
Botnets Explained: How They Work, Famous Examples, Prevention

Learn how botnets work—command and control infrastructure, propagation methods, famous botnets like Mirai and Emotet, and how to avoid infection.


A botnet is a network of internet-connected devices infected with malware and controlled by a threat actor — the “bot herder.” Each infected device (called a “bot” or “zombie”) connects to command and control (C2) infrastructure, awaiting instructions. Botnets number in the thousands to millions of devices, enabling attacks at scales impossible from a single machine. They’re the backbone of modern cybercrime, enabling DDoS attacks, spam campaigns, credential stuffing, ransomware distribution, and cryptocurrency mining.

How Botnet Architecture Works

Command and Control (C2) Models

Centralized C2 — early botnets used a single IRC server or web server that all bots connected to. Simple but fragile — take down the C2, and the botnet goes dark. Law enforcement targeted C2 servers to “sinkhole” botnets.

Distributed/P2P C2 — modern botnets use peer-to-peer communication (similar to BitTorrent). Each bot knows a handful of other bots and can relay commands. There’s no single point of failure — removing one bot or server doesn’t disable the network. The Gameover ZeuS botnet used this model.

Domain Generation Algorithms (DGA) — bots use an algorithm to generate hundreds of potential domain names daily and attempt to connect to each. The bot herder registers one domain per day from the list, and bots connect to it. Defenders must predict and preemptively block thousands of potential C2 domains.

Fast Flux — the C2 domain’s DNS records change rapidly (every 3–5 minutes), pointing to different infected machines that act as proxy nodes. The real C2 infrastructure stays hidden behind a constantly shifting network of compromised machines.
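The DGA model above is easiest to understand from the defender’s side: once the generation algorithm and seed are recovered from a sample, every candidate domain for a window of days can be precomputed and matched against DNS query logs. The example below is added here and is not from the original article; the DGA is a constructed toy (a date-seeded SHA-256 walk, not any real family’s algorithm), and the log format and log lines are constructed sample input.

```python
"""Defender-side DGA handling: precompute candidates, match DNS query logs.

The DGA is a constructed toy; the log format and entries are constructed too.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")


def toy_dga(day, count=100, seed=0x1234):
    """Generate `count` candidate C2 domains for `day` (toy algorithm)."""
    domains = []
    state = f"{seed}:{day.isoformat()}".encode()
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        # Map 12 digest bytes to letters for the label, one byte picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in state[:12])
        domains.append(f"{label}.{TLDS[state[12] % len(TLDS)]}")
    return domains


def build_blocklist(start, days):
    """Every candidate for the window, as a defender precomputes after reversing
    the algorithm and seed; this is what gets pushed to the resolver/sinkhole."""
    block = set()
    for n in range(days):
        block.update(toy_dga(start + timedelta(days=n)))
    return block


def flag_dga_queries(log_lines, blocklist):
    """Return (client_ip, qname) for queries that hit the precomputed set."""
    hits = []
    for line in log_lines:
        # Constructed log format: "<timestamp> <client_ip> query <qname> <qtype>"
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


SAMPLE_DAY = date(2024, 3, 1)
SAMPLE_LOG = [  # constructed: one benign query, one DGA hit, one more benign
    "2024-03-01T03:12:07 10.0.0.23 query www.example.com A",
    f"2024-03-01T03:12:09 10.0.0.23 query {toy_dga(SAMPLE_DAY)[7]} A",
    "2024-03-01T03:13:11 10.0.0.40 query updates.example.net A",
]

if __name__ == "__main__":
    print(flag_dga_queries(SAMPLE_LOG, build_blocklist(SAMPLE_DAY, 7)))
```

The 7-day window mirrors the race the text describes: the herder registers one name per day, so the defender must have the whole upcoming list blocked before that day arrives.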

Bot Propagation

Once a single machine is infected, the botnet spreads through:

  • Exploit kits — malicious websites that exploit browser/plugin vulnerabilities to drive-by download the bot malware
  • Spam campaigns — malicious email attachments or links distributing the dropper
  • Brute-force scanning — automated scanning for SSH, RDP, or telnet with default/weak passwords (primary method for IoT botnets)
  • Existing botnets — bot herders rent access to existing botnets to distribute new malware
  • Malvertising — malicious ads on legitimate ad networks deliver exploit payloads

Famous Botnet Examples

Mirai (2016) — IoT Botnet That Broke the Internet

Mirai targeted Internet of Things devices — routers, IP cameras, DVRs — using a dictionary of 62 default username/password combinations. Devices running Linux with exposed Telnet were vulnerable.

At its peak, Mirai infected over 600,000 IoT devices. In September/October 2016, it was used to launch the largest DDoS attacks ever recorded at that time:

  • 620 Gbps against security journalist Brian Krebs’ website (taken offline)
  • ~1 Tbps against Dyn’s DNS infrastructure — effectively taking offline Twitter, Netflix, Reddit, Spotify, and many other major sites for hours

Mirai’s source code was released publicly in 2016, spawning dozens of variants that persist to this day. Lesson: default credentials on IoT devices remain a massive, unresolved security problem.

Emotet (2014–2021, and recurring)

Emotet began as a banking trojan but evolved into one of the most sophisticated malware distribution platforms in history. At its peak it operated as:

  • A modular banking trojan stealing credentials
  • A spam distributor that hijacked real email threads, replying with malicious content
  • A dropper for other malware families (TrickBot, QakBot, Ryuk ransomware)

The “thread hijacking” technique was particularly effective — Emotet would steal email threads from infected machines and reply to them from the victim’s own address, making malicious attachments appear to come from known, trusted contacts.

Europol coordinated Emotet’s takedown in January 2021 — but variants re-emerged later in 2021 and continue to operate.

Necurs (2012–2019)

Necurs was the world’s largest spam botnet, infecting 9+ million devices and responsible for a significant fraction of global spam traffic. It distributed:

  • Locky ransomware (one of 2016’s most damaging ransomware families)
  • Dridex banking trojan
  • Pump-and-dump penny stock scams

Microsoft coordinated its takedown in March 2020, seizing control of the domains its DGA would generate.

GameOver ZeuS (2011–2014)

A P2P variant of the ZeuS banking trojan that infected ~1 million computers. It stole banking credentials while also serving as the delivery mechanism for CryptoLocker ransomware. Estimated $100+ million in losses. Taken down in 2014 through Operation Tovar — a joint FBI/Europol/private sector effort.

What Botnets Are Used For

Use case               Revenue model
---------------------  ------------------------------------------
DDoS attacks           Sold as “Booter” or “Stresser” services
Spam distribution      Sold per thousand emails sent
Credential stuffing    Credentials sold, or accounts sold
Ransomware delivery    Ransom payments
Cryptocurrency mining  Cryptomining revenue
Click fraud            Advertising payment fraud
Proxy services         Selling bandwidth as a residential proxy

Residential proxy networks (marketed as legitimate “residential IP” services) often source their IPs from unwitting users whose devices are infected with proxy malware or who “opt in” via shady free VPN/software bundles.

How to Avoid Becoming Part of a Botnet

Update everything: Vulnerabilities in routers, cameras, and NAS devices are the most common IoT botnet entry points. Most owners never apply firmware updates.

Change default credentials immediately: Every IoT device ships with a default username and password. Change them on first login. Check every device in your home: router, IP cameras, smart TVs, NAS, printers.

Disable unnecessary services: Disable UPnP on your router (it can expose internal services to the internet). Disable remote management unless you need it. Disable Telnet — always.

Use network-level DNS filtering: Pi-hole or AdGuard Home blocks known C2 domains at the resolver, preventing already-infected devices from reaching the botnet. Not a cure, but it limits the impact.

Scan your network: Regularly scan your home network with Nmap or run a dedicated IoT security tool. Shodan.io’s personal monitor can alert you when your home IP appears in their database.

Watch for unusual traffic: Many infected devices exhibit unusual outbound traffic patterns. A router that generates 10 MB of traffic at 3 AM when no one is home is suspicious.
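Two of the signals in this article show up cleanly in router or firewall flow records: the Mirai-style propagation scan (one internal host probing Telnet on many addresses in seconds, from the brute-force scanning bullet above) and the “10 MB at 3 AM” outbound anomaly just described. The example below is added here, not from the original article; the flow record format and every record in it are constructed sample input, and the thresholds are assumptions to tune per network.

```python
"""Two detections over constructed flow records (defender side).

Record format (constructed): "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
"""
from collections import defaultdict
from datetime import datetime


def parse_flows(lines):
    flows = []
    for line in lines:
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def telnet_scanners(flows, min_targets=20, window_s=60):
    """Sources that hit port 23 on >= min_targets distinct hosts within window_s.
    A propagation scan touches many addresses quickly; an admin session touches one."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port == 23:
            per_src[src].append((ts, dst))
    scanners = set()
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners


def offhours_outliers(flows, start_h=1, end_h=5, threshold_bytes=10 * 1024 * 1024):
    """Devices whose outbound bytes between start_h and end_h exceed the threshold."""
    totals = defaultdict(int)
    for ts, src, _, _, nbytes in flows:
        if start_h <= ts.hour < end_h:
            totals[src] += nbytes
    return {src: n for src, n in totals.items() if n > threshold_bytes}


SAMPLE_FLOWS = (  # constructed records; IPs are from documentation ranges
    # an IP camera pushing 12 MiB out at 03:00, when nobody is home
    [f"2024-03-01T03:{m:02d}:00 192.168.1.77 203.0.113.9 443 {3 * 1024 * 1024}" for m in range(4)]
    # one internal host probing Telnet on 25 external addresses within 25 s
    + [f"2024-03-01T14:10:{s:02d} 192.168.1.50 198.51.100.{s + 1} 23 60" for s in range(25)]
    # ordinary daytime traffic, including a single legitimate Telnet session
    + ["2024-03-01T14:11:00 192.168.1.10 192.0.2.10 443 2048",
       "2024-03-01T14:12:00 192.168.1.10 192.0.2.11 23 60"]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", telnet_scanners(flows), "off-hours:", offhours_outliers(flows))
```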

Use reputable security software: Endpoint protection that monitors process behavior and network connections catches many bot malware families before they establish C2 communication.

Modern botnets are professional criminal enterprises — maintained, monetized, and sold as services. The same infected infrastructure may run DDoS attacks one month, distribute ransomware the next, and mine cryptocurrency the month after. Understanding their economics explains why they’re so persistent: the financial incentives are substantial and the barrier to entry has dramatically declined.
