
Botnet

botnet malware command-and-control iot-security
Plain English

A botnet is an army of hijacked devices. Attackers infect computers, routers, cameras, and other internet-connected devices with malware, then control them all remotely. The owners of these devices usually have no idea they are compromised. When the attacker gives the command, all the bots act at once: flooding a website with traffic, sending spam emails, or trying stolen passwords on banking sites.

Technical Definition

A botnet is a collection of internet-connected devices (bots/zombies) infected with malware and controlled by a command-and-control (C2) infrastructure operated by a threat actor (bot herder).

Botnet lifecycle:

  1. Infection: devices compromised via phishing, drive-by downloads, exploit kits, or default credentials (IoT)
  2. C2 registration: bot contacts the C2 server to register and await commands
  3. Command execution: bot herder issues instructions to some or all bots
  4. Maintenance: malware updates, anti-detection measures, lateral movement

C2 architectures:

  • Centralized: bots connect to a known server (IRC, HTTP, custom protocol). Single point of failure; takedown of C2 server disrupts the botnet.
  • Peer-to-peer (P2P): bots communicate with each other; no central server. Resilient to takedowns (GameOver Zeus, Emotet).
  • Domain Generation Algorithm (DGA): bots algorithmically generate thousands of potential C2 domain names daily. Attacker only needs to register one; defenders must block them all.
  • Fast-flux: rapidly rotating DNS records for C2 domains, using the bots' own IP addresses as the DNS answers.

Common botnet uses:

  • DDoS attacks (volumetric, application layer)
  • Spam distribution
  • Credential stuffing and brute-force attacks
  • Cryptocurrency mining (cryptojacking)
  • Click fraud
  • Ransomware distribution
  • Data exfiltration

Notable botnets: Mirai (IoT devices, 2016), Emotet (modular banking trojan, disrupted 2021), TrickBot (enterprise targeting), Mozi (routers and DVRs).

Detecting botnet indicators

# Check for unusual outbound connections (-H drops the ss header line so it is not counted)
$ ss -tnpH | grep -v "127.0.0.1" | awk '{print $5}' | \
  cut -d: -f1 | sort | uniq -c | sort -rn | head -10
# Unusual: many connections to unknown IPs on non-standard ports

# Monitor DNS queries for DGA-like patterns
# (tcpdump options must come before the filter expression; -n avoids reverse lookups)
$ sudo tcpdump -i eth0 -l -n port 53 2>/dev/null | grep -E '[a-z]{15,}\.'
# DGA domains tend to be long random-looking strings

# Check for file names used by known IoT malware
$ find / \( -name ".nttpd" -o -name ".t" -o -name "mirai.*" \) 2>/dev/null

# Review crontab for suspicious entries
$ crontab -l
$ cat /etc/crontab
$ ls -la /etc/cron.d/

In the Wild

Botnets are responsible for some of the largest cyberattacks in history. The Mirai botnet, built from IoT devices with default credentials (cameras, routers, DVRs), generated the 2016 Dyn DNS attack that disrupted much of the US internet. Modern botnets are sophisticated operations that rent out attack capacity as “DDoS-as-a-Service” on dark web marketplaces. Enterprise defense involves network monitoring for anomalous outbound traffic, DNS sinkholing of known C2 domains, endpoint detection and response (EDR), and segmenting IoT devices onto isolated VLANs. The FBI and international law enforcement regularly conduct botnet takedown operations, seizing C2 infrastructure and issuing commands to disinfect bots.
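The DGA heuristic from the C2 architectures section and the DNS-query check in the detection section, worked through as an added Python example (not code from the original page): it scores the registrable label of each queried name by length, Shannon entropy and vowel ratio, run over constructed resolver-style log lines. The suffix list, the thresholds and the log format are assumptions.

```python
"""Heuristic DGA-likeness scorer for DNS query names (triage signal only).
Thresholds and the suffix list below are assumptions, not tuned values."""
import math
import re
from collections import Counter

# Short stand-in for the Public Suffix List (assumption; use the real list in production).
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "info", "biz", "ru")

def registrable_label(qname: str) -> str:
    """Return the label just left of the public suffix, e.g. 'example' for www.example.co.uk."""
    name = qname.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            return name[: -len(suffix) - 1].split(".")[-1]
    return name.split(".")[-2] if "." in name else name

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dga_score(qname: str) -> float:
    """Score 0..3: long label, high entropy and few vowels each add up to 1.0."""
    label = registrable_label(qname)
    if not label:
        return 0.0
    length_part = min(len(label) / 20.0, 1.0)
    entropy_part = min(shannon_entropy(label) / 4.0, 1.0)
    vowels = sum(ch in "aeiou" for ch in label)
    letters = sum(ch.isalpha() for ch in label) or 1
    vowel_part = 1.0 - min(vowels / letters / 0.4, 1.0)
    return round(length_part + entropy_part + vowel_part, 2)

# Constructed resolver-style log lines; the random-looking names are made up, not real C2 domains.
SAMPLE_LOG = """\
client 10.0.0.12#5353: query: www.example.com IN A
client 10.0.0.12#5353: query: mail.example.co.uk IN A
client 10.0.0.31#4422: query: xkq7vbn2pzlwmfdyt.net IN A
client 10.0.0.31#4422: query: qzvwmtkplrsnxjhgfdb.org IN A
"""
QUERY_RE = re.compile(r"query: (\S+) IN")

def flag_suspicious(log_text: str, threshold: float = 2.0) -> list[str]:
    """Return query names whose score meets the threshold, in log order."""
    return [q for q in QUERY_RE.findall(log_text) if dga_score(q) >= threshold]

if __name__ == "__main__":
    for q in QUERY_RE.findall(SAMPLE_LOG):
        print(f"{dga_score(q):4.2f}  {q}")
```

Names that score high are candidates for sinkhole or threat-intel lookup, not verdicts on their own; legitimate CDN and cloud hostnames can also look random, so the score should be combined with query volume and NXDOMAIN rate per client.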