Botnets often make the cybersecurity headlines – but they’re far from the Skynet nightmare that you’d assume at first glance. Botnets aren’t a sci-fi AI hivemind, but they are one of the most versatile tools in a hacker’s arsenal.
Built out of anywhere from tens to millions of infected machines, botnets are constantly evolving to grow more sophisticated as their designers leverage them to carry out a wide range of effective cyberattacks.
So, what makes up a botnet? Read on and I’ll break down exactly what a botnet is, how they’re built, and explore both their legitimate and illegitimate uses.
Botnet basics
A “botnet” refers to a robot network, a collection of devices that have been infected with malware and are all under the control of a single entity. The individual hacker responsible for maintaining the botnet is commonly known as a “botmaster” or “bot herder”, but control over how a botnet is used can be shared among multiple members of a hacker group.
The infected devices are referred to as “bots”, which are linked together via a control channel that the botmaster can use to send commands to force the compromised machines to execute coordinated tasks.
There are plenty of different ways for a botmaster to communicate with the bots, but the channel is generically referred to as “command and control” (C2).
Botnets are useful to hackers because building one gives them access to large amounts of distributed processing power and bandwidth. Hacking into a single device might give a hacker a useful host to conduct further operations from, or some credentials to conduct identity attacks, but compromising devices at scale allows for attacks that would otherwise be unfeasible.
While amateur botnets might only comprise a few hundred or thousand machines, the largest known botnets have infected millions of devices simultaneously.
Although botnets are mostly associated with cybercrime, they can also be employed for legitimate purposes. These uses are usually described as “distributed computing” to differentiate them from the bad press around botnets, but they can be used for anything from powering distributed VPN networks to keeping your favorite multiplayer game servers alive during low-traffic hours.
How are botnets made?
The creation of a botnet involves multiple steps. I’m sidestepping the technical details of setting up the botnet infrastructure, but what’s important to know is how it propagates.
Here’s a breakdown of how botnets are typically formed:
- Targeting Victims: The botmaster chooses the vector they use to spread the trojan file that infects targeted machines. These campaigns may take the form of phishing emails, direct messages on social media, or malicious links embedded in online advertisements. These communications usually contain an attachment or link loaded with malware. The malware may also be bundled alongside free software which is distributed over an app store, or embedded in pirated software. There are even automated scanners that look for vulnerable devices and infect them without any user interaction at all – although these tend to be IoT devices with poor security that are accidentally exposed to the internet.
- Infection Process: Once the victim runs the infected file, the malware is executed. This installs a trojan on the device, giving the hacker complete control over the victim’s device. At this stage, the compromised device becomes a “bot”. There’s no indication to the user that this has happened, and because of this, the botmaster will often avoid performing actions that tip off the user until it’s time to perform a coordinated attack.
- Command and Control: After infection, the bot automatically begins communicating with the botmaster’s command and control server. The bot now accepts commands sent from the botmaster and is ready to carry out attacks, often without the owners ever realizing their systems have been hijacked.
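The command-and-control check-in described above is what defenders most often hunt for: a bot that polls its C2 server on a fixed schedule leaves connections at near-constant intervals. This added example (not from the original article) flags source/destination pairs whose connection intervals barely vary, run over a constructed outbound-connection log; the host names and addresses are made up.

```python
"""Beacon detection over constructed outbound-connection log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<ISO timestamp> <src_ip> <dst_host>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 update.example-cdn.net
2024-03-01T10:00:02 10.0.0.5 news.example.org
2024-03-01T10:05:01 10.0.0.5 update.example-cdn.net
2024-03-01T10:07:40 10.0.0.5 mail.example.org
2024-03-01T10:10:00 10.0.0.5 update.example-cdn.net
2024-03-01T10:14:59 10.0.0.5 update.example-cdn.net
2024-03-01T10:20:01 10.0.0.5 update.example-cdn.net
2024-03-01T10:22:13 10.0.0.9 news.example.org
2024-03-01T10:25:00 10.0.0.5 update.example-cdn.net
2024-03-01T10:31:30 10.0.0.9 news.example.org
2024-03-01T10:48:02 10.0.0.9 news.example.org
"""


def parse_connections(log):
    """Group connection timestamps by (source IP, destination host)."""
    conns = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(log, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_cv).
    Real bots add jitter to their sleep timer, so max_cv needs tuning."""
    found = []
    for (src, dst), times in parse_connections(log).items():
        if len(times) < min_hits:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            found.append((src, dst, round(mu)))
    return found


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

The host 10.0.0.5 checks in with update.example-cdn.net every five minutes give or take a second, which stands out from the irregular browsing traffic even though each individual connection looks harmless.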
What are botnets used for?
Botnets get a bad rap, but there are plenty of completely legitimate applications. Conceptually, there’s very little difference between a good botnet and a bad one. Except, of course, for the consent of the users involved.
Volunteer-led distributed computing can be used to carry out large-scale computing tasks, such as simulating the folding of proteins for cancer research.
It’s not just computing, either. Activists may use voluntary botnets to amplify their messaging or conduct coordinated campaigns, such as flooding social media platforms with specific hashtags.
You’ve probably even encountered a “botnet” while playing your favorite online game, as multiplayer games often rely on simulated players to enhance your gameplay experience by filling lobbies when there aren’t enough real users.
On the other hand, illicit uses of a botnet include:
- Harvesting data: Although it’s rarely the exclusive goal of a botnet, the trojan used to give control to a hacker usually comes equipped with keyloggers or screenshot tools. The botmaster can then extract sensitive information from infected devices, including login credentials and other account details, which are either sold on the dark web or used as the basis for further attacks.
- DDoS attacks: Distributed Denial of Service attacks are the bread and butter of botnets. They involve overwhelming a target network service, such as a website, with a flood of traffic. The sheer bandwidth botnets offer is ideal for this task, as the combined power of hundreds of thousands of bots can knock even the most well-protected systems offline. It’s also rather difficult to block them all because the attack is coming from a wide range of devices instead of a single source.
- Spam campaigns: Botnets can aid in their own propagation by sending vast amounts of unsolicited emails, which contain phishing links or malware. These campaigns can also harvest additional victim data, such as passwords or credit card information, through social engineering.
- Vulnerability scanning: Having access to thousands of unique network addresses also allows botmasters to scan networks without attracting attention, as each individual port scan can come from a different host. These scans enable hackers to identify vulnerabilities that can be exploited for future attacks using the botnet.
- Brute force attacks: Botnets facilitate brute force attacks, such as dictionary attacks or credential stuffing, by distributing the password list used to attack online accounts across multiple bots. The large number of unique hosts available in a botnet means that an attacker can launch rapid automated attempts simultaneously without being slowed down or locked out by IP bans.
- Cryptocurrency mining: Some botmasters leverage botnets to mine cryptocurrencies like Bitcoin, Ethereum, or Monero. By harnessing the processing power of infected devices, they can generate profits at the expense of victims’ resources, including electricity and hardware lifespan.
- Botnet-as-a-service: All of these uses are attractive to cyber-criminals who might lack the skills or infrastructure to build their own botnet. There are botmasters out there who recognize this market gap and monetize their networks by renting them out. Known as “Botnet-as-a-Service,” this model allows clients to use the botnet for a variety of activities, from launching DDoS attacks to distributing malware.
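The brute force entry above makes a point defenders should take literally: because each bot stays under the per-IP lockout threshold, a per-IP counter never fires, and the attack only becomes visible when failures are aggregated across IPs and accounts in a time window. This added example (not from the original article) contrasts the two views over a constructed authentication log; the addresses, account names and thresholds are made up.

```python
"""Per-IP lockout versus aggregate detection of distributed credential attacks."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): "<ts> <src_ip> <account> <result>"
AUTH_LOG = """\
2024-03-01T10:00:01 203.0.113.11 alice FAIL
2024-03-01T10:00:04 203.0.113.12 bob FAIL
2024-03-01T10:00:07 203.0.113.13 carol FAIL
2024-03-01T10:00:09 203.0.113.14 dave FAIL
2024-03-01T10:00:12 203.0.113.15 erin FAIL
2024-03-01T10:00:15 203.0.113.16 frank FAIL
2024-03-01T10:00:18 203.0.113.11 grace FAIL
2024-03-01T10:00:21 203.0.113.12 heidi FAIL
2024-03-01T10:00:25 203.0.113.17 ivan OK
2024-03-01T11:15:02 198.51.100.7 mallory FAIL
2024-03-01T11:15:20 198.51.100.7 mallory OK
"""

LOCKOUT_FAILURES = 5  # assumed per-IP ban threshold that each bot stays under


def parse_auth(log):
    rows = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, result))
    return rows


def per_ip_bans(log):
    """Classic lockout: IPs that reached LOCKOUT_FAILURES failed logins."""
    fails = Counter(ip for _, ip, _, r in parse_auth(log) if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= LOCKOUT_FAILURES)


def distributed_attack_windows(log, window_s=60, min_ips=5, min_accounts=5):
    """Aggregate view: windows whose failures span many IPs and many accounts
    while no single IP reaches the lockout threshold. Returns
    (window_index, distinct_ips, distinct_accounts) per flagged window."""
    rows = parse_auth(log)
    t0 = min(ts for ts, _, _, _ in rows)
    windows = defaultdict(list)
    for ts, ip, user, result in rows:
        if result == "FAIL":
            windows[int((ts - t0).total_seconds() // window_s)].append((ip, user))
    flagged = []
    for w, fails in sorted(windows.items()):
        ips, users = {ip for ip, _ in fails}, {u for _, u in fails}
        busiest_ip = Counter(ip for ip, _ in fails).most_common(1)[0][1]
        if len(ips) >= min_ips and len(users) >= min_accounts and busiest_ip < LOCKOUT_FAILURES:
            flagged.append((w, len(ips), len(users)))
    return flagged
```

On this log the per-IP rule bans nobody, while the windowed view flags the first minute: eight failures from six addresses against eight different accounts, with no address above two attempts.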