What are Botnets and How Do Cybercriminals Deploy Them?

Posted by BulletVPN on 26 11 2019.

Internet bots are software applications made to do simple and repetitive tasks efficiently. By having these automated systems in place, we humans don’t have to do much of the tedious work in running and maintaining internet structures. Technically, bots are mostly harmless and are essential parts of the internet to keep it useful and working the way it should. However, they can also be used for destructive and malignant purposes in the hands of a cyber-criminal.

What Do Botnets Do?

One of the main purposes of a bot is “web spidering.” It’s where they search the internet and analyze hundreds of millions of files on different servers across the world. These bots are a big reason why we have good search engines like Google available to us.

Bots have other uses as well. Many servers use chatbots that can provide information and assistance to users or even perform essential administrative tasks. Bots are designed to perform their job at high speeds.

For instance, people use them in online auctions. Bots can make a bid in less than a second, which gives the bidder a higher chance of acquiring the item. Because the process is so fast, they can bid at the very last moment before the auction ends.

Unfortunately, there are ways you can use this technology for many unlawful acts – through the use of botnets.

What Are Botnets?

A botnet is essentially a group of malware-infected computers that are being controlled with illegal intent. “Botnet” is a portmanteau coming from “robot” and “network,” and a device that has been infected is called a bot.

They can be programmed to accomplish malicious and illegal tasks such as stealing private data, sending spam, adding ransomware to a device, and distributed denial-of-service or DDoS (which will be discussed in depth).

While botnets can directly impact the owner of an infected device, they can also have varying levels of visibility. There are some forms of malware that can control a device directly. On the other hand, some of them can run silently and remain unnoticed by the owner. They can come in the form of a background process, hidden from plain sight, and waiting for the “bot herder” (the attacker) to send new tasks.

A major reason why botnets pose a large threat to cyber safety and security is that they can self-propagate. In other words, they recruit new bots to bolster their numbers and increase their capacity for harm. They can do this through a variety of channels, such as using Trojan horse malware and taking advantage of system vulnerabilities or limited authentication methods.

After they gain access to the system, each one of these infection methods will enable the attacker to install malware on their targeted device. This will allow remote control of the device, and it will now be another vector for self-propagation, recruiting different devices in its surrounding network.

Botnets Are Becoming More Commonplace

Botnets have the capability to do a lot of tasks, ranging from system disruption to promoting different agendas. Most botnet attacks, though, exist for one thing – monetary gain.

Botnet services can now be bought online, often concealed in the recesses of the dark web, a portion of the internet that is encrypted and cannot be found through conventional search engines like Google. These services are also relatively cheap if you consider how much damage they can deal. 

Some people take advantage of this and turn it into a lucrative venture, especially in countries where the rules and regulations regarding cybersecurity are lacking. Because of this, there has been a surge of online botnet services in the past decade.

Most users pay for these services using cryptocurrency (online currency). That’s mainly due to the fact that cryptocurrency transactions are anonymous, so you relay little to no personal information with every transaction.

An Attacker Can Use A Botnet For Many Illegal Purposes

Botnets are used in electronic scams. They can also be used to infect a device with malware and other viruses that can control the system and gain access to the owner’s private information. From passwords to bank account numbers, the attacker can obtain this sensitive data, sometimes without the owner even realizing it.

One of the most prevalent methods of stealing sensitive data is called phishing, where botnets send messages that trick individuals into giving their private information. In 2015, Verizon conducted a survey regarding espionage cases done through electronic means, and 2/3 of these cases used phishing.

To respond to these rising numbers of attacks, the U.S. government is collecting phishing websites and email names to help the public avoid them. Cryptocurrency attacks are also becoming more frequent: only last year, the amount of targeted theft of these digital currencies rose significantly.

How Do Attackers Control A Botnet?

The main feature of botnets is their capacity to receive instructions from their bot herder. This ability to relay commands and communicate with the bots that have breached a system allows attackers to alternate between different attack vectors, alter their target’s IP address, pause an attack, and many other actions. The designs of these botnets can vary, but their main structures for control commonly come in these two categories:

1. Client/Server Structure

This structure mimics the workflow of a conventional workstation, where each machine is connected to the same server (or a number of central servers) to access certain information. This enables each bot to connect to the command-and-control center (or CnC) system where they will receive their instructions.

These repositories of information will issue commands to the botnets, and the attacker can update these commands by simply modifying the source materials that each botnet has. The central system for control can either be a device of the attacker themselves, or it could be a device that’s infected by the attacker’s botnet.

This simple way of updating commands for the botnets through a small number of systems makes the client/server structure vulnerable. That’s mainly because if the command systems are disrupted, all botnets from infected devices will be removed.

Because of this, the individuals who developed botnet malware looked for ways they can improve upon this flawed system with a command server that is much less vulnerable to being disrupted. This new, improved model is called the peer-to-peer structure.

2. Peer-To-Peer Structure

This structure exists in order to circumvent the inherent vulnerabilities of the previous model, with components that use a decentralized form of peer-to-peer file sharing. By embedding control structures in every single botnet, it eliminates the potential for a botnet system to be disrupted by disabling a single point of command.

Aside from their original purpose, peer-to-peer or P2P bots can now become command centers, relaying data by connecting with neighboring nodes.

These botnets will only send and receive information or update their own malware through a limited list of connected systems. This limits the number of systems a botnet will connect to, making it more difficult to track and mitigate them.

The lack of a central command system also has a few drawbacks. For instance, any other user who’s not the botnet’s original creator can control them. Because of this, most botnet programmers encrypt a botnet’s system in order to minimize risks of foreign control.

Can My Device Become A Part Of A Botnet System?

Most internet-capable devices that you own, such as your mobile, can be infiltrated by botnet malware. Any IoT device (a device that can transmit data and connect to a network through wireless means) that has poor security measures can create openings for different botnets to breach and use to bolster their numbers.

IoT devices are becoming more and more commonplace, from our refrigeration units to our television sets, and these devices have the potential capacity to become vectors for botnet attacks.

If the security flaw of an IoT device lies in its hardcoded firmware, then updating it and removing these flaws will prove to be difficult. In order to alleviate some of the risks, obsolete IoT devices need to be updated and then kept in that updated state.

The main problem is that the manufacturers of these devices aren’t incentivized by outside governing bodies to give their creations ample security measures. Without any protection, these devices will remain a risk for botnet malware attacks.

How Can I Protect My Devices From These Kinds Of Attacks?

Here are a few safety measures you can employ to improve the security of your devices:

Make your passwords as secure as possible

Even with the most vulnerable technology, you can reduce its exposure to botnets simply by customizing the administrative settings and creating your own username and password. By creating a secure password, you can reduce the risk of brute-force cracking to zero.

For instance, suppose a Mirai malware-infected device is scanning different IP addresses to search for a corresponding device, and your device responds to its ping request. If you didn’t change the default administrative settings, the bot could easily access your device through its list of default usernames and passwords.

If you added a secure password, the invading bot will skip your device and look for more vulnerable ones. For more advanced systems, you can employ SSH key authentication or use two-factor authentication.

Use Credible Software to Execute Code Through Your Device

If you choose to adopt a whitelist-based software execution model, only applications on your whitelist will be able to run, and other software that is deemed malicious will be removed immediately.

The only way your device can be exploited is through a flaw in your supervisor software, such as a kernel. The security of your device hinges on the protective measures of your kernel, and sadly, most IoT devices don’t have this option available to them.

Periodically Conduct System Restores and System Wipes

Restoring your system back to a good state every so often will eliminate any accumulated botnet software. With this strategy, you can make sure that your system doesn’t have any hidden malware running in the background.

Employ Filtering Practices as Part of Your Safety Checks

A more complex strategy you can use is to apply filtering at your firewalls and network routers. By doing so, you layer the security of your network design, adding a protective measure for any sensitive data or systems that you have.

Anything passing through the boundaries of your filters will be checked. This will increase the chances of catching any malware and their different methods for communication and propagation whenever they enter or leave your network.

If you’re using the services of a network safety provider, they will give you steps that you can follow if you find yourself being targeted by botnet malware. Nowadays, one of the most widespread forms of botnet attacks is a DoS attack.

What are DoS attacks?

A denial-of-service attack is characterized by users being barred from accessing their devices, information systems, and other internet resources because of a cyber-attacker. Online services such as email, online accounts, websites, and many others can be affected: essentially any service that relies on an affected network or computer.

Cybercriminals will flood their target network or host with traffic until it no longer has the capacity to respond. In the worst cases, they keep doing so until it crashes. This prevents legitimate users from accessing their systems. The victims of DoS attacks will spend both money and time fixing the assault on their system, all while their services and resources remain inaccessible for the time being.

DDoS attackers will often leverage botnets as part of their routine to carry out attacks on a large scale. These attackers will take advantage of security flaws and device vulnerabilities to control them using their command software. Once this is done, attackers can command the now infected systems and use them to amplify their DoS attack.

Other attackers can also buy or hire botnets after infecting many devices. These services will allow people who aren’t well-versed in botnet control to conduct their own DDoS attacks.

The number of DDoS attacks is steadily increasing, with more devices becoming a part of the IoT (Internet of Things). Infected devices often remain unnoticed by their owners. Attackers will compromise thousands of these devices without gaining the attention of their owners, and finally, conduct a large-scale attack on their target. Essentially, the owners of these infected systems are becoming a part of the issue.

How Do I Avoid Being A Part Of These Attacks?

Granted, there is no way of being completely safe from DoS attacks, but you can still take these steps to reduce the chances or diminish their effects:

  • Employ the services of a DoS protection provider that detects any abnormal flow of traffic and redirects it away from your system while it is filtered out.
  • Formulate a recovery plan in the event of a disaster to ensure that your network can mitigate the cause and recover much faster.
  • Install antivirus software for your system.
  • Install third-party firewalls and configure their settings to restrict any incoming and outgoing traffic.

How Can I Tell An Attack is Targeting Me?

Here are some symptoms that you can look for if you think that you’re under a DoS attack. They usually resemble availability issues that are normally non-malicious:

  • Network performance is slower than normal (accessing your websites or files)
  • A website being unavailable
  • Suddenly lacking access to many websites

The best method of detecting and identifying an attack is through monitoring and analyzing your network traffic. You can do so through an intrusion detection system or a firewall. If you’re the administrator of a system, you can formulate rules within the structure. These will automatically alert you if your safety measure detects an unusual amount of traffic and begin identifying its source.
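To make the alerting rule above concrete, here is an added example (not part of the original post) that flags a minute whose connection count is far above the recent baseline and names the busiest source addresses. The log format, the threshold and the sample traffic are all constructed assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format (hypothetical): "<ISO timestamp> <source IP> <dest port>"
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$")

def build_sample_log():
    """Constructed traffic: nine quiet minutes, then a burst in minute 10:09."""
    lines = []
    for minute in range(9):
        for i in range(20 + minute % 3):
            lines.append(f"2019-11-26T10:{minute:02d}:{i:02d} 198.51.100.{i % 5 + 1} 443")
    for i in range(600):
        octet = 1 if i % 2 == 0 else i % 7 + 2  # one source dominates the burst
        lines.append(f"2019-11-26T10:09:{i % 60:02d} 203.0.113.{octet} 443")
    return lines

def parse(lines):
    """Return {minute: Counter(source IP -> connections)}, skipping malformed lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        buckets[ts.replace(second=0)][m.group(2)] += 1
    return buckets

def detect(buckets, k=5.0, min_history=5):
    """Alert when a minute exceeds median + k * MAD of the earlier, non-alerting minutes."""
    alerts, history = [], []
    for minute in sorted(buckets):
        total = sum(buckets[minute].values())
        if len(history) >= min_history:
            med = statistics.median(history)
            # Median absolute deviation; fall back to 1 so flat traffic still has a margin.
            mad = statistics.median([abs(x - med) for x in history]) or 1.0
            if total > med + k * mad:
                alerts.append({
                    "minute": minute.isoformat(),
                    "total": total,
                    "baseline": med,
                    "top_sources": buckets[minute].most_common(3),
                })
                continue  # keep the suspicious minute out of the baseline
        history.append(total)
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(alert)
```

The median-based baseline is used here because a single earlier spike does not drag it upward the way a mean would.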

What Do I Do In The Event Of An Attack?

If you believe that your system is currently under attack, the first thing you need to do is to contact the right technical professionals and ask for assistance:

  • Call the administrator of your network because it could be just a service outage and not a DoS attack. If not, they will monitor the traffic of their network and confirm if you’re being attacked. Afterward, they will attempt to find the source and begin mitigating the attack through firewalls and DoS protective services.
  • Call your ISP and ask if they had an outage or someone is attacking their network. If an attack is happening, you might also feel some of its effects. Afterward, they will likely instruct you on the best way to solve your current issues.

Global Internet Risks From Botnets

Spamhaus, an established international non-profit organization dedicated to fighting computer-related crime, shared in their last annual botnet threat report that last year’s attacks mostly used credential stealers, remote access tools (RATs), and coin miners.

Credential Stealers

Two years ago, botnets under this category were already responsible for most botnet traffic. Now, they’re on top of the list. The botnet Loki had risen as the most used botnet in 2018. It doubled in the number of unique botnet attacks in the past year.

On the other hand, there’s “Pony,” which has held the top spot two years running. Oh no, it’s not gone; it is still consistently near the top of the list.

Remote Access Tools (RATs)

Malware under this category increased significantly last year, notably because of the rise of JBifrost, a RAT that is Java-based. Two years ago, JBifrost was already becoming prevalent in the botnet landscape, and last year, its usage grew so much that it held the 2nd spot for the most used botnets in 2018.

Coin Miners

The use of CoinMiners has been steadily increasing since they were first seen last year. Their software stealthily mines cryptocurrencies like Monero and Bitcoin unbeknownst to the actual users of the infected devices. Last year, 83 botnet command servers were identified as CoinMiners.

As a precautionary measure, we advise you to block access to mining pools by default. This way, users who want to access them can choose to opt in, and everyone else remains out.
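The block-by-default, opt-in policy for mining pools can be sketched as follows. This is an added example, not from the original post or from Spamhaus; the pool domains, the opt-in list and the resolver log format are constructed placeholders.

```python
from collections import Counter

# Constructed blocklist and opt-in list: placeholder domains, not real mining pools.
MINING_POOL_DOMAINS = {"pool.example", "xmr.miner-pool.example"}
OPTED_IN_CLIENTS = {"10.0.0.42"}  # hypothetical host whose owner opted in

def matches_pool(qname, blocklist=MINING_POOL_DOMAINS):
    """True if qname is a listed domain or a subdomain of one.

    Matching on whole DNS labels keeps 'notpool.example' from matching 'pool.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def decide(client_ip, qname):
    """Default-deny for mining pools; only opted-in clients are let through."""
    if not matches_pool(qname):
        return "allow"
    return "allow-opt-in" if client_ip in OPTED_IN_CLIENTS else "block"

def review(dns_log):
    """Count blocked pool lookups per client from '<client ip> <query name>' lines."""
    blocked = Counter()
    for line in dns_log:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        if decide(client, qname) == "block":
            blocked[client] += 1
    return blocked

# Constructed resolver log for the demonstration.
SAMPLE_DNS_LOG = [
    "10.0.0.7 www.example.org",
    "10.0.0.7 stratum.pool.example.",
    "10.0.0.7 STRATUM.pool.example",
    "10.0.0.42 pool.example",
    "10.0.0.9 notpool.example",
    "10.0.0.13 eu.xmr.miner-pool.example",
]

if __name__ == "__main__":
    for client, hits in review(SAMPLE_DNS_LOG).most_common():
        print(f"{client}: {hits} blocked mining-pool lookups, check for a coin miner")
```

A client that never opted in but keeps hitting the blocklist is a good candidate for a malware check, since CoinMiners run without the user's knowledge.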

International Botnet Statistics

In 2018, Spamhaus had identified and put a stop to 10,263 malware-related botnet controllers that were hosted on 1,121 networks. Compared to 2017, there is a rise in the number of botnet controllers of up to 8%.

The number of botnet command servers on Spamhaus’ blocklist has risen up to 67%. Many cybercriminals are now focusing on directly stealing the credentials of their victims instead of using phishing methods.

This year, the top 2 hosting countries for botnet command controllers remain the same as 2018’s, where the United States remains at the top, with Russia coming in 2nd, and the Netherlands is replaced by France in 3rd.

Last year the monthly average of new botnet command servers was 519. This year that number has nearly doubled with approximately 1000 botnet command servers. They keep popping up each month, most likely due to fraudulent sign-up scams. The month of June is the only exception to this trend, where there was a moderate decline in new botnets.

For a more detailed description of the latest botnet attacks, see Spamhaus’ latest quarterly report.

Most Prevalent Botnets Used Last Year

According to Spamhaus’ Botnet Threat Report, the following are the most prevalent Botnets of 2018:

  1. Lokibot (Credential Stealer)
  2. JBifrost (Java-based Remote Access Tool)
  3. Pony (Dropper/Credential Stealer)
  4. AZORult (Credential Stealer)
  5. Heodo/Emotet (Dropper/Backdoor)
  6. Gozi (ISFB e-banking Trojan)
  7. NanoCore (Remote Access Tool)
  8. Smoke Loader (Dropper/Backdoor)
  9. TrickBot (e-banking Trojan)
  10. RemcosRAT (Remote Access Tool)
  11. RedAlert (Android Trojan)
  12. NetWire (Remote Access Tool)
  13. AgentTesla (KeyLogger/Remote Access Tool)
  14. Chthonic (e-banking Trojan)
  15. PandaZeuS (e-banking Trojan)
  16. ImminentRat (Remote Access Tool)
  17. Neurevt (e-banking Trojan)
  18. ISRStealer (Credential Stealer)
  19. ArkeiStealer (Credential Stealer)
  20. NjRAT (Remote Access Tool)

What Are Botnets – Conclusion

With the recent rise of cybersecurity threats, we have to arm ourselves with the right resources to combat these attacks. We should also be well aware of the inherent flaws that lie in many of our internet-capable devices. 

Now you have a very good idea about what botnets are and what they’re capable of. Follow everything in this guide and keep your device safe from any possible threat. If you have further questions, you can ask our support team for assistance anytime.
