A quick guide to botnets - what they are, how they work and the harm they can cause

A botnet is a collection of devices that have been infected with a bot program which allows an attacker to control them.

Botnets can range in size from only a few hundred to millions of infected devices. Attackers typically use the collective resources of the botnet to perform various disruptive or criminal activities, such as sending vast amounts of spam emails, distributing malware and launching Denial-of-Service attacks.

How a botnet is created

A device can only be involuntarily roped into a botnet if an attacker can gain access to it - first, to plant the bot and subsequently to issue commands to it. Practically, this means a device that is connected to the Internet.

Desktop computers have traditionally been the most common type of device targeted for hijacking into botnets. In recent years however, as other types of devices have become Internet-connected, we've seen botnets created from devices such as:

  • IP cameras (Persirai botnet)
  • Routers (Mirai botnet)
  • Linux servers (Ebury botnet)
  • Android mobile devices (WireX botnet)

Attackers can plant bot programs on a device in many ways. One common method is to use an exploit kit hosted on a website to probe every site visitor's device for an exploitable flaw; if one is found, the kit silently downloads and installs the bot.

Other popular ways include distributing the bot as a file attached to spam emails, or as part of the payload of another harmful program.

Devices that have been infected by a bot are sometimes themselves called bots, or more rarely, zombies.

Commanding the bots

Once the bot program is installed, it will usually try to contact a remote website or server where it can retrieve instructions. This site or server is known as the command-and-control or C&C server.

The attacker controlling the botnet via its C&C server can be referred to as its botherder, botmaster, operator or controller. This can be either the person responsible for establishing and maintaining the botnet itself, or simply another party that is renting control of the botnet for a time.

The botnet's operator uses a client program to send instructions to the infected devices. Commands can be issued to a single machine, or to all the devices in the botnet. Depending on how sophisticated the bot program is, the device can be used to:

  • Send out emails or files
  • Collect and forward data
  • Monitor the user's actions
  • Probe other connected devices
  • Download and run other programs

What attackers can do

Botnets can impact users both directly and indirectly. The most direct impact is that an infected machine is no longer under the legitimate user's control. Most people today store highly sensitive content (such as financial or legal details) on their personal devices; such information becomes vulnerable once the device is infected.

If the device belongs to a company or government organization, losing control of it can put critical business functions or social services at risk.

More indirectly, botnets can be used by their controllers to carry out other harmful actions, such as:

  • Launching Distributed Denial of Service (DDoS) attacks on rival websites or services
  • Distributing spam emails or malware
  • Mining digital currencies

Unless they have appropriate defensive measures in place, the targets of the DDoS attacks or spam recipients may suffer significant disruptions in their normal business operations.

Botnet operators can also run them as a commercial operation, offering the collective resources of 'their' botnet to other parties as a service. This allows other criminals to carry out nefarious activities with minimal fuss.

Size matters

A botnet's potential for causing mayhem increases with size, as having more machines in the botnet gives the attackers more resources for their activities.

Botnets used to be fairly small-scale, with only a few hundred infected machines. In the last 10 years however, it has become common to see hundreds of thousands of devices under the control of a single botnet, and million-plus sized botnets are not uncommon.

The growth in botnet size has often been attributed to the explosion in Internet users in the last 15 years, as more and more developing countries become increasingly open to the Internet.

The 2009 Conficker botnet

The botnet created by the Conficker worm (also known as Downadup) included not only personal home computers but also major corporate servers and military resources in the United States, the United Kingdom and France. The affected organizations were forced to take significant remedial actions because of security concerns.

Conficker's aggressive spread also had a disproportionately large effect on the Internet infrastructure of entire developing countries, in many cases severely disrupting businesses and home users in the affected nations.

At its height, Conficker was thought to have infected between 9 and 15 million machines worldwide, though only an estimated 4 million of those were under direct control of the botnet's operators. This made Conficker the largest known botnet in the world up until then.

Botnet takedowns

Given the wide-ranging harm they can cause, it's not surprising that law enforcement authorities and government-directed Computer Emergency Response Teams (CERTs) in many countries actively work to shut down botnets, as well as hunting down and prosecuting their operators.

On an international level, perhaps the most effective way to neuter a botnet is to find and take down the C&C server. Doing so denies the botnet operators direct control of the enslaved machines. Some of the most notable takedowns in recent years include:

Global takedowns however are major operations that require significant international cooperation. More immediately, users and administrators can quarantine any infected devices so that they are out of direct communication with the botnet operator, then disinfect them.

Once the devices have been cleaned, it is recommended that users and administrators also evaluate and harden their defenses, to prevent any chance of reinfection that might rope the devices back into the clutches of the botnet.