivirus software and the third blocked access to security vendor websites.

Bredolab, one of the largest botnets ever recorded, emerged in 2009 with an estimated 30 million bots under its control. A network of this size was capable of sending out 3.6 billion malicious spam emails every day.

Then, in 2016, we saw the rise of Mirai, a notorious botnet that's widely believed to have been behind the attack on the Dyn network in October of that year, which saw Spotify, Netflix, Amazon and others taken offline. Since then the botnet has evolved; in March 2019, for example, a new Mirai variant that targeted vulnerable business devices was uncovered. 

Getting social

Hackers have been forced to evolve the way they build botnets over the years, most notably in the early 2000s when a shift was made from IRC communications to peer-to-peer.

IRC communication had proved highly effective; however, security researchers soon found they could simply blacklist the IRC command and control (C&C) to kill off the botnet.

Hackers, being the savvy denizens of the virtual world that they are, looked to P2P networks instead to decentralise the command and control infrastructure. In the case of the Waledac botnet, zombie machines were used to provide a P2P network that effectively hid the key servers. This made it nearly impossible to disrupt their operations.

New functionality

As botnets evolved, so did their ability to disrupt. The Cutwail botnet, active in 2007, introduced further camouflaging techniques and has made a significant mark in the growth of the botnet industry.

Cutwail included the concept of backup connections, allowing each bot to cryptographically generate alternative hostnames for their command and control servers on a daily basis.

The Conficker botnet, which appeared in 2008, adopted a similar technique and was capable of generating 50,000 alternative names every day.
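One defensive consequence of the daily hostname generation described above, shown as an added example that is not from the original article: most generated names are never registered, so an infected machine tends to produce bursts of failed lookups for random-looking names. The log format, thresholds and sample lines below are constructed assumptions, not output from any real botnet or resolver.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 xkqjvhzpwtrm.example NXDOMAIN
10.0.0.7 qzpwvmxkrtjh.example NXDOMAIN
10.0.0.7 bhtrzqxwvkpm.example NXDOMAIN
10.0.0.7 wvkzjqxprthm.example NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.9 intranet-portal.example NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character; random strings score higher than words."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def looks_generated(name, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy leftmost label (assumed thresholds)."""
    label = name.split(".")[0].lower()
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspect_clients(log_text, threshold=3):
    """Return clients with >= threshold distinct failed random-looking lookups."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing fields
        client, name, rcode = parts
        if rcode == "NXDOMAIN" and looks_generated(name):
            hits[client].add(name)
    # One mistyped hostname is normal; a cluster of them is the signal.
    return {c: sorted(n) for c, n in hits.items() if len(n) >= threshold}

if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_LOG).items():
        print(client, len(names), "suspicious failed lookups")
```

The thresholds need tuning against real traffic, since content delivery networks and some security products also query long random-looking names.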

Continual developments such as these have helped cyber criminals conceal their botnet activity, leaving law enforcement at a loss.

Taking on the criminals

It has not been a completely easy ride for cyber criminals, however, and there have been some major busts in recent times.

The McColo takedown in 2008 was one of the most famous. The hosting firm was taken offline after a Washington Post reporter contacted two of the company's internet service providers to warn them of malicious activity going through McColo servers.

The provider was found to be hosting command and control servers for a number of big-time botnets, including both Rustock and Cutwail.

When McColo was pulled off the internet that November, a global drop in spam levels of almost 80% was reported. However, spam would return to its previous prominence soon enough.

More recently, following an investigation by the FBI, the mastermind behind the Kelihos botnet was arrested in 2017 while holidaying in Spain. Russian hacker Peter Levashov was thought to have orchestrated the activities of as many as 300,000 enthralled computers.

The dismantling of the network was only made possible thanks to fresh powers granted to the FBI allowing it to remotely access computers that it's unable to physically confiscate.

Perhaps the largest botnet takedown took place in December 2017, when the two-million strong Andromeda army was silenced by a joint task force comprising agents from the FBI, Europol's European Crime Centre, Eurojust, the Joint Cybercrime Action Task Force, as well as representatives from private organisations such as Microsoft.

The Andromeda botnet was thought to have been involved in the propagation of at least 80 different families of malware with a global reach, making it one of the most complex takedown operations in recent times.

How do you protect yourself?

The most important, and perhaps obvious step all users should take is making sure they have the latest security software installed on a PC or network. Most security vendors today have some sort of built-in malware detection and removal tools as standard and should be switched on at all times.

But basic security hygiene is also highly recommended. Always be vigilant to emails that are from outside your organisation or from those you don't know, particularly if they arrive with attachments. This is a favoured way to spread Trojans and it's possible your system won't pick up on the infection.

It's also highly recommended that you keep all your devices updated with the latest security patches. These are significantly more important than new feature patches, as they tend to plug system holes that are either being actively exploited by hackers or are likely to be in the near future.

Generally, botnets favour those targets that are easy to reach, and quick to infect, and even basic security measures are usually enough to thwart an attack.

Like most forms of cyber crime, however, bringing an end to botnets is inconceivable. The real task is to simply try to come out victorious in each battle, all the while accepting the fact that the war can never be won.
