What is a Botnet

A botnet is a network of internet-connected devices that have been compromised by hackers without the knowledge of the legitimate owners. A botnet is able to control the computers it targets by using a malicious software, after which the computers and devices are used to perform cybercriminal activities such as Distributed Denial of Service (DDoS) attacks, spam emails, and data theft.

A botnet can also be referred to as Zombies. A botnet controller is referred to as a botherder.


A botnet is a combination of the words ‘robot’ and ‘network’. A bot is a malicious software script that is programed to give the botherders control over a computer that has the software installed in it. The infected computer with other infected devices are then organized into a network which the cybercriminal or botherder can remotely access and manage. The computers that comprise of a botnet are usually situated all over the world and could be from a hundred devices to millions of devices connected to the internet.

Most victims to botnets are home-based computers with weak security protocols and ineffective firewalls. Malware like Trojan viruses are usually situated in vulnerable websites which, if accessed by an unsecured digital device, can install the malicious program on the computer. Computers can also fall victims to botnets if their users open email attachments that have malware embedded in them. Once the malware program has been installed to a device, the bots contact the herder through a site or server called the Command-and-Control (C&C) server. Most times, the users don’t know that their computers have been compromised as the programs silently get installed and remain hidden until called to action by their maker. A herder who has access to the C&C server and has garnered enough devices or zombies on the network for the intended attack can send out a single command to the bots now distributed over the world.

Why Use a Botnet? 

A botnet can be used for different reasons. A botherder can intend to use a botnet to carry out a Distributed Denial of Service (DDoS) attack where it uses its zombies to send fake requests and traffic to a host of websites. The traffic received by these sites may be too overwhelming to manage, causing the websites to shut down and be inaccessible to their legitimate users. In 2016, a botnet called Mirai was used to propagate the server of a domain name provider, Dyn. In this case, the botnet comprised of thousands of Internet of Technology (IoT) devices such as webcams, cameras, and DVRs that were connected to the internet. Because Dyn was a host to multiple websites like Amazon and Netflix, when its server was compromised, this also affected the operations of the websites it hosted.

A botnet can also be used to carry out ransomware attacks on individuals and businesses. The infiltrated computers can be used to send out massive spam emails with corrupted attachments to thousands of computer devices. Access to any of these attachments will trigger a ransomware attack where data is encrypted and locked, and which can only be unlocked if the ransom demanded is paid within a specified time period. In 2016, a botnet called Necurs which hosts over 6 million devices on its network carried out a ransomware attack on the Hollywood Presbyterian Medical Center. The hospital’s medical records were released after the hospital paid out $17,000 in Bitcoins.

Botnets can be used to steal sensitive information that is stored on computers. Once data is breached and the information is stolen, the herders can sell this information in underground web marketplaces that transact in illegal commodities.

Botherders with an established network of zombies would sometimes sell access to their botnets to other cybercriminals. The herder can sell the use or temporary access of his botnets or he can sell them outright for a one-time fee.