What is a Botnet? | Cyberattack Technique Explained

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

With the recent string of high-profile attacks, ransomware has taken center stage when it comes to malware. However, that doesn’t mean that other forms and methods of cyber attacks have stopped being a threat. Some are still very actively used and dangerous, even though they might not carry the aura of infamy and notoriety they once did.

One of those is botnets, which are responsible for a whole range of different types of attacks.

So, what is a botnet? The short botnet definition would go like this: an interconnected network of malware-infected devices used to conduct cybercriminal activity.

There are multiple types of botnets, and they can be used for various purposes. Let’s take a closer look at how this pervasive form of malware functions.

How do Botnets Work?

The term botnet is derived from the words “robot” and “network.” The reason why “robot” is part of the name is that botnet attacks are automated, with computers in the botnet automatically performing issued commands. Botnets work by infecting computers and other internet-connected devices, with each afflicted device being added to the network.

The initial devices added to the botnet can be infected through any form of traditional malware planting. Hackers can do it by exploiting software vulnerabilities, email, weaknesses in cyber security, and so forth. Once a botnet collective has been formed, it has the ability to “recruit” more devices into the “robot” network.

Owners of infected devices are largely unaware that their computer is part of a botnet. This is why computers in the botnet are often referred to as the “zombie army” – they become unwitting servants to someone with nefarious plans. Instead of brains, they look for more devices to infect, though.

How are Botnet Commands Issued?

Owners of bot networks are called “bot herders” or “botmasters.” A bot herder controls the botnet remotely through command and control (C&C or C2) servers. Through a botnet server, the herder can issue commands to the network, which each affected zombie computer has to follow.

The methods of issuing commands can differ between hackers. One of the most commonly used ways in the past was through IRC channels. Once infected, devices would be forced to join a designated IRC channel automatically. The bot creator would then use that channel to send and disseminate commands, telling devices the things they need to do.

This method of sending commands through IRC channels falls into the category of centralized botnets (also referred to as client-server botnets). A centralized botnet structure functions by the bot herder sending instructions to each zombie device directly.

While easier to set up, they also make it much easier for government agencies and cybersecurity companies to determine the botnet owner. Hence, the majority of cybercriminals today favor the decentralized botnet structure.

In a decentralized, peer-to-peer botnet, the bot herder can send the command to any infected device in the network, which can number in the thousands. The initial command recipient then automatically disseminates the instructions to the rest of the botnet.

As you might assume, this way, it’s much harder for anyone to track down where the botnet commands originate from, and it’s thus more difficult to shut down the network or prosecute its creator.

One of the most well-known botnets called Zeus switched from a centralized to a decentralized model to continue its operations. Zeus or Zbot is a particularly insidious botnet that came to existence sometime during 2007.

Zeus was one of the most widespread botnets in history, with its network numbering 3.6 million bots in 2009. It was used to steal financial information from its targets while adding more devices into the botnet.

When the operations of the Zeus botnet were disrupted in 2010, it found new life under the name GameOver Zeus, switching to a decentralized botnet model instead of a centralized one. Thanks to these adaptions, Zeus and its various offshoots plague us to this day.

botnet c&c architecture

Types of Botnet Attacks

Ok, now that we’ve covered the basics of how they are created and how they work, one question remains: what are botnets used for?

Botnets are used to launch malware attacks, relying on the sheer mass of zombie computers in their ranks to overwhelm a system, crash down a network, force an application offline, or flood the internet with emails. Let’s go through some of the most notable cases for each type of attack.

Email Spam

One of the most common – and oldest – forms of botnet attack is email spam. The botnet spam attack uses thousands of zombie devices in the network to send a huge number of emails in a short amount of time. This can have multiple uses and perform different tasks – from overloading people’s inboxes to spreading malware and phishing attacks.

One of the first instances of botnet attacks that came into the public eye was the one conducted by Khan C. Smith in 2000. Using the spam botnet he built, Smith managed to send 1.25 million phishing emails.

The purpose of these emails was to attempt to snatch credit card information and other sensitive data. And he was successful, managing to snag upwards of $3 million. Until he was caught by law enforcement and sued for $25 million, that is.

