What is a botnet?

An in-depth look at the evolution of this highly effective method of cyber crime

Botnet graphic

Looking back at how cyber criminals have altered their tactics over the years makes you realise how quickly the threat landscape has changed.

Botnets came from humble beginnings, starting life as nothing more than docile systems that were designed to run repetitive tasks, the ones that are required for the internet to exist. The problem is, they were so good at what they did that it didn't take long for the technology to fall into the wrong hands.

Advertisement - Article continues below

Malicious botnets are essentially made up of an army of infected machines, which grows by infecting new targets through drive-by downloads or trojan horses. Computers, phones and tablets are all vulnerable to their attacks.

The earliest iterations can be traced back to before the turn of the millennium, but since then they've undergone several stages of evolution, becoming ever more sophisticated and dangerous. There are a staggering amount of computers currently under botnet control across the globe and thousands of operations remain active despite numerous successful takedowns.

But all of that doesn't even scratch the surface of what a botnet is or what they're capable of. Here's everything you need to know about the vicious attackers that have infected millions of systems worldwide.

The workhorses of the internet

Botnets are a collection of interconnected computers that support the everyday running of the internet.

Advertisement - Article continues below

They're not inherently malicious systems, but in fact, perform much of the background work and repetitive tasks that are needed to deliver services online.

The problem came when someone figured out how to mobilise these types of networks against others. Since then, numerous botnets have emerged to deliver devastating yet rudimentary attacks, at a very low cost.

Advertisement - Article continues below

The purpose of a botnet is to self-propagate, spreading to user machines and infecting them with a Trojan that typically sits idle and remains hidden until activated. Once turned on, an infected system will go to work in tandem with other devices on the bot network, pooling resources into a single action.

What that action is depends on the purpose of the botnet. It's common for criminals to use the processing power of an infected machine to launch denial of service (DDoS) attacks against other networks.

Yet most the of work performed by botnets is behind the scenes. They're often deployed to churn out spam emails to millions of users, usually laced with Trojans designed to ensnare new devices. Botnets can even be hired to bombard a website with traffic to artificially inflate a site's visitor rate.

Analysing the economic impact

Historically, botnets targeted online financial institutions, as simply, that's where the money is. Or, where it was, at least. Today, currencies have spread to all corners of the internet, making every business a target.

Advertisement - Article continues below

Business intelligence is one crucial - but previously overlooked - area for organisations. Now, though, firms are finding more utility in analytics tools than ever before and certainly rely on such insights to remain competitive.

Botnets armed with an array of weaponry are wreaking havoc with such data, rendering much of it meaningless and causing harmful economic repercussions.

Web-scraping bots can copy copyrighted or trademarked data and reuse it on other websites. Two versions of the content diminish your site's search authority, negatively affecting SEO rankings.

Advertisement - Article continues below

Disrupted denial-of-service (DDoS) attacks can disrupt applications and networks, making them unavailable and creating false leads which affect traffic metrics. Poor marketing decisions may be made as a result.

Advertising fraud occurs when bots click on advertisements. Consequently, data reported to the advertisers is skewed, costing money for non-human clicks leading to no additional revenue.

Customer trust can deteriorate as inboxes are filled with unwanted mail, fake social accounts relentlessly pushing biased views, and controversy is stirred through comments and vote-rigging. Frustrated customers are usually not long-term customers.

Advertisement - Article continues below

Whether in the form of an unresponsive website, traffic being redirected to a competitor, sales chasing false leads, or paying for more ad clicks, botnets cause a failure in business intelligence that directly correlates with a negative economic impact on the organisation.

Where did they come from?

It's unsurprisingly difficult to pinpoint the moment where botnets became a reality, but Sub7 and Pretty Park a Trojan and a worm are seen as malware that helped initiate the rise of the botnet.

They were spotted just before the turn of the Millennium and introduced the concept of an infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands. Since they were born, hackers began to get really creative.

One of the next significant moments in the botnet timeline was the emergence in 2000 of the Global Threat bot, otherwise known as GTbot. This was a new breed of botnet, capable of running custom scripts in response to IRC events, and had access to raw TCP (transmission control protocol) and UDP (user datagram protocol) sockets, so it was perfect for simple denial of service (DDoS) attacks.

