What is a Botnet?
A botnet is a network of Internet-connected devices, usually computers, servers, mobile phones and Internet of Things (IoT) devices, infected by malware and remotely controlled by a threat actor. Botnets are often used for illicit and malicious purposes such as sending spam, click fraud and Distributed Denial-of-Service (DDoS) attacks.
A cyber criminal or hacker group, referred to as a bot herder, builds a botnet by finding and exploiting vulnerabilities in devices exposed in the wild. This is done either by searching for security gaps in popular software and websites or by embedding malicious links into legitimate sites that victims unknowingly click on.
The most common way that a device gets recruited into a botnet is by clicking on a fake update link in a phishing email or visiting a malicious website. Infections may also happen through malware delivered by compromised ad networks that steals credentials, or by exploiting flaws in an operating system.
Once a computer has been recruited into a botnet, it communicates with the bot herder using one of several communication protocols. The first generation of botnets used a client-server model, in which instructions were sent to the infected device from a central source, called a command and control (C&C) server. This centralized approach has been replaced with more advanced peer-to-peer (P2P) botnets, in which the responsibility for relaying instructions is distributed across the compromised computers themselves, so no single server is required.
The P2P architecture eliminates the single point of failure that is found in centralized botnet models. This newer approach is less susceptible to disruption by cybersecurity vendors and law enforcement agencies.
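As an added example (not part of the original article), the following Python snippet shows one way defenders spot the client-server model described above: a bot that polls a central C&C server tends to connect at near-constant intervals, which stands out from ordinary, irregular traffic. The connection-log format, IP addresses and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection log: "<timestamp_seconds> <src_ip> <dst_ip> <dst_port>".
# The first flow polls every ~60 s (beacon-like); the others are irregular or too short.
SAMPLE_LOG = """\
0 10.0.0.5 203.0.113.7 443
60 10.0.0.5 203.0.113.7 443
121 10.0.0.5 203.0.113.7 443
180 10.0.0.5 203.0.113.7 443
241 10.0.0.5 203.0.113.7 443
300 10.0.0.5 203.0.113.7 443
5 10.0.0.9 198.51.100.20 80
190 10.0.0.9 198.51.100.20 80
700 10.0.0.9 198.51.100.20 80
730 10.0.0.9 198.51.100.20 80
1500 10.0.0.9 198.51.100.20 80
12 10.0.0.5 192.0.2.44 443
72 10.0.0.5 192.0.2.44 443
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((float(ts), src, dst, int(port)))
    return records


def beacon_candidates(records, min_connections=5, max_jitter_ratio=0.1):
    """Return (src, dst, port, mean_interval) for flows whose inter-connection
    gaps are nearly constant: the coefficient of variation (stdev / mean) is at
    or below max_jitter_ratio. Such flows deserve analyst review, not an
    automatic verdict, since legitimate software also polls on a schedule."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)
    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append((*flow, round(avg, 1)))
    return findings


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

Lowering `max_jitter_ratio` tightens the match to very regular beacons; raising it catches bots that add random delay to their polling, at the cost of more false positives.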