Cutwail was another notorious botnet that specialized in email spam. In 2009, the Cutwail botnet was sending 51 million emails per minute, making up a whopping 46.5% of the global spam volume at the time. Besides email spam, Cutwail employed DDoS attacks. While the botnet’s activity has scaled down massively over the years, it’s still believed to be active.

DDoS Attack

Due to how botnets work (providing bot herders with an army of forced conscripts), cybercriminals behind them use the network to launch attacks that can utilize that numbers advantage. One of the attack types that stands to gain the most from this is DDoS attacks.

If you’re unfamiliar with the term, DDoS stands for Distributed Denial of Service. These attacks seek to overwhelm a server, network, or service with traffic by sending a vast number of access requests to it, leading to the target going offline and becoming unavailable for other users.

Naturally, with the power of thousands of zombie devices behind them, DDoS attacks are an ideal venue of assault for botnet owners.  A DDoS attack using a botnet tells all the machines in the network to target a particular service or site with requests, aiming to bring it down or slow it down to a crawl.

DDoS botnet attacks can also be used to blackmail and intimidate companies into submission, extorting a ransom.

One particularly nasty botnet that utilized DDoS attacks was Mirai. The botnet in question used DDoS attacks in 2016, leaving the East Coast of the US unable to access most of the internet for a time.

What made this attack special, besides its damaging consequences, was that there were many IoT devices among the 600,000 infected machines on the botnet. This was the first example of IoT devices being targeted, as cybercriminals have previously primarily focused on infecting computers.

An interesting bit of trivia about Mirai is that its original purpose wasn’t as nefarious as you’d imagine. Its creators weren’t faceless cybercriminals looking to extort money or target government websites – they were kids looking to DDoS Minecraft servers to gain an edge in the game.


After Mirai, IoT devices such as various sensors, voice-control hardware, and home security systems became prime targets for botnets. If owners of IoT devices were wondering what botnets are, they found out quickly enough. One of the popular types of attack that targeted IoT devices was bricking – wiping a device’s firmware, making it permanently unusable.

Cryptocurrency Mining

The majority of the popular cryptocurrencies today are created through a process called mining. Crypto mining uses a  computer’s CPU or GPU in order to solve complex mathematical puzzles. Malicious actors intent on getting a hold of cryptocurrencies work to infect computers and add them to a crypto mining botnet.

Through these crypto botnets, bot herders can both avoid using their own resources for mining and earn money by having access to thousands of involuntary mining rigs.

Crypto botnets have become increasingly popular in the last few years due to the unprecedented growth of the crypto sector. Additionally, thanks to the anonymity of crypto transactions, the owner of the crypto botnet can easily evade identification and prosecution.

Sysrv, a botnet first detected in December 2020, is one of the biggest crypto botnets around. Sysrv is a terrifyingly advanced botnet that primarily targets enterprise-level applications.

It can attack both Linux and Windows systems, create additional hacker bots and even hunt down and delete other crypto-mining malware. On top of that, it can scan the system in search of private keys that allow it to spread throughout the whole network. As of 2021, Sysrv is still very active.

Information and Identity Theft

Botnet owners also took part in more traditional forms of cybercrime. Bot herders would often use botnets to penetrate enterprise systems in order to steal data from the targeted company and its user base. The botnet would try to scrape personal and financial data, which would then be used or sold off for monetary gain.

Using ID theft protection is recommended to improve your anti-botnet defenses.

How to Remove a Botnet and Protect Yourself From Botnet Attacks

While botnets sound scary and they can certainly cause damage if left unchecked, computer users and companies are not defenseless. Here are the main ways in which you can protect yourself from botnet attacks.

  • Install top-class antivirus software and keep it updated.
  • Double-check before opening any suspicious-looking emails.
  • Do not download email attachments unless you’re absolutely sure what they are and the sender is legit.
  • Do not click on suspicious links.
  • Use strong passwords on your smart devices.
  • Keep your device firmware updated.

By following these tips for security, botnet malware should rarely reach you. However, cyber attackers often devise new avenues of attack, and even users that are vigilant about their cybersecurity can fall prey to botnets.

Due to their specific way of operation, owners of the infected devices are often entirely oblivious that they’re part of a botnet, making detection incredibly hard.

Leave a Comment

Scroll to Top