Advertisement - Article continues below

Another significant year came in 2002 when Agobot emerged. This introduced the concept of a staged attack, with payloads delivered sequentially. An initial attack would install a back door, the second would try to take out anti-virus software and the third blocked access to security vendor websites.

Advertisement - Article continues below

Bredolab, one of the largest botnets ever recorded, emerged in 2009 with an estimated 30 million bots under its control. A network of this size was capable of sending out 3.6 billion malicious spam emails every day.

Then, in 2016, we saw the rise of Mirai, a notorious botnet that's widely believed to have been behind the attack on the Dyn network in October of that year, which saw Spotify, Netflix, Amazon and others taken offline. Since then, the source code for the botnet has been distributed as open source on hacker forums.

Getting social

Hackers have been forced to evolve the way they build botnets over the years, most notably in the early 2000s when a shift was made from IRC communications to peer-to-peer.

Advertisement - Article continues below

IRC communication had proved highly effective, however, security researchers soon found they could simply blacklist the IRC command and control (C&C) to kill off the botnet.

Hackers, being the savvy denizens of the virtual world that they are, looked to P2P networks instead to decentralise the command and control infrastructure. In the case of the Waledac botnet, zombie machines were used to provide a P2P network that effectively hid the key servers. This effectively made it near impossible to disrupt their operations.

New functionality

As botnets evolved, so did their ability to disrupt. The Cutwail botnet, active in 2007, introduced further camouflaging techniques and has made a significant mark in the growth of the botnet industry.

Cutwail included the concept of backup connections, allowing each bot to cryptographically generate alternative hostnames for their command and control servers on a daily basis.

The Conficker botnet, which appeared in 2008, adopted a similar technique and was capable of generating 50,000 alternative names every day.

Advertisement - Article continues below

Continual developments such as these have helped cyber criminals conceal their botnet activity, leaving law enforcement at a loss.

Taking on the criminals

It has not been a completely easy ride for cyber criminals, however, and there have been some major busts in recent times.

Advertisement - Article continues below

The McColo takedown in 2008 was one of the most famous. The hosting firm was taken offline after a Washington Post reporter contacted two of the company's internet service providers to warn them of malicious activity going through McColo servers.

The provider was found to be hosting command and control servers for a number of big-time botnets, including both Rustock and Cutwail.

When McColo was pulled off the internet that November, a global drop in spam levels of almost 80% was reported. However, spam would soon return to its previous prominence soon enough.

More recently, following an investigation by the FBI, the mastermind by the Kelihos botnet was arrested in 2017 while holidaying in Spain. Russian hacker Peter Levashov was thought to have orchestrated the activities of as many as 300,000 enthralled computers.

Advertisement - Article continues below

The dismantling of the network was only made possible thanks to fresh powers granted to the FBI allowing it to remotely access computers that it's unable to physically confiscate.

Perhaps the largest botnet takedown took place in December 2017, when the two-million strong Andromeda army was silenced by a joint task force comprising agents from the FBI, Europol's European Crime Centre, Eurojust, the Joint Cybercrime Action Task Force, as well as representatives from private organisations such as Microsoft.

The Andromeda botnet was thought to have involved in the propagation of at least 80 different families of malware with a global reach, making it one of the most complex takedown operations in recent times.

How do you protect yourself?

The most important, and perhaps obvious step all users should take is making sure they have the latest security software installed on a PC or network. Most security vendors today have some sort of built-in malware detection and removal tools as standard and should be switched on at all times.

Advertisement - Article continues below

But basic security hygiene is also highly recommended. Always be vigilant to emails that are from outside your organisation or from those you don't know, particularly if they arrive with attachments. This is a favoured way to spread Trojans and it's possible your system won't pick up on the infection.

It's also highly recommended that you keep all your devices updated with the latest security patches. These are significantly more important than new feature patches, as they tend to plug system holes that are either being actively exploited by hackers or are likely to be in the near future.

Generally, botnets favour those targets that are easy to reach, and quick to infect, and even basic security measures are usually enough to thwart an attack.

Like most forms of cyber crime, however, bringing an end to botnets is inconceivable.The real task is to simply try to come out victorious in each battle, all the while accepting the fact that the war can never be won.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020