Threat Intelligence

    What Is a Botnet? 

    Botnets are networks of innocent devices that have been hijacked by cyberattackers to use in scaling up their exploits. Learn how to keep them at bay.

    by Mercedes Cardona

    Key Points

    • Botnets allow attackers to take over the devices of unsuspecting users to carry out cybercrimes. 
    • Botnets run in the background to stay unnoticed, but some performance issues can tip off users. 
    • Awareness training, virus protection, and software updates all help to prevent botnets.
    • The latest security tools also enable detection using behavioral analytics.

    Bots are everywhere these days; they handle a lot of the grunt work of the digital world. For instance, many companies use chatbots to handle simple customer service requests. 

    But bots have a malicious side as well: botnets. These are networks of computers infected with malware that allows fraudsters to use them for their dirty work. And botnet attacks are on the rise. In the U.S. ecommerce sector alone, 40% of retailers said they saw more bot attacks in 2021, as more shoppers switched to online and mobile transactions.[1]

    Mimecast can help companies minimize this risk by securing email, one of attackers’ primary vehicles for planting botnet malware in companies’ devices and networks.

    What Is a Botnet Attack? 

    In a botnet attack, a “bot herder” infects a number of machines with malware that takes control of the devices. Users are unaware that their machines have been hijacked. That’s because the botnet malware is often delivered via a phishing email or a software vulnerability that opens a back door, and then it runs in the background, where it won’t be noticed. The attackers send commands to the infected machines to do their bidding, creating a network of zombie machines that can crash a website, harvest cryptocurrency, or serve endless amounts of spam.

    Botnets can include all kinds of networked devices, from computers and servers to mobile devices and even networked appliances. One early botnet attack infected WiFi-enabled refrigerators.[2]

    How Do Botnets Work?

    Botnet attacks follow a common cycle: Malicious actors will spot a vulnerability, use it to infect devices with malware that lets them take control, and once enough machines have been infected, send commands to launch attacks. 

    Botnet architectures fall into one of two models: command-and-control (C&C) or peer-to-peer (P2P) architecture. In the C&C architecture, the bot herder sends messages from a central server to the infected machines to trigger their attacks. As defenders (including law enforcement) have increasingly worked to backtrack those messages to the servers and find cybercriminals, fraudsters have pivoted to using the P2P architecture more frequently. P2P botnets rely on infected devices scanning for other infected devices and websites and then sharing their commands to trigger new attacks, so there is no central command point for defenders to find. 
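    A defender-side illustration of the C&C model described above, added here and not taken from the article: a bot polling a central server tends to connect at regular intervals, so a jitter check over outbound connection records can surface candidate check-ins for a closer look. The host names, addresses and log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records: "timestamp source destination".
# host-a contacts one address roughly every 60 s, like a bot polling its C&C
# server; host-b reaches one site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 host-a 203.0.113.10:443
2024-05-01T10:00:05 host-b 198.51.100.7:443
2024-05-01T10:01:01 host-a 203.0.113.10:443
2024-05-01T10:02:00 host-a 203.0.113.10:443
2024-05-01T10:02:58 host-a 203.0.113.10:443
2024-05-01T10:03:12 host-b 198.51.100.7:443
2024-05-01T10:03:40 host-b 198.51.100.7:443
2024-05-01T10:04:01 host-a 203.0.113.10:443
2024-05-01T10:04:59 host-a 203.0.113.10:443
2024-05-01T10:06:00 host-a 203.0.113.10:443
2024-05-01T10:09:30 host-b 198.51.100.7:443
"""

def parse_log(text):
    """Turn each 'timestamp src dst' line into a (datetime, src, dst) tuple."""
    events = []
    for line in text.splitlines():
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events

def find_beacons(events, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): (mean_gap_seconds, jitter)} for pairs whose connection
    gaps are regular enough to look like check-ins; jitter = pstdev(gaps)/mean."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))
```

Regular traffic such as software update checks also beacons, so a hit is a lead for triage rather than proof of infection.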

    Types of Botnet Attacks

    Like most varieties of cybercrime, the use of botnets is only limited by the imagination of the fraudsters. The Internet of Things (IoT) has been a boon for attackers, who are finding new zombie converts among the millions of IoT devices coming online with minimal security, if any at all. 

    Botnets can facilitate all kinds of cybercriminal activity: 

    • Brute-force attacks: Guessing passwords is a crude way to break into a network, but with a botnet of machines trying several possibilities at a time, a scammer can keep trying repeatedly and get around defenses that lock an account after a number of failed tries.
    • Denial of Service (DoS): This technique is used by hacktivists and state-sponsored actors to shut down the websites of their opponents. It may also be used in ransomware attacks to extort organizations in exchange for letting internet traffic flow again. Botnets serve as a tool for distributed denial of service (DDoS) attacks where the attackers overwhelm the target with traffic from many sources, making it more difficult to stop them. 
    • Cryptomining: Using a computer to run the calculations to mine for cryptocurrency is not criminal per se, but it consumes lots of electrical and computing power. Some fraudsters will engage in “cryptojacking” and commandeer others’ devices to do their mining — at scale — avoiding the costs of legitimate mining.
    • Pay-per-click fraud: Online advertising depends on eyeballs, and advertisers will pay websites based on how many visitors clicked on their ads. Scammers will sometimes set up botnets to pose as legitimate web traffic and click on ads to drain the ad budget of a competitor or to channel advertising payments to a fraudulent website.
    • Spambots: Spam is not a cybercrime, but turning the devices of unsuspecting users into spam servers is a violation of several federal and state laws. Unscrupulous operators will create botnets that use legitimate users’ addresses to send reams of spam and get around junk filters. 
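    To show why the per-address lockout mentioned in the brute-force bullet above misses a distributed attack, here is an added detection example (constructed log lines, not from the article): a counter of failures per source address never fires, while counting failures per account across distinct sources inside a time window does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, "timestamp RESULT user=... src=...": 'alice'
# gets two failures from each of four addresses in 20 s, under a five-failure lockout.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=192.0.2.11
2024-05-01T09:00:03 FAIL user=alice src=192.0.2.11
2024-05-01T09:00:04 FAIL user=bob src=198.51.100.5
2024-05-01T09:00:06 FAIL user=alice src=192.0.2.23
2024-05-01T09:00:08 FAIL user=alice src=192.0.2.23
2024-05-01T09:00:10 OK user=bob src=198.51.100.5
2024-05-01T09:00:12 FAIL user=alice src=192.0.2.37
2024-05-01T09:00:14 FAIL user=alice src=192.0.2.37
2024-05-01T09:00:20 FAIL user=alice src=192.0.2.41
2024-05-01T09:00:22 FAIL user=alice src=192.0.2.41
"""

def parse_auth_log(text):
    # Each line becomes (datetime, result, user, src).
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user.split("=")[1], src.split("=")[1]))
    return events

def per_source_lockouts(events, threshold=5):
    """Sources a per-address lockout rule would block (none in the sample)."""
    fails = defaultdict(int)
    for _, result, _, src in events:
        if result == "FAIL":
            fails[src] += 1
    return {src for src, n in fails.items() if n >= threshold}

def distributed_bruteforce(events, window=timedelta(minutes=5), min_failures=6, min_sources=4):
    """{user: (failures, distinct_sources)} for accounts that see many failures
    from many sources inside one window, regardless of the per-source count."""
    by_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_user[user].append((ts, src))
    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each start
            srcs = [s for t, s in fails[i:] if t - start <= window]
            if len(srcs) >= min_failures and len(set(srcs)) >= min_sources:
                flagged[user] = (len(srcs), len(set(srcs)))
                break
    return flagged
```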

    Botnet Attack Examples

    EarthLink Spammer is considered by many experts to be the first big botnet attack, spotted by defenders in 2000. Its spambot generated billions of spam messages before the internet service provider EarthLink sued to stop the attack.[3]

    Botnets have evolved in sophistication and range in the two decades since: 

    • An energy company responsible for managing Ukraine’s nuclear power plants was reportedly targeted by Russian hackers in a DDoS attack using a botnet with 7.25 million devices.[4] Ukrainian security services recently brought down a bot farm that used more than 1 million bots to spread misinformation about the country’s war with Russia.[5]
    • Meris, a botnet that’s believed to include over 30,000 infected devices, has been named as the conduit for a number of massive DDoS attacks since it first surfaced in 2021.[6] Google engineers estimated that in one DDoS attack against a company’s cloud servers, Meris (“plague” in Latvian) generated traffic equal to a day’s Wikipedia activity in only 10 seconds, trying to overwhelm the network.[7]
    • RapperBot, a botnet first noticed in 2022, has been launching brute force attacks to break into servers running on the open-source Linux operating system. Experts fear the botnet is being “rented out” for use by other cybercriminals — a “botnet as a service” practice that is gaining on the Dark Web.[8]

    How to Tell if Your Device Is Part of a Botnet

    Botnets thrive in obscurity, and as long as the user remains unaware, they will continue to operate in the background. But a few telltale signs can help spot a botnet infection: 

    • Programs load slowly.
    • Computers crash more frequently.
    • Internet access is slow or cuts out.
    • Pop-up ads appear constantly, even without an open browser.
    • Devices run out of memory.

    How to Protect Against Botnets

    Shutting down botnets has become more complicated now that they are increasingly set up in P2P networks. Defenders can trace a C&C botnet back to the server and get the service provider to cut it off, but there is no such recourse for P2P botnets. 

    Prevention remains the best defense, and a few best practices can help: 

    • Regular awareness training: Password hygiene and careful email handling are the first line of defense against the phishing and malware that help botnets get a foothold. Train all users to avoid clicking on suspicious links or attachments and to protect their login credentials. Keep them updated on all new threats. 
    • Strengthen identity authentication: Stolen login credentials are a common way for fraudsters to break in and infect a network. They only need to crack one machine in the network to then move across others. Making logins more secure with multifactor authentication and stronger identity verification reduces this risk. 
    • Install antivirus protection on all devices: Even the most insignificant networked devices — webcams, routers, smart appliances — can be infected by a botnet, so they should be protected against botnet malware as carefully as laptops or workstations. 
    • Update software regularly and install all patches: Software updates often include protection against vulnerabilities that have been found since the last software release. Putting off these upgrades leaves a network open to attack. 
    • Use automated security features to avoid infection: Several security tools address the challenge posed by botnets. For example, vendors have added machine learning and artificial intelligence, applying behavioral analytics to ensure that a user is not a bot. Email filters can quarantine suspect email attachments that could carry the malware to turn devices into botnet zombies.

    The Bottom Line 

    Botnets pose a growing threat to digital environments by enabling cybercrime and harming the performance of the devices they hijack. Protecting against phishing attacks and malware is a best practice to avoid botnets. Find out more about Mimecast’s protections. 



    [1] “True Cost of Fraud Study 2022,” LexisNexis Risk Solutions

    [2] “Fridge caught sending spam emails in botnet attack,” CNET

    [3] “EarthLink wins $25 million lawsuit against junk e-mailer,” Atlanta Business Chronicle

    [4] “Ukrainian Nuclear Agency Hit With ‘Unprecedented’ Cyberattack,” The National Interest

    [5] “Ukraine claims to have taken down a massive Russian bot farm,” The CyberWire

    [6] “Russian Internet Giant Yandex Wards off the Largest Botnet DDoS Attack in History,” CPO Magazine

    [7] “Google Fends Off Record-Breaking DDoS Attack,” PC Magazine 

    [8] “A fearsome new botnet is rapidly gaining momentum,” TechRadar 
