What are botnets?

Continuous monitoring by cybersecurity firms like RiskXchange highlights vulnerabilities that hackers could exploit, helping to prevent a botnet attack.

What are botnets?

In short, a botnet is a group of internet-connected devices, including IoT devices, that have been infected with malware and are used by cybercriminals to carry out cyberattacks. They tend to be under the control of one attacking party, the “bot-herder.” Each machine under the control of the bot-herder is known as a bot. From a central point, the attacker can command every single computer on the botnet to carry out a coordinated attack.

A botnet (basically, millions of compromised bots) allows a cybercriminal to perform large-scale actions that are almost impossible with a single piece of malware. Because botnets are controlled remotely, infected machines can be repurposed unpredictably and receive updates at a moment’s notice. Bot-herders can also rent access to segments of their botnet to other criminals for significant financial gain.

What are botnets used for? 

Botnets work in a variety of ways, but the most common attacks include: 

Email scams

Spam botnets are primarily used to send spam messages, often carrying malware, in large volumes from each bot. For example, the Cutwail botnet, first seen in 2007, is mostly involved in sending spam email. It affects computers running Microsoft Windows, and the bot is typically installed on infected machines by a Trojan component called Pushdo.

Phishing campaigns imitate trusted organisations and people with the aim of tricking recipients into giving up private information. This tends to appear in the guise of spam campaigns meant to steal user account information, logins, or email credentials. Learn how to spot phishing attempts.

Distributed Denial-of-Service (DDoS) attacks

DDoS attacks use the botnet to overload a target server or network with requests, rendering it inaccessible to its intended users. DDoS attacks target organisations for political or personal motives, or to extort money in exchange for stopping the attack.

Financial theft

Botnets can be designed for the direct theft of funds from enterprises or to harvest credit card information. The ZeuS botnet was responsible for the theft of millions of dollars directly from multiple enterprises. The original code has been retired, but new generations of ZeuS trojans are still active today.

Brute force attacks

These attacks use automated programs to break into online accounts by trial and error. Credential stuffing (replaying username and password pairs leaked from other breaches) and dictionary attacks (cycling through common passwords) exploit weak or reused passwords to gain access to accounts and data.
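The brute-force and credential-stuffing patterns described above leave a distinctive trail in authentication logs: many failed logins from one source in a short window, either against a single account (brute force) or spread across many accounts (credential stuffing). The following detector is an added example, not RiskXchange’s code. It runs over constructed OpenSSH-style log lines; the five-minute window, the five-failure threshold and the three-account cut-off are illustrative assumptions to tune for your environment.

```python
"""Flag brute-force and credential-stuffing activity in authentication logs.

Added example (not RiskXchange's code). It parses constructed sshd-style
syslog lines, counts failed logins per source address inside a sliding time
window, and labels a burst as "brute force" when one account is hammered or
"credential stuffing" when many distinct accounts are tried from one source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog format as written by OpenSSH; addresses are
# documentation ranges). The year is absent in this format, which is fine
# because the detector only compares intervals between events.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[4321]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 02:14:03 host sshd[4322]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 02:14:05 host sshd[4323]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:14:08 host sshd[4324]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 10 02:14:10 host sshd[4325]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 02:14:12 host sshd[4326]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 02:20:00 host sshd[4330]: Failed password for invalid user alice from 198.51.100.23 port 41000 ssh2
Mar 10 02:20:20 host sshd[4331]: Failed password for bob from 198.51.100.23 port 41001 ssh2
Mar 10 02:20:41 host sshd[4332]: Failed password for invalid user carol from 198.51.100.23 port 41002 ssh2
Mar 10 02:21:02 host sshd[4333]: Failed password for dave from 198.51.100.23 port 41003 ssh2
Mar 10 02:21:30 host sshd[4334]: Failed password for invalid user eve from 198.51.100.23 port 41004 ssh2
Mar 10 03:05:10 host sshd[4400]: Failed password for jsmith from 192.0.2.44 port 33000 ssh2
Mar 10 03:45:10 host sshd[4401]: Failed password for jsmith from 192.0.2.44 port 33001 ssh2
Mar 10 03:45:15 host sshd[4402]: Accepted password for jsmith from 192.0.2.44 port 33001 ssh2
"""

# Matches only failed password attempts; "invalid user" appears when the
# account does not exist, which is common during credential stuffing.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect(log_text, window=timedelta(minutes=5), threshold=5, stuffing_min_users=3):
    """Map each suspicious source IP to a verdict.

    A source is flagged when at least `threshold` failures fall inside any
    `window`-long span. The first qualifying burst decides the verdict:
    `stuffing_min_users` or more distinct accounts means credential stuffing,
    otherwise a classic brute force against one or two accounts.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) >= threshold:
                users = {user for _, user in burst}
                verdicts[ip] = (
                    "credential stuffing" if len(users) >= stuffing_min_users else "brute force"
                )
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Against the constructed sample the detector flags 203.0.113.7 as brute force (six failures for root in eleven seconds) and 198.51.100.23 as credential stuffing (five different accounts in ninety seconds), while 192.0.2.44, whose user mistyped a password twice forty minutes apart, is left alone. The same counting logic applies to web-application login logs once the regular expression is swapped for the relevant format.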

Information theft

Smaller botnets can carry out targeted intrusions designed to compromise high-value systems within an organisation, from which attackers can penetrate further into the network. These intrusions can be extremely dangerous because attackers specifically target the organisation’s most valuable assets, including financial data, intellectual property, research and development, and customer information.

How do botnets work? 

Botnets are designed to scale up, automate, and speed up a cyberattacker’s ability to carry out large-scale attacks. Hackers can only perform a limited number of actions from their own devices. But with very little cost or time invested, they can acquire many more machines and run far larger operations.

A bot-herder can then direct a group of hijacked devices with remote commands. Once they’ve secured the bots, the herder uses command programming to drive the bots’ next actions. “Bot” refers to each malware-infected user device that has been taken over for use in the botnet. These devices operate under commands designed by the bot-herder.

So, what are botnets all about? Let’s take a closer look at the three basic stages of building a botnet: 

  • Prep and expose – the attacker exploits a vulnerability to expose users to malware.
  • Infect – user devices are infected with malware so that the device can be controlled.
  • Activate – cyberattackers mobilise infected devices to carry out attacks.

Botnets are a top cybersecurity concern 

Botnets are created once the bot-herder sends the bot (an internet-connected program) from their command-and-control servers to an unsuspecting recipient using email, file sharing, social media application protocols or other bots as an intermediary. Once the recipient opens the malicious file, the bot reports back to the control server and the bot-herder can issue commands to the infected computers. The ferocity of these attacks has become a big concern.

Why do you need to know what botnets are and how they are used? There are a number of traits that make both botnets and bots well suited to long-term intrusions. Bots can be updated by the bot-herder to change their entire functionality. They can also use other infected computers on the botnet as communication channels, giving the bot-herder a practically unlimited number of pathways to infiltrate. This shows that infection is the most important step, whereas communication methods and functionality can always be changed later down the line.

Botnets are one of the top cybersecurity concerns for governments, businesses, and individuals. Botnets are centrally coordinated applications that leverage networks to gain power and resilience. Computers fall under the control of a remote bot-herder, and a botnet is like having a malicious hacker inside your network: very hard to pinpoint and even more difficult to stop.

What are botnets taking control over? 

Any device with an internet connection is a candidate for botnet recruitment. Most of the devices we use today have some form of computer built into them, even those you wouldn’t expect. Nearly any computer-based internet device is vulnerable, so it’s important to protect yourself against botnets. With that in mind, let’s take a look at some common devices that have been part of a botnet attack:

Traditional computers – laptops and desktops that run on macOS or Windows OS are popular targets for botnet construction. 

Mobile devices – tablets and smartphones have notably been botnet attack examples in the past.  

Internet infrastructure hardware – hardware used to enable and support internet connections can also be co-opted into botnets. Web servers and network routers are known to be targets. 

Internet of Things (IoT) devices – any connected devices that share data with each other over the internet are at risk. Alongside mobile devices and computers, this includes smart home devices, in-vehicle infotainment (IVI) systems and wearable devices.

All the above-mentioned devices can easily be corrupted to create massive botnets.  

How do hackers control a botnet? 

Issuing commands while staying anonymous is key to controlling a botnet. Therefore, botnets are operated through remote programming. The command-and-control (C&C) server is the source of all botnet leadership and instruction. It is the bot-herder’s main server, and each bot receives its commands from it.

A botnet receives its commands either directly, through a centralised client-server model, or indirectly, through a decentralised peer-to-peer (P2P) model. Centralised models are driven by a single bot-herder server, while decentralised models spread the instruction responsibilities across all the bots, or zombie computers.
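The two control models above look different on the wire, and a defender can use that. Bots in a centralised model check in with the C&C server on a schedule (beaconing), so the gaps between connections from one internal host to one external address are unusually regular; bots in a P2P model instead talk to many distinct external peers, often on a single unusual port. The detector below is an added example, not RiskXchange’s code. It runs over constructed firewall-style connection records; the field layout, the regularity tolerance, the minimum counts and the excluded web ports are all assumptions to adjust for a real log source.

```python
"""Spot the network footprint of centralised and P2P botnet control.

Added example (not RiskXchange's code). Two heuristics over constructed
outbound connection records:
  1. beaconing: near-constant intervals between connections from one
     internal host to one external host/port (centralised C&C check-ins);
  2. peer fan-out: one host contacting many distinct external peers on the
     same non-web port (typical of P2P botnets).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (documentation address ranges, arbitrary port).
SAMPLE_CONNECTIONS = """\
timestamp,src,dst,dst_port
2024-05-01T09:00:00,10.0.0.12,203.0.113.50,443
2024-05-01T09:05:00,10.0.0.12,203.0.113.50,443
2024-05-01T09:10:01,10.0.0.12,203.0.113.50,443
2024-05-01T09:14:59,10.0.0.12,203.0.113.50,443
2024-05-01T09:20:00,10.0.0.12,203.0.113.50,443
2024-05-01T09:25:00,10.0.0.12,203.0.113.50,443
2024-05-01T09:01:10,10.0.0.7,198.51.100.9,443
2024-05-01T09:02:40,10.0.0.7,198.51.100.9,443
2024-05-01T09:31:05,10.0.0.7,198.51.100.9,443
2024-05-01T09:33:00,10.0.0.7,198.51.100.9,443
2024-05-01T10:12:00,10.0.0.7,198.51.100.9,443
2024-05-01T10:12:30,10.0.0.7,198.51.100.9,443
2024-05-01T09:40:00,10.0.0.33,192.0.2.11,21000
2024-05-01T09:40:02,10.0.0.33,192.0.2.12,21000
2024-05-01T09:40:05,10.0.0.33,192.0.2.13,21000
2024-05-01T09:41:10,10.0.0.33,192.0.2.14,21000
2024-05-01T09:42:00,10.0.0.33,192.0.2.15,21000
2024-05-01T09:43:30,10.0.0.33,192.0.2.16,21000
2024-05-01T09:44:00,10.0.0.33,192.0.2.17,21000
2024-05-01T09:45:15,10.0.0.33,192.0.2.18,21000
2024-05-01T09:50:00,10.0.0.5,198.51.100.20,443
2024-05-01T09:50:03,10.0.0.5,198.51.100.21,443
2024-05-01T09:50:09,10.0.0.5,198.51.100.22,443
"""


def parse_connections(text):
    """Return a list of (timestamp, src, dst, dst_port) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        ts, src, dst, port = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def detect_beaconing(rows, min_connections=5, max_cv=0.1):
    """Map (src, dst, port) to the average check-in interval in seconds.

    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation (stdev / mean) of the gaps between them is
    at most `max_cv`. Ordinary browsing produces erratic gaps; scheduled
    check-ins produce a CV close to zero. The tolerance is left loose
    because real intervals are rarely perfectly constant.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in rows:
        by_pair[(src, dst, port)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = round(avg)
    return flagged


def detect_peer_fanout(rows, min_peers=5, ignore_ports=(80, 443)):
    """Map (src, port) to the number of distinct external peers contacted.

    Web ports are ignored because a browser legitimately talks to many
    hosts on 80/443; many peers on one other port is the pattern of interest.
    """
    peers = defaultdict(set)
    for _, src, dst, port in rows:
        if port in ignore_ports:
            continue
        peers[(src, port)].add(dst)
    return {key: len(hosts) for key, hosts in peers.items() if len(hosts) >= min_peers}


if __name__ == "__main__":
    records = parse_connections(SAMPLE_CONNECTIONS)
    print("beaconing:", detect_beaconing(records))
    print("peer fan-out:", detect_peer_fanout(records))
```

On the constructed sample, 10.0.0.12 is flagged for beaconing (six connections to 203.0.113.50 almost exactly 300 seconds apart), 10.0.0.7 is not (its gaps to 198.51.100.9 range from 30 seconds to 39 minutes), and 10.0.0.33 is flagged for fan-out (eight distinct peers on port 21000), while 10.0.0.5 browsing three sites on 443 is ignored. Neither heuristic proves infection on its own; they are triage signals that point an analyst at hosts worth examining.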

Ways to protect yourself from botnets 

In today’s digital age, it’s imperative that you protect both yourself and your organisation against botnet malware. Small changes to your computer habits or even basic software protections can help a great deal. Let’s take a closer look at the top five tips for protecting yourself against botnets:  

Improve all user passwords

Change the default passwords on your smart devices and make them more complex. Using complex, unique passwords helps keep your devices safer and makes them more difficult to hijack.

Avoid buying devices with weak security

Beware of cheap smart home gadgets that tend to prioritise convenience over security. Conduct some basic due diligence online before purchasing a product to make sure that what you’re buying will keep you safe and secure.  

Update admin settings and passwords

Updating passwords and admin settings on all your devices will give you peace of mind over your security. Triple check all privacy and security options on any device that connects to another or to the internet.  

Never click links or open email attachments

Exercise extra care when clicking links in emails, opening attachments, or downloading software. This is particularly important when the email comes from an unfamiliar person or company.

Install effective anti-virus software

As with many cyber threats, you can help protect yourself from a cyberattack by employing a robust antivirus solution. Better still, good antivirus software receives regular updates to keep pace with the evolving methods used by cybercriminals.

RiskXchange and a botnet attack 

RiskXchange can help guide any organisation’s internal security team to ensure that the cybersecurity posture of your business, and that of all your vendors, is continuously monitored and healthy. Continuous monitoring highlights vulnerabilities that hackers could exploit, such as misconfigured software, insecure ports, unpatched systems, and botnet malware.

With full visibility over your ecosystem’s entire attack surface in near real time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. And by using cybersecurity ratings as part of a third-party risk management programme, security teams can move beyond point-in-time snapshots and automatically and continuously assess their entire cybersecurity posture.

Get in touch with RiskXchange to find out more about botnets and how to stop them.