What is a botnet?

A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.


Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.


The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group.


The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective for creating a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.


How botnets work


On its own, that fraction of bandwidth taken from an individual device won't offer much to the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding detection by the individuals using the devices.


Botnet architecture


Botnet infections are usually spread through malware, such as a Trojan horse. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that haven't been patched, in hopes of infecting as many devices as possible. Botnet malware may also scan for ineffective or outdated security products, such as firewalls or antivirus software.


Once the desired number of devices is infected, attackers can control the bots using two different approaches. The traditional client/server approach involves setting up a command-and-control (C&C) server and sending automated commands to infected botnet clients through a communications protocol, such as internet relay chat (IRC). The bots are often programmed to remain dormant and await commands from the C&C server before initiating any malicious activities.



The other approach to controlling infected bots involves a peer-to-peer network. Instead of using C&C servers, a peer-to-peer botnet relies on a decentralized approach. Infected devices may be programmed to scan for malicious websites, or even for other devices in the same botnet. The bots can then share updated commands or the latest versions of the botnet malware.

The peer-to-peer approach is more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity vendors and law enforcement agencies, which have often used C&C communications as a way to monitor for, locate and disrupt botnet operations.