What Is a Botnet?

A botnet is a network of infected computers or IoT devices under the collective control of a cybercriminal. By issuing remote commands over the internet through malware on the infected machines, a hacker can use a botnet to perform a variety of large-scale cyberattacks, such as distributed denial of service (DDoS), phishing, and cryptomining. Device owners often don’t know their device is part of a botnet at all.

What Are Botnets Used For?

Botnets are used in various types of attacks that benefit in some way from the use of a large number of remotely operated endpoint devices. Some examples of common kinds of botnet attacks are:

  • Distributed denial of service: In a DDoS attack, attackers send traffic from many devices at once to overwhelm the processing or bandwidth capabilities of target servers or infrastructure and prevent normal service delivery.
  • Phishing and other email fraud: Botnets can send large volumes of spam or phishing messages from different accounts and IP addresses as part of credential phishing attempts, financial scams, malware campaigns, and more.
  • Cryptocurrency mining: Using the collective processing power of a botnet in conjunction with cryptomining malware, an attacker can mine digital currency without device owners’ knowledge or consent (a.k.a. cryptojacking).
  • Brute force attacks: Botnets can rapidly perform successive login attempts to access victims’ online accounts, or use credentials exposed in leaks to quickly attempt credential stuffing attacks on multiple websites at once.
  • Proxy-based obfuscation: Attackers can turn botnet devices into forward proxies to redirect malicious traffic while hiding their identity and location. They may even sell proxy access to other attackers via the dark web.
  • Trojans, keylogging, and packet sniffing: Botnet malware can be used to monitor and log data the bot sends and receives as well as to capture information users enter into their devices, such as login credentials.

How Do Botnets Work?

Botnets begin with botnet malware, distributed like other types of malware through methods such as phishing emails or vulnerability exploits, that turns infected devices into “bots.” These bots then communicate with a hacker-controlled central server called a command and control (C2 or C&C) server, which the hacker uses to issue instructions to the bots.

Besides instructing the bots to perform various attacks, the C2 server can issue updates to the malicious software to improve or alter the botnet’s functions and capabilities, making it more difficult to detect and defend against. On top of that, a single botnet can consist of hundreds or even many thousands of widely distributed devices, the owners of which may never know their devices are part of a botnet.
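The regular check-ins a bot makes to its C2 server leave a timing pattern defenders can look for. The following is an added example, not part of the original page or any Zscaler product: it flags source/destination pairs whose connection intervals are nearly constant. The flow records, the function name `find_beacons`, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (epoch seconds, source, destination); not real traffic.
FLOWS = [
    (0, "10.0.0.7", "203.0.113.50"), (61, "10.0.0.7", "203.0.113.50"),
    (119, "10.0.0.7", "203.0.113.50"), (180, "10.0.0.7", "203.0.113.50"),
    (241, "10.0.0.7", "203.0.113.50"), (300, "10.0.0.7", "203.0.113.50"),
    (5, "10.0.0.8", "198.51.100.20"), (12, "10.0.0.8", "198.51.100.20"),
    (140, "10.0.0.8", "198.51.100.20"), (150, "10.0.0.8", "198.51.100.20"),
    (290, "10.0.0.8", "198.51.100.20"), (900, "10.0.0.8", "198.51.100.20"),
    (10, "10.0.0.9", "198.51.100.30"), (70, "10.0.0.9", "198.51.100.30"),
]


def find_beacons(flows, min_events=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs with regular timing.

    cv is the coefficient of variation of the gaps between connections:
    human-driven traffic is bursty (high cv), a timer-driven check-in is
    steady (low cv). Both thresholds are illustrative assumptions.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections share one timestamp
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("beacon-like:", hit)
```

Malware that randomizes its check-in interval raises the coefficient of variation, so timing regularity works best as one signal combined with others, such as destination reputation.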

How Do Botnets Evade Detection?

Botnet malware is engineered to escape notice by operating covertly in the background with advanced techniques such as the use of polymorphic code, domain generation algorithms (DGAs), and encryption. These methods enable the malware to change its appearance and alter or hide its communication pathways, making it difficult for conventional cybersecurity measures, such as signature-based antivirus or traditional network security hardware, to detect, intercept, or analyze malicious traffic linked to botnet operations.
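A DGA defeats static domain blocklists, but it produces a behavioral side effect: most generated names are never registered, so an infected host accumulates failed lookups for random-looking names. The following is an added example, not part of the original page: it scans DNS log lines for clients with many NXDOMAIN answers to high-entropy names. The log format, the function names, and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS log: "<timestamp> <client> <query name> <response code>".
LOG = """\
2023-06-01T10:00:01Z 10.0.0.7 xkqjzvbwpfmt.example NXDOMAIN
2023-06-01T10:00:02Z 10.0.0.7 rtplqzxnvkdh.example NXDOMAIN
2023-06-01T10:00:03Z 10.0.0.8 mail.example NOERROR
2023-06-01T10:00:04Z 10.0.0.7 mzvqkxjwbnty.example NXDOMAIN
2023-06-01T10:00:05Z 10.0.0.8 wwww.example NXDOMAIN
2023-06-01T10:00:06Z 10.0.0.7 hgqpzkxvwjrl.example NXDOMAIN
2023-06-01T10:00:07Z 10.0.0.9 cdn7f3a9b2c1e4.example NXDOMAIN
2023-06-01T10:00:08Z 10.0.0.7 bvxzqkwjpmhd.example NXDOMAIN
2023-06-01T10:00:09Z 10.0.0.7 wkzqxvjpbtnm.example NOERROR
2023-06-01T10:00:10Z 10.0.0.8 intranet.example NOERROR
"""


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspect_dga_clients(log_text, min_entropy=3.0, min_failures=4):
    """Map client IP -> count of distinct high-entropy names that failed.

    Requiring several failures per client keeps a single mistyped or
    machine-generated hostname from raising an alert on its own.
    """
    failures = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = parts
        label = qname.lower().rstrip(".").split(".")[0]
        if rcode == "NXDOMAIN" and entropy(label) >= min_entropy:
            failures[client].add(qname.lower())
    return {c: len(n) for c, n in failures.items() if len(n) >= min_failures}


if __name__ == "__main__":
    print(suspect_dga_clients(LOG))
```

Entropy alone misfires on legitimate machine-generated hostnames, which is why the check combines it with the failure count per client.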

How Are Botnets Controlled?

Botnet operators (sometimes called bot herders) can control bot devices in two main ways:

  • Centralized control, wherein the C2 server sends instructions to each bot, and the bots do not communicate directly with one another
  • Decentralized or peer-to-peer control, wherein the C2 server sends instructions to just one bot, which in turn communicates with the other bots

Centralized botnets are easier to set up than P2P botnets, but they’re also easier to shut down, as hunters can simply locate and disable the central server. Conversely, P2P botnets have considerably higher overhead but are more difficult to shut down, as it’s far more difficult to locate the C2 server among all the intercommunicating devices.

What Types of Devices Can Be Affected?

Practically any internet-connected device can become part of a botnet as long as an attacker can get malware running on it. These devices include:

  • Computers, smartphones, and other mobile devices running all common operating systems
  • Servers, routers, and other network hardware that can further facilitate the spread of attacks
  • Internet of things (IoT) and operational technology (OT) devices, which often lack robust security and, in the case of traditionally “air-gapped” OT systems, were not designed with hyperconnectivity in mind. By exploiting vulnerabilities in IoT devices, attackers can assemble massive botnets capable of launching powerful DDoS attacks.

There will be a projected 27 billion IoT devices worldwide by 2027, up from 16.7 billion in 2023. IoT malware attacks increased 400% in the first half of 2023 compared to 2022, largely driven by popular IoT botnets Mirai and Gafgyt.

Read the ThreatLabz 2023 Enterprise IoT and OT Threat Report

Examples of Botnet Attacks

The use of botnets remains popular in widespread cyberattacks because of how difficult it can be to definitively shut them down. Here’s a look at some high-profile botnets that have been active in the last several years:

  1. Mirai uses brute force techniques and remote code execution to infect IoT devices with botnet malware. One of the most prolific IoT malware families for years, Mirai waged what was the largest DDoS attack in history in 2016.
  2. Gafgyt and its variants infect Linux systems to launch DDoS attacks, having infected millions of IoT devices since 2014. Gafgyt-affiliated botnets have been responsible for DDoS attacks up to 400 Gbps in intensity.
  3. BotenaGo uses some of the same techniques as Mirai, including brute-force authentication, to infect routers and IoT devices. It is written in the open source Go language and available on GitHub, so any would-be attacker can modify or release it.
  4. Mozi, discovered in 2019, primarily exploits IoT devices with weak or default login credentials and infects them with botnet malware. Mozi was responsible for more than 5% of IoT malware in the first half of 2023.
  5. VPNFilter targets routers and storage devices, specializing in targeting ICS/SCADA devices. Allegedly the creation of the Russian cyber espionage group Fancy Bear, it can exfiltrate data, brick devices, and persist through router reboots.

The Mirai and Gafgyt botnets accounted for 66% of attack payloads on IoT/OT devices in the first half of 2023.


How to Protect Your Organization Against Botnets

With their vast global reach, advanced evasion tactics, and encrypted communications, botnet attacks remain a pervasive, accessible threat, especially as open source variants proliferate and the mass of vulnerable targets continues to grow. To keep your organization’s devices safe, your security must be able to consistently detect and mitigate botnet activity.

Zscaler Internet Access™ (ZIA™) is a cloud native security service edge (SSE) solution. Offered as a scalable SaaS platform through the world’s largest security cloud, it replaces legacy network security solutions, preventing advanced attacks and data loss with a comprehensive zero trust approach. ZIA enables you to detect botnet and C2 activity and effectively stop botnets with:

  • Intrusion Prevention System (IPS): Get complete protection against botnets, advanced threats, and zero day threats alongside contextual user, app, and threat intelligence.
  • Advanced Threat Protection (ATP): Leverage built-in protection against botnets, command-and-control traffic, risky P2P sharing, malicious active content, cross-site scripting, fraud sites, and more.

Zscaler Zero Trust SD-WAN securely brokers your IoT device traffic from branches to private apps and the internet through the Zscaler Zero Trust Exchange™, which restricts the lateral movement of IoT-based malware and controls communication with C2 servers.

Zscaler IoT Device Visibility provides a complete view of all IoT devices, servers, and unmanaged user devices across your organization without requiring endpoint agents.

FAQs

What Is a Bot?

A bot, in the context of a botnet, is a computing device infected with malware that allows a malicious actor to issue instructions remotely from a command-and-control server. The owners of the devices are unaware as bots work collectively to launch botnet attacks such as distributed denial of service (DDoS), phishing and other types of email fraud, cryptomining, and more.

How Illegal Is a Botnet?

Creating or running a botnet is illegal in virtually all global jurisdictions and is largely considered a serious criminal offense. Law enforcement organizations such as the FBI and INTERPOL actively pursue and prosecute botnet operators, who can be charged with unauthorized hacking, identity theft, and other cybercrimes.