A botnet is a group of internet-connected devices infected with malware that allows attackers to control them remotely. The devices can then be used to carry out a variety of malicious activities, including stealing credentials, attacking online accounts, and executing distributed denial of service (DDoS) attacks.

Attackers use malware to infect devices that are connected to the internet, typically PCs, routers, servers and other devices like cameras and printers. They often exploit vulnerabilities in those devices or phish for usernames and passwords, or use drive-by download techniques to get the malware onto a device. Once the device is infected with botnet malware, it connects to a central server called a command and control (C&C) server. The C&C server sends commands to the bots and they execute them in turn.

The C&C server can communicate with the bots using a range of protocols. IRC (Internet Relay Chat) is a popular choice for the bot herder as it allows them to chat and share information with the bots while hiding the traffic from internet providers. Other popular choices include using telnet or ordinary web traffic to communicate with the bots, which can help disguise the activity. Newer botnets often operate fully over P2P (peer-to-peer) networks.
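A defender's view of the C&C traffic described above, as an added example that is not part of the original page: it scans flow records for several internal devices contacting the same external server on default IRC or telnet ports. The log format, addresses, internal range and function names are constructed for illustration, and a port check like this will not catch C&C carried in ordinary web traffic or over P2P.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.168.1.20 203.0.113.50 6667 tcp
2024-05-01T10:00:03 192.168.1.31 203.0.113.50 6667 tcp
2024-05-01T10:00:09 192.168.1.44 203.0.113.50 6667 tcp
2024-05-01T10:01:12 192.168.1.20 198.51.100.7 443 tcp
2024-05-01T10:02:30 192.168.1.77 198.51.100.99 23 tcp
2024-05-01T10:03:00 192.168.1.20 192.168.1.1 23 tcp
truncated record
"""

# Assumption: the monitored network is this single internal range.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
# Default IRC ports (6660-6669 plain, 6697 TLS) and the telnet port (23).
WATCHED_PORTS = {**{p: "irc" for p in range(6660, 6670)}, 6697: "irc", 23: "telnet"}

def parse_flow(line):
    """Return (src, dst, port), or None for a record that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]),
                int(parts[3]))
    except ValueError:
        return None

def find_cc_candidates(flow_text, min_hosts=2):
    """Map (external server, port, protocol) to the internal hosts contacting it."""
    contacts = defaultdict(set)
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, port = flow
        # Only internal -> external connections on a watched port count.
        if src in INTERNAL_NET and dst not in INTERNAL_NET and port in WATCHED_PORTS:
            contacts[(str(dst), port, WATCHED_PORTS[port])].add(str(src))
    # Several devices talking to one server is the pattern of a central C&C.
    return {k: sorted(v) for k, v in contacts.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (server, port, proto), hosts in find_cc_candidates(SAMPLE_FLOWS).items():
        print(f"{server}:{port} ({proto}) contacted by {', '.join(hosts)}")
```

Lowering `min_hosts` to 1 also surfaces single devices reaching an external telnet service, at the cost of more noise.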

The main reason to build a botnet is financial gain. In ad fraud botnets, the goal is to infect large numbers of devices to provide a large amount of computing power and functionality for automating the fraudulent activity. This is often invisible to the device users, who may only notice a dramatic decrease in performance or an increase in ad pop-ups and redirections to different websites and services.