What is a Botnet?
A botnet is a collection of compromised devices (zombie computers) controlled by one attacking party, known as the “bot herder.” Because the whole network is directed remotely from a single point, an attacker can orchestrate large-scale cyber attacks at a fraction of the cost of building and running equivalent infrastructure of their own.
Once infected, bots communicate with a command and control (C&C) server over channels built on ordinary network protocols such as IRC or HTTP. These channels can be centralized, following the client-server model, or decentralized, following the peer-to-peer (P2P) model. P2P botnets are a common choice because they are more flexible and resilient: with no central C&C server there is no single point of failure, which makes the botnet much harder for law enforcement to take down.
The C&C server relays instructions to each infected bot for the actions it is to carry out. These can include stealing personal information, downloading and installing additional malware, cryptojacking, sending spam, or taking part in Distributed Denial of Service (DDoS) attacks.
To keep a botnet functional, threat actors regularly update the malware on infected systems, which helps it evade detection by traditional security solutions. Updates also let the bot herder recruit more machines, since already-infected bots can be instructed to distribute the malicious code to new targets themselves.
Bots can also scan the Internet for vulnerable IoT devices, such as routers and cameras, which are then infected with Trojans and other malware and added to the botnet. The most dangerous bots are polymorphic: the malware rewrites its own code so that every copy differs in structure while behaving the same, which defeats anti-malware solutions that rely on fixed signatures.
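As an added example (not part of the original article), the following Python script shows how a defender might surface two of the behaviours described above in plain connection logs: the clock-like check-ins of a bot with its C&C server, and an infected host sweeping the Internet for exposed Telnet services on IoT devices. The log format, the fictional IP addresses, the detection thresholds and the choice of Telnet ports 23/2323 as “IoT ports” are assumptions made for this example; the records are constructed, not captured traffic.

```python
"""Two botnet-behaviour heuristics over constructed connection records.

Added example, not code from the original article. The log format
("epoch_seconds src_ip dst_ip dst_port"), addresses, thresholds and
watched ports are all assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict


def build_sample_log() -> str:
    """Construct a small connection log (fictional addresses, not real traffic)."""
    lines = []
    t0 = 1_700_000_000
    # Bot checking in with its C&C over HTTP every 60 s, with +/-2 s of jitter.
    jitter = [0, 2, -1, 1, 0, -2, 1, 0, 2, -1]
    for i, j in enumerate(jitter):
        lines.append(f"{t0 + 60 * i + j} 10.0.0.5 203.0.113.10 80")
    # Ordinary user browsing: the same number of hits to one site, irregular gaps.
    t = t0
    for gap in [0, 7, 310, 12, 95, 1500, 4, 60, 900, 33]:
        t += gap
        lines.append(f"{t} 10.0.0.7 198.51.100.20 80")
    # Infected host sweeping 40 addresses of a /24 on Telnet within 40 s.
    for i in range(1, 41):
        lines.append(f"{t0 + i} 10.0.0.9 192.0.2.{i} 23")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse 'ts src dst port' lines into (ts, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=8, max_cv=0.1):
    """Flag (src, dst, port) pairs whose inter-arrival times are near-constant.

    cv = stdev / mean of the gaps between connections; human traffic is bursty
    (high cv), a bot polling its C&C on a timer is clock-like (cv near 0).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_scanners(records, watched_ports=(23, 2323), window_s=60, min_targets=25):
    """Flag sources touching many distinct hosts on watched ports in one window.

    Sliding window over each source's connections; the watched ports here are
    the Telnet ports routers and cameras commonly expose (an assumption).
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in watched_ports:
            by_src[src].append((ts, dst))
    hits = []
    for src, conns in by_src.items():
        conns.sort()
        in_window = defaultdict(int)  # dst -> connections inside the window
        left, best = 0, 0
        for ts, dst in conns:
            in_window[dst] += 1
            while ts - conns[left][0] > window_s:  # evict connections too old
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits.append({"src": src, "distinct_targets_in_window": best})
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("beaconing:", find_beacons(recs))
    print("scanning:", find_scanners(recs))
```

Run stand-alone, the script flags only 10.0.0.5 as beaconing (period about 60 s) and only 10.0.0.9 as scanning; the browsing host 10.0.0.7 makes the same number of connections as the bot but its irregular timing keeps its cv far above the threshold. In production the same two signals would be computed over flow or proxy logs, and the thresholds tuned against the organization's own baseline.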