What Is a Botnet? Definition, How They Work & Defence

A botnet is a network of computers or devices under the control of a hacker, infected with malware, and used to carry out malicious actions.

The term botnet comes from the words “robot” and “network.” A bot is an automated computer program that can be used to infect devices with malware, spread inflammatory content while posing as a human user, and steal data. Bad bots are programmed by hackers.

A botnet uses multiple internet-connected devices to infiltrate other devices and carry out scams and cyberattacks on a large scale. There are several different types of botnet attacks, and these are continuously evolving.

Botnets can control a variety of internet-connected devices. Upping cybersecurity at the user level can help to prevent botnet attacks.

What is a botnet?

A botnet is a collection of computers, internet of things (IoT) devices, smartphones, and any internet-connected devices that are infected by malware and under the control of a single party called a “bot-herder.” The bot-herder can use the botnet for malicious purposes, carrying out cyberattacks on a larger scale than a single bot is capable of doing.

Bots are not necessarily bad; they are automated computer programs that act like human users and can effectively speed up searches, aid with customer service, and direct traffic where it needs to go. Bad bots, on the other hand, contain malware, are controlled by hackers, and can be programmed to carry out cyberattacks and more.

A botnet is generally a negative thing, using multiple bad bots to infect other devices and commit large-scale attacks. The bot-herder can send one command to all of the bots under their control at once, and they can then carry out a coordinated and simultaneous attack. Cybercriminals often rent out their botnets on the black market for large profits.

How Does a Botnet Work?

Botnets are designed to increase the range, reach, and speed with which hackers can carry out cyberattacks. They can also grow and evolve as the bot-herder manipulates and updates them. The infected devices are also called zombie computers, because they carry out the bot-herder’s commands without the user’s knowledge.

A botnet is typically built in three stages.

  1. Stage 1: Find and exploit a vulnerability. The hacker looks for a weakness in a device, either a flaw in software, an application, or a website, or an opening created by human error. Online messages and email are often used to lure the user into a malware infection.
  2. Stage 2: Malware infection is deployed. Malware can be delivered by a variety of methods, including Trojans embedded in email attachments or clickbait popups. Hackers often use social engineering to persuade users to unknowingly download malware onto their device. Visiting a compromised website can also trigger a drive-by download that delivers the malware.
  3. Stage 3: Device is activated and attack is initiated. During this stage, the various infected machines, or bots, are organised into a network that the bot-herder can control remotely. The zombie computers are then used as part of a larger zombie network to carry out attacks.

Once activated, a botnet can grant the bot-herder admin-level access to each device, allowing them to perform the following actions:

  • Collect personal data of the user.
  • Monitor the user’s activity.
  • Read and write system data.
  • Install and run applications.
  • Send data and files.
  • Search for vulnerabilities within other devices.

What can a botnet control?

A botnet can affect any device connected to the internet or with access to an internet connection. This can include the following devices:

  • Computer desktops and laptops
  • Mobile devices like smartphones and tablets
  • Internet of things (IoT) devices, including wearable devices (smartwatches and fitness trackers), smart home devices (televisions, security cameras, thermometers, speakers, and smart plugs), and in-vehicle infotainment (IVI)
  • Internet infrastructure hardware, such as web servers and network routers

Bot-herders can amass thousands or even millions of devices (zombie computers) at a time to create a massive botnet for large-scale cyberattacks.

How botnets are controlled

Botnets are controlled remotely by the bot-herder using command and control (C&C). This can follow either a centralised (client-server) model or a decentralised peer-to-peer (P2P) model.

Traditionally, botnets operated through Internet Relay Chat (IRC) networks, websites, and domains using the client-server model. With this model, the program will send a request and wait for a return response. Infected devices access a predetermined location and wait for the bot-herder to send the commands to the server, which are then relayed to the bots. The commands are executed, and results reported back to the bot-herder.

All commands are sent to a central server before being distributed to the bots. This centralised method can leave the bot-herder vulnerable to exposure.
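Because bots in the client-server model repeatedly contact a predetermined location to poll for commands, the check-ins tend to arrive on a fixed schedule regardless of what the user is doing. The following is an added example (not code from the original article) of how a defender can spot that rhythm in outbound logs: it parses constructed proxy log lines in an assumed `timestamp source destination` format, groups requests by source and destination, and flags pairs whose gaps between requests are nearly constant.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the page): timestamp, source host, destination.
# 10.0.0.5 contacts one destination every ~300 s, as a bot polling a fixed C&C
# location for commands would; 10.0.0.7 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example-cc.test
2024-05-01T10:05:00 10.0.0.5 updates.example-cc.test
2024-05-01T10:10:01 10.0.0.5 updates.example-cc.test
2024-05-01T10:15:00 10.0.0.5 updates.example-cc.test
2024-05-01T10:19:59 10.0.0.5 updates.example-cc.test
2024-05-01T10:25:00 10.0.0.5 updates.example-cc.test
2024-05-01T10:00:12 10.0.0.7 news.example.test
2024-05-01T10:00:45 10.0.0.7 cdn.example.test
2024-05-01T10:07:03 10.0.0.7 news.example.test
2024-05-01T10:32:02 10.0.0.7 news.example.test
2024-05-01T10:58:10 10.0.0.7 news.example.test
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group timestamps by (source, destination) pair; malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return flows

def find_beacons(flows, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): period_seconds} for pairs whose request gaps are nearly constant.
    A coefficient of variation (stdev / mean of the gaps) below max_jitter means the
    host is calling home on a fixed schedule, independent of what the user is doing."""
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:  # too few contacts to judge a rhythm
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible C&C beacon: {src} -> {dst} every ~{period}s")
```

Legitimate software also polls on a timer (update checkers, mail clients), so a hit is a lead to investigate against an allow-list, not proof of infection.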

Bot-herders now commonly use the P2P model to control botnets; its decentralised design helps keep their identity secret and makes it a serious threat to internet security. The instruction responsibilities are embedded onto each zombie computer directly, and the bot-herder only has to contact one of the infe