A botnet (a blend word from “robot” and “network”) is a network of malware-infected devices remotely controlled by cybercriminals. The user of an infected device is usually unaware of its malicious activity. However, some people connect their devices to certain botnets on purpose: that’s often true for hacktivist botnets, which usually emerge for the duration of a hacktivist campaign and then break up.
Botnets are also sometimes known as zombie armies or zombie networks. Infected devices are known as bots or zombies, and the attacker controlling a botnet is the botmaster.
Botnets can consist of any digital devices connected to the internet. Most commonly, botnets include:
- Desktop computers
- Cell phones
- IoT devices
There are two basic models for botnet organization: client-server and peer-to-peer.
In the client-server model, each device in the botnet is controlled by one or more command and control servers. If you disable these servers, the whole botnet stops working.
In the peer-to-peer (P2P) model, each device functions as both a bot and a server. All zombie network components exchange information with other network components and coordinate each other’s operation. If one or more devices fail, the botnet continues to operate as a whole.
Creation and use of botnets
To make a device part of a botnet and control it remotely, attackers infect it with malware. For that they could, for example, send e-mails with a malware attachment or a link to the malware, or exploit vulnerabilities in the device’s software. Botnet malware often automatically scans network-accessible devices for vulnerabilities and/or sends spam to them for further distribution.
Attackers typically use botnets for the following purposes:
- Conducting DDoS attacks
- Mass spamming
- Click fraud or ad impressions
- Theft of funds or sensitive data
- Distribution of illegal (often malicious) software
Cybercriminals may sell botnets or rent them out to other attackers based on the malware-as-a-service model.
The most well-known and dangerous botnets include ZeuS, Emotet, Trickbot, Mirai, and Necurs. An example of a hacktivist botnet is Low Orbit Ion Cannon, which Anonymous has used to attack Scientologists.