What Is a Botnet?
A botnet is a collection of internet-connected devices—most commonly PCs, servers, and smart IoT (Internet of Things) devices—infected with malware that is controlled remotely by cybercriminals. The threat actors use the bots to perform automated tasks that remain hidden from the device users. Bots are used to harvest keystrokes and passwords, divert web traffic to fraudulent online advertisements, launch distributed denial of service (DDoS) attacks, generate spam, and more.
Attackers plant bot programs on a target device through techniques like web downloads, exploit kits hosted on websites, popup ads, and email attachments. Once the device is infected, it will look for a website or server that can deliver instructions to it, known as a command and control (C&C) server. Alternatively, it may communicate with the C&C server via a P2P network.
Once the bot program receives its commands from a C&C server, it carries out whatever malicious activity or cyber attack the operator has requested. These instructions are typically short text commands, so an unsuspecting device user might not even notice that his or her system has become part of a botnet.
Law enforcement and security vendors have traditionally targeted botnets by identifying the C&C server, working out the communications protocol being used, and shutting down that website or server. However, as bot malware has evolved and its communication has become more decentralized, takedown efforts have shifted away from C&C servers and towards the individual bots. This makes it harder for attackers to keep control of a large botnet and to re-establish a command center once their infrastructure is taken down.
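The defensive starting point described above, identifying the C&C server a bot is polling, can be approached from the network side: a bot asking a server for instructions tends to connect on a fixed schedule, while ordinary user traffic is bursty. The following is an added example (not part of the original article) that flags such regular "beaconing" in a constructed sample of outbound-connection log records; the hostnames, host names and log format are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records: "timestamp source destination".
# All names are invented for this example; none is a real indicator.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 cdn.example.net
2024-05-01T09:00:03 ws-17 update.example-c2.test
2024-05-01T09:00:41 ws-17 mail.example.net
2024-05-01T09:01:03 ws-17 update.example-c2.test
2024-05-01T09:02:04 ws-17 update.example-c2.test
2024-05-01T09:02:30 ws-17 cdn.example.net
2024-05-01T09:03:03 ws-17 update.example-c2.test
2024-05-01T09:04:03 ws-17 update.example-c2.test
2024-05-01T09:05:02 ws-17 update.example-c2.test
2024-05-01T09:07:45 ws-17 cdn.example.net
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds) for destinations contacted at
    near-constant intervals. Jitter is the coefficient of variation
    (stdev / mean) of the gaps between consecutive connections; a bot
    polling its C&C on a timer keeps it small, human browsing does not."""
    beacons = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg, 1)))
    return beacons

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular beacon roughly every {gap}s")
```

Candidates this flags still need triage (software updaters and monitoring agents also poll on timers), but the destination list is exactly the input a takedown or blocking effort needs.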