{{Short description|Collection of compromised internet-connected devices controlled by a third party}}
{{Use dmy dates|date=December 2020}}
[[File:Stachledraht DDos Attack.svg|thumb|[[Stacheldraht]] botnet diagram showing a DDoS attack (Note this is also an example of a type of client–server model of a botnet.)]]
A '''botnet''' is a group of [[Internet]]-connected devices, each of which runs one or more [[Internet bot|bots]]. Botnets can be used to perform [[distributed denial-of-service attack|distributed denial-of-service]] (DDoS) attacks, steal data,<ref>{{cite web|title=Thingbots: The Future of Botnets in the Internet of Things|url=https://securityintelligence.com/thingbots-the-future-of-botnets-in-the-internet-of-things/|website=Security Intelligence|access-date=28 July 2017|date=20 February 2016|archive-date=7 January 2023|archive-url=https://web.archive.org/web/20230107150903/https://securityintelligence.com/thingbots-the-future-of-botnets-in-the-internet-of-things/|url-status=live}}</ref> send [[Spamming|spam]], and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software.<ref>{{Cite web |url= https://www.techopedia.com/definition/384/botnet |title= botnet |access-date= 9 June 2016 |archive-date= 7 January 2023 |archive-url= https://web.archive.org/web/20230107150904/https://www.techopedia.com/definition/384/botnet |url-status= live }}</ref> The word "botnet" is a [[portmanteau]] of the words "[[robot]]" and "[[Computer network|network]]". The term is usually used with a negative or malicious connotation.

==Overview==
A botnet is a logical collection of [[Internet]]-connected devices, such as computers, [[smartphone]]s or [[Internet of things]] (IoT) devices, whose [[Computer security|security]] has been breached and control ceded to a third party.
Each compromised device, known as a "bot", is created when a device is penetrated by software from a ''[[malware]]'' (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based [[network protocol]]s, such as [[IRC]] and [[Hypertext Transfer Protocol]] (HTTP).<ref>{{cite web |url=http://www.sans.org/reading-room/whitepapers/malicious/bots-botnet-overview-1299 |title=Bots &amp; Botnet: An Overview |last=Ramneek |first=Puri |date=2003-08-08 |publisher=[[SANS Institute]] |access-date=12 November 2013 |archive-date=12 July 2015 |archive-url=https://web.archive.org/web/20150712184404/http://www.sans.org/reading-room/whitepapers/malicious/bots-botnet-overview-1299 |url-status=live }}</ref><ref>{{Cite book|last1=Putman|first1=C. G. J.|last2=Abhishta|last3=Nieuwenhuis|first3=L. J. M.|title=2018 26th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP) |chapter=Business Model of a Botnet |date=March 2018|pages=441–445|doi=10.1109/PDP2018.2018.00077|isbn=978-1-5386-4975-6|bibcode=2018arXiv180410848P|arxiv=1804.10848|s2cid=13756969}}</ref> Botnets are increasingly [[Cyber-arms industry#Online|rented out]] by [[Cybercrime|cyber criminals]] as commodities for a variety of purposes,<ref>{{cite news| last1=Danchev| first1=Dancho| title=Novice cyberciminals offer commercial access to five mini botnets| url=http://www.webroot.com/blog/2013/10/11/novice-cyberciminals-offer-commercial-access-5-mini-botnets/| website=Webroot| access-date=28 June 2015| date=11 October 2013| archive-date=1 July 2015| archive-url=https://web.archive.org/web/20150701025356/http://www.webroot.com/blog/2013/10/11/novice-cyberciminals-offer-commercial-access-5-mini-botnets/| url-status=live}}</ref> including as [[booter/stresser]] services.

==Architecture==
Botnet architecture has evolved over time in an effort to evade detection and disruption.
Traditionally, bot programs are constructed as [[Client–server model|clients]] which communicate via existing servers. This allows the '''bot herder''' (the controller of the botnet) to perform all control from a remote location, which obfuscates the traffic.<ref name=":1" /> Many recent botnets now rely on existing [[Peer-to-peer|peer-to-peer networks]] to communicate. These P2P bot programs perform the same actions as the client–server model, but they do not require a central server to communicate.

===Client–server model===
[[File:Server-based-network.svg|thumb|right|250px|A network based on the [[client–server model]], where individual clients request services and resources from centralized servers]]
The first botnets on the Internet used a client–server model to accomplish their tasks.<ref>{{Cite web|title=Botnets: Definition, Types, How They Work|url=https://www.crowdstrike.com/cybersecurity-101/botnets/|access-date=2021-04-18|website=Crowdstrike|language=en|archive-date=10 January 2023|archive-url=https://web.archive.org/web/20230110154909/https://www.crowdstrike.com/cybersecurity-101/botnets/|url-status=live}}</ref> Typically, these botnets operate through [[Internet Relay Chat]] networks, [[Network domain|domains]], or [[website]]s. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder. In the case of [[IRC bot|IRC botnets]], infected clients connect to an infected IRC [[Server (computing)|server]] and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them.
Clients send messages back to the IRC channel with the results of their actions.<ref name=":1">{{Cite book |doi=10.1016/B978-159749135-8/50004-4| title=Botnets| last1=Schiller| first1=Craig A.| last2=Binkley| first2=Jim| last3=Harley| first3=David| last4=Evron| first4=Gadi| last5=Bradley| first5=Tony| last6=Willems| first6=Carsten| last7=Cross| first7=Michael| date=January 1, 2007 |publisher=Syngress| isbn=9781597491358| location=Burlington, Virginia| pages=29–75}}</ref>

===Peer-to-peer===
[[File:P2P-network.svg|thumb|250px|A peer-to-peer (P2P) network in which interconnected nodes ("peers") share resources among each other without the use of a centralized administrative system]]
In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on [[peer-to-peer]] networks. These bots may use [[digital signature]]s so that only someone with access to the private key can control the botnet,<ref name=":0">{{Cite journal | last=Heron| first=Simon| date=April 1, 2007| title=Botnet command and control techniques| journal=Network Security| volume=2007| issue=4| pages=13–16| doi=10.1016/S1353-4858(07)70045-4}}</ref> such as in [[Gameover ZeuS]] and the [[ZeroAccess botnet]]. Newer botnets fully operate over P2P networks.
Rather than communicate with a centralized server, P2P bots act as both a command distribution server and a client which receives commands.<ref>{{cite book|chapter-url=https://books.google.com/books?id=I-9P1EkTkigC&pg=PA335|title=Handbook of Information and Communication Security|publisher=Springer|year=2010|isbn=9783642041174|editor1-first=Mark|editor1-last=Stamp|editor2-first=Peter|editor2-last=Stavroulakis|chapter=Peer-to-peer botnets|first=Ping|last=Wang|access-date=28 July 2016|archive-date=22 June 2024|archive-url=https://web.archive.org/web/20240622185954/https://books.google.com/books?id=I-9P1EkTkigC&pg=PA335#v=onepage&q&f=false|url-status=live}}</ref> This avoids having any single point of failure, which is an issue for centralized botnets. In order to find other infected machines, P2P bots discreetly probe random [[IP address]]es until they identify another infected machine. The contacted bot replies with information such as its software version and its list of known bots. If one bot's version is lower than the other's, they initiate a file transfer to update.<ref name=":0" /> In this way, each bot grows its list of infected machines and updates itself by periodically communicating with all known bots.

==Core components==
A botnet's originator (known as a "[[bot herder]]" or "bot master") controls the botnet remotely. This is known as the command-and-control (C&C). The program for the operation must communicate via a [[covert channel]] to the client on the victim's machine (zombie computer).

===Control protocols===
IRC is a historically favored means of C&C because of its [[List of Internet Relay Chat commands|communication protocol]]. A bot herder creates an IRC channel for infected clients to join. Messages sent to the channel are broadcast to all channel members. The bot herder may set the channel's topic to command the botnet.
For example, the message <code>:herder!herder@example.com TOPIC #channel DDoS www.victim.com</code> from the bot herder alerts all infected clients belonging to #channel to begin a DDoS attack on the website www.victim.com. An example response <code>:bot1!bot1@compromised.net PRIVMSG #channel I am DDoSing www.victim.com</code> by a bot client alerts the bot herder that it has begun the attack.<ref name=":0" /> Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, [[Mega-D]] features a slightly modified [[Simple Mail Transfer Protocol]] (SMTP) implementation for testing spam capability. Bringing down [[Mega-D]]'s SMTP server disables the entire pool of bots that rely upon the same SMTP server.<ref>C.Y. Cho, D. Babic, R. Shin, and D. Song. {{usurped|1=[https://web.archive.org/web/20160924031813/http://www.domagoj-babic.com/index.php/Pubs/CCS10botnets Inference and Analysis of Formal Models of Botnet Command and Control Protocols]}}, 2010 ACM Conference on Computer and Communications Security.</ref>

===Zombie computer===
In [[computer science]], a [[Zombie (computer science)|zombie computer]] is a computer connected to the Internet that has been compromised by a [[hacker]], [[computer virus]] or [[Trojan horse (computing)|trojan horse]] and can be used to perform malicious tasks under remote direction. Botnets of zombie computers are often used to spread [[Email spam|e-mail spam]] and launch distributed [[denial-of-service attack]]s (DDoS). Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to [[zombie]]s. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack.<ref>{{cite web|author=Teresa Dixon Murray|title=Banks can't prevent cyber attacks like those hitting PNC, Key, U.S. Bank this week|url=http://www.cleveland.com/business/index.ssf/2012/09/banks_cant_prevent_cyber_attac.html|publisher=Cleveland.com|access-date=2 September 2014|date=28 September 2012|archive-date=25 July 2015|archive-url=https://web.archive.org/web/20150725071548/http://www.cleveland.com/business/index.ssf/2012/09/banks_cant_prevent_cyber_attac.html|url-status=live}}</ref> The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".<ref>{{cite news|last1=Arntz|first1=Pieter|title=The Facts about Botnets|url=https://blog.malwarebytes.com/cybercrime/2015/02/the-facts-about-botnets/|website=Malwarebytes Labs|access-date=27 May 2017|date=30 March 2016|archive-date=17 July 2017|archive-url=https://web.archive.org/web/20170717100925/https://blog.malwarebytes.com/cybercrime/2015/02/the-facts-about-botnets/|url-status=live}}</ref>

==Command and control==
Botnet command and control (C&C) protocols have been implemented in a number of ways, from traditional IRC approaches to more sophisticated versions.

===Telnet===
[[Telnet]] botnets use a simple C&C botnet protocol in which bots connect to the main command server to host the botnet. Bots are added to the botnet by using a scanning [[Scripting language|script]], which runs on an external server and scans [[Subnetwork|IP ranges]] for telnet and [[Secure Shell|SSH]] server default logins. Once a login is found, the scanning server can infect it through SSH with malware, which pings the control server.

===IRC===
IRC networks use simple, low-bandwidth communication methods, making them widely used to host botnets. They tend to be relatively simple in construction and have been used with moderate success for coordinating DDoS attacks and spam campaigns while being able to continually switch channels to avoid being taken down. However, in some cases, merely blocking certain keywords has proven effective in stopping IRC-based botnets.
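The IRC control exchange described under "Control protocols", seen from the defender's side, as an added example that is not part of the article: a minimal RFC 1459 line parser and the kind of keyword rule the text says has stopped IRC-based botnets. The capture, the keyword list and the hostnames are constructed for the example.

```python
"""Parse RFC 1459 IRC lines and flag channel traffic that matches a
botnet C&C keyword rule.  Added example: the capture below is constructed
and the hostnames in it are placeholders, not real infrastructure."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed capture, modelled on the two example messages in the article
# (bare parameters, as quoted there) plus one ':'-prefixed trailing part.
SAMPLE_CAPTURE = """\
:herder!herder@example.com TOPIC #channel DDoS www.victim.com
:bot1!bot1@compromised.net PRIVMSG #channel I am DDoSing www.victim.com
:bot2!bot2@compromised.net PRIVMSG #channel :flooding www.victim.com now
:alice!alice@example.org PRIVMSG #linux :has anyone tried the new kernel?
PING :irc.example.com
"""

# Keywords a simple IRC-aware filter could block; kept deliberately short.
CNC_KEYWORDS = ("ddos", "flood")


@dataclass
class IrcMessage:
    prefix: Optional[str]           # "nick!user@host" or a server name
    command: str                    # e.g. TOPIC, PRIVMSG, PING
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None  # text after " :", may contain spaces

    @property
    def nick(self) -> Optional[str]:
        return self.prefix.split("!", 1)[0] if self.prefix else None

    @property
    def text(self) -> str:
        """Message body: the trailing part, else the bare params after the target."""
        if self.trailing is not None:
            return self.trailing
        return " ".join(self.params[1:])


def parse_irc_line(line: str) -> IrcMessage:
    """Split one line into prefix, command, middle params and trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("IRC line has no command")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


def flag_cnc_activity(capture: str) -> List[dict]:
    """One finding per TOPIC/PRIVMSG/NOTICE whose body contains a keyword."""
    findings = []
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command not in ("TOPIC", "PRIVMSG", "NOTICE") or not msg.params:
            continue
        body = msg.text.lower()
        hits = [k for k in CNC_KEYWORDS if k in body]
        if hits:
            findings.append({"nick": msg.nick, "command": msg.command,
                             "channel": msg.params[0], "keywords": hits})
    return findings


def channels_by_role(findings: List[dict]) -> Dict[str, Dict[str, set]]:
    """Group hits per channel: who set commanding topics, who answered them."""
    out: Dict[str, Dict[str, set]] = {}
    for f in findings:
        roles = out.setdefault(f["channel"],
                               {"commanders": set(), "responders": set()})
        role = "commanders" if f["command"] == "TOPIC" else "responders"
        roles[role].add(f["nick"])
    return out


if __name__ == "__main__":
    hits = flag_cnc_activity(SAMPLE_CAPTURE)
    for h in hits:
        print(h)
    print(channels_by_role(hits))
```

A channel whose topic setter is one nick and whose keyword-matching replies come from many others is the pattern the text describes; this grouping is what an analyst would pivot on before blocking the server or channel.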
The RFC 1459 ([[Internet Relay Chat|IRC]]) standard is popular with botnets. The first known popular botnet controller script, "MaXiTE Bot", used the IRC XDCC protocol for private control commands. One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions.<ref name=":0" /> To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.<ref>{{Cite book |doi=10.1016/B978-159749135-8/50005-6 |title= Botnets|last1=Schiller |first1=Craig A. |last2= Binkley |first2=Jim |last3=Harley |first3= David | last4=Evron |first4=Gadi |last5= Bradley |first5=Tony |last6=Willems |first6= Carsten |last7= Cross |first7= Michael |chapter= Alternative Botnet C&Cs|date= January 1, 2007 |isbn= 978-159749135-8 |publisher=Syngress|location= Burlington, Virginia |pages= 77–95}}</ref>

===P2P===
Since most botnets using IRC networks and domains can be taken down with time, hackers have moved to P2P botnets with C&C to make the botnet more resilient and resistant to termination. Some have also used [[encryption]] as a way to secure or lock down the botnet from others. Most of the time when they use encryption it is [[public-key cryptography]], which has presented challenges both in implementing it and in breaking it.

===Domains===
Many large botnets tend to use domains rather than IRC in their construction (see [[Rustock botnet]] and [[Srizbi botnet]]).
They are usually hosted with [[bulletproof hosting]] services. This is one of the earliest types of C&C. A zombie computer accesses a specially designed webpage or domain(s) which serves the list of controlling commands. The advantage of using [[web page]]s or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated. Disadvantages of using this method are that it uses a considerable amount of bandwidth at large scale, and domains can be quickly seized by government agencies with little effort. If the domains controlling the botnets are not seized, they are also easy targets to compromise with [[denial-of-service attack]]s. [[Fast flux|Fast-flux DNS]] can be used to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with [[domain generation algorithm]]s being used to create new DNS names for controller servers. Some botnets use free [[Domain Name System|DNS]] hosting services such as [[DynDNS|DynDns.org]], [[No-IP|No-IP.com]], and Afraid.org to point a [[subdomain]] towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.
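Added example, not from the article or any project it names: resolver-log heuristics for the two evasion techniques this section describes, fast-flux hosting (many short-TTL addresses for one name) and DGA-generated names (high-entropy, vowel-poor labels). The log format, domain names and thresholds are constructed for illustration; the IP addresses are RFC 5737 documentation ranges.

```python
"""Heuristics over a DNS resolver log for fast-flux hosting and
DGA-like names.  Added example: the log lines, domains and thresholds
below are constructed and must be tuned against real baseline traffic."""
import math
import re
from collections import defaultdict
from typing import Dict

# Constructed resolver log: one answer record per line.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00 client=10.0.0.5 qname=cdn.example-shop.com rdata=192.0.2.50 ttl=3600
2024-01-01T10:05:00 client=10.0.0.6 qname=cdn.example-shop.com rdata=192.0.2.51 ttl=3600
2024-01-01T10:00:10 client=10.0.0.7 qname=fluxhost-test.net rdata=192.0.2.10 ttl=60
2024-01-01T10:01:10 client=10.0.0.7 qname=fluxhost-test.net rdata=198.51.100.7 ttl=60
2024-01-01T10:02:10 client=10.0.0.7 qname=fluxhost-test.net rdata=203.0.113.5 ttl=60
2024-01-01T10:03:10 client=10.0.0.8 qname=fluxhost-test.net rdata=192.0.2.77 ttl=60
2024-01-01T10:04:10 client=10.0.0.8 qname=fluxhost-test.net rdata=198.51.100.200 ttl=60
2024-01-01T10:05:10 client=10.0.0.8 qname=fluxhost-test.net rdata=203.0.113.90 ttl=60
2024-01-01T10:06:00 client=10.0.0.9 qname=xk7q9v2mzt4bwp.info rdata=203.0.113.5 ttl=300
"""

LOG_RE = re.compile(r"qname=(?P<qname>\S+) rdata=(?P<ip>\S+) ttl=(?P<ttl>\d+)")

# Illustrative thresholds (assumptions, not published values).
FLUX_MIN_IPS = 5          # distinct A records seen for one name
FLUX_MIN_PREFIXES = 3     # distinct /16 prefixes those addresses span
FLUX_MAX_TTL = 300        # seconds; fast-flux records rotate quickly
DGA_MIN_ENTROPY = 3.5     # bits per character of the registered label
DGA_MAX_VOWEL_RATIO = 0.2


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_label(qname: str) -> str:
    """Second-level label, e.g. 'example-shop' from 'cdn.example-shop.com'.
    Assumes a one-label public suffix; a real tool would consult the PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(qname: str) -> bool:
    """High entropy plus few vowels is the classic DGA signature."""
    label = registered_label(qname)
    vowels = sum(label.count(v) for v in "aeiou")
    return (shannon_entropy(label) >= DGA_MIN_ENTROPY
            and vowels / len(label) < DGA_MAX_VOWEL_RATIO)


def analyze_dns_log(log: str) -> Dict[str, dict]:
    """Per query name: fast-flux and DGA indicators derived from the log."""
    ips = defaultdict(set)
    max_ttl: Dict[str, int] = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip unparsable lines rather than abort the run
        name, ip, ttl = m["qname"].lower(), m["ip"], int(m["ttl"])
        ips[name].add(ip)
        max_ttl[name] = max(max_ttl.get(name, 0), ttl)
    report = {}
    for name, addrs in ips.items():
        prefixes = {".".join(ip.split(".")[:2]) for ip in addrs}  # /16 buckets
        report[name] = {
            "distinct_ips": len(addrs),
            "distinct_prefixes": len(prefixes),
            "max_ttl": max_ttl[name],
            "fast_flux": (len(addrs) >= FLUX_MIN_IPS
                          and len(prefixes) >= FLUX_MIN_PREFIXES
                          and max_ttl[name] <= FLUX_MAX_TTL),
            "dga_like": is_dga_like(name),
        }
    return report


if __name__ == "__main__":
    for name, facts in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(name, facts)
```

Both indicators produce false positives on their own (CDNs rotate addresses, some brands have odd names), so they are triage signals to combine with the hard-coded rendezvous names the text mentions, not block rules.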
===Others===
Calling back to popular sites<ref>{{cite web|last1=Zeltser|first1=Lenny|title=When Bots Use Social Media for Command and Control|url=https://zeltser.com/bots-command-and-control-via-social-media/|website=zeltser.com|access-date=27 May 2017|archive-date=7 October 2017|archive-url=https://web.archive.org/web/20171007221426/https://zeltser.com/bots-command-and-control-via-social-media/|url-status=live}}</ref> such as [[GitHub]],<ref>{{Cite news|url=https://www.zdnet.com/article/hammertoss-russian-hackers-target-the-cloud-twitter-github-in-malware-spread/|title=Hammertoss: Russian hackers target the cloud, Twitter, GitHub in malware spread|last=Osborne|first=Charlie|work=ZDNet|access-date=7 October 2017|archive-date=18 February 2017|archive-url=https://web.archive.org/web/20170218061944/http://www.zdnet.com/article/hammertoss-russian-hackers-target-the-cloud-twitter-github-in-malware-spread/|url-status=live}}</ref> [[Twitter]],<ref>{{cite magazine|last1=Singel|first1=Ryan|title=Hackers Use Twitter to Control Botnet|url=https://www.wired.com/2009/08/botnet-tweets/|magazine=[[Wired (magazine)|Wired]]|access-date=27 May 2017|date=13 August 2009|archive-date=7 October 2017|archive-url=https://web.archive.org/web/20171007221457/https://www.wired.com/2009/08/botnet-tweets/|url-status=live}}</ref><ref>{{cite news|title=First Twitter-controlled Android botnet discovered|url=https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/|access-date=27 May 2017|date=24 August 2016|archive-date=3 July 2017|archive-url=https://web.archive.org/web/20170703095215/https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/|url-status=live}}</ref> [[Reddit]],<ref>{{cite news |last1=Gallagher |first1=Sean |date=3 October 2014 |title=Reddit-powered botnet infected thousands of Macs worldwide |url=https://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/ |access-date=27 May 2017 |magazine=[[Ars Technica]] |archive-date=23 April 2017 |archive-url=https://web.archive.org/web/20170423230321/https://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/ |url-status=live }}</ref> [[Instagram]],<ref>{{cite news|last1=Cimpanu|first1=Catalin|title=Russian State Hackers Use Britney Spears Instagram Posts to Control Malware|url=https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/|website=Bleeping Computer|access-date=8 June 2017|date=6 June 2017|archive-date=8 June 2017|archive-url=https://web.archive.org/web/20170608094128/https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/|url-status=live}}</ref> the [[XMPP]] open source instant message protocol<ref>{{cite news|last1=Dorais-Joncas|first1=Alexis|title=Walking through Win32/Jabberbot.A instant messaging C&C|url=https://www.welivesecurity.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc/|access-date=27 May 2017|date=30 January 2013|archive-date=2 June 2017|archive-url=https://web.archive.org/web/20170602205712/https://www.welivesecurity.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc/|url-status=live}}</ref> and [[Tor (anonymity network)|Tor]] [[.onion|hidden services]]<ref>{{cite news|last1=Constantin|first1=Lucian|title=Cybercriminals are using the Tor network to control their botnets|url=http://www.pcworld.com/article/2045183/cybercriminals-increasingly-use-the-tor-network-to-control-their-botnets-researchers-say.html|magazine=[[PC World]]|access-date=27 May 2017|date=25 July 2013|archive-date=3 August 2017|archive-url=https://web.archive.org/web/20170803064226/http://www.pcworld.com/article/2045183/cybercriminals-increasingly-use-the-tor-network-to-control-their-botnets-researchers-say.html|url-status=live}}</ref> are popular ways of avoiding [[egress filtering]] to communicate with a C&C server.<ref>{{cite web|title=Cisco ASA Botnet Traffic Filter Guide|url=https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html|access-date=27 May 2017|archive-date=25 May 2017|archive-url=https://web.archive.org/web/20170525185701/http://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html|url-status=live}}</ref>

==Construction==
===Traditional===
This example illustrates how a botnet is created and used for malicious gain.
# A hacker purchases or builds a Trojan and/or exploit kit and uses it to start infecting users' computers, whose payload is a malicious application, the ''bot''.
# The ''bot'' instructs the infected PC to connect to a particular command-and-control (C&C) server. (This allows the botmaster to keep logs of how many bots are active and online.)
# The botmaster may then use the bots to gather keystrokes or use form grabbing to steal online credentials, and may rent out the botnet as DDoS and/or spam as a service or sell the credentials online for a profit.
# Depending on the quality and capability of the bots, the value is increased or decreased.
Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.<ref>{{Cite magazine |last=Berinato |first=Scott |date=November 2006 |title=Attack of the Bots |url=https://archive.wired.com/wired/archive/14.11/botnet.html |url-status=dead |archive-url=https://web.archive.org/web/20140714120508/https://archive.wired.com/wired/archive/14.11/botnet.html |archive-date=July 14, 2014 |magazine=[[Wired (magazine)|Wired]]}}</ref>

Computers can be co-opted into a botnet when they execute malicious software.
This can be accomplished by luring users into making a [[drive-by download]], exploiting [[browser exploit|web browser vulnerabilities]], or by tricking the user into running a [[Trojan horse (computing)|Trojan horse]] program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it will call home (send a reconnection [[Network packet|packet]]) to the host computer. When the reconnection is made, depending on how it is written, a Trojan may then delete itself or may remain present to update and maintain the modules.

===Others===
In some cases, a botnet may be temporarily created by volunteer [[Hacktivism|hacktivist]]s, such as with implementations of the [[Low Orbit Ion Cannon]] as used by [[4chan]] members during [[Project Chanology]] in 2010.<ref>{{cite web |last=Norton |first=Quinn |url=https://www.wired.com/threatlevel/2011/12/anonymous-101-part-deux/3/ |title=Anonymous 101 Part Deux: Morals Triumph Over Lulz |publisher=Wired.com |date=2012-01-01 |access-date=2013-11-22 |archive-date=2 February 2013 |archive-url=https://web.archive.org/web/20130202151950/http://www.wired.com/threatlevel/2011/12/anonymous-101-part-deux/3/ |url-status=live }}</ref> China's [[Great Cannon|Great Cannon of China]] allows the modification of legitimate web browsing traffic at [[internet backbone]]s into China to create a large ephemeral botnet to attack large targets such as [[GitHub]] in 2015.<ref name="WSP-China-Deploys-New-Weapon-Online-Censorship-Great-Cannon">{{cite news | url=https://www.washingtonpost.com/blogs/the-switch/wp/2015/04/10/china-escalates-censorship-efforts-with-debut-of-offensive-cyber-weapon-researchers-say/ | title=China deploys new weapon for online censorship in form of 'Great Cannon' | newspaper=The Washington Post | date=10 April 2015 | access-date=10 April 2015 | author=Peterson, Andrea | archive-date=17 April 2015 | archive-url=https://web.archive.org/web/20150417191136/http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/10/china-escalates-censorship-efforts-with-debut-of-offensive-cyber-weapon-researchers-say/ | url-status=live }}</ref>

==Common uses==
* [[Denial-of-service attack|Distributed denial-of-service attacks]] are one of the most common uses for botnets, in which multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim's server. The victim's server is bombarded with connection requests from the bots, which overloads it. [[Google]] fraud czar [[Shuman Ghosemajumder]] has said that these types of attacks causing outages on major websites will continue to occur regularly due to the use of botnets as a service.<ref>{{Cite web |date=2016-10-24 |title=Here's why massive website outages will continue happening |url=https://www.vox.com/2016/10/24/13393922/ddos-attack-denial-service-cybercriminals-hackers |access-date=2022-07-31 |website=Vox |language=en |archive-date=10 October 2022 |archive-url=https://web.archive.org/web/20221010183252/https://www.vox.com/2016/10/24/13393922/ddos-attack-denial-service-cybercriminals-hackers |url-status=live }}</ref>
* [[Spyware]] is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.<ref>{{cite web|url=http://www.damballa.com/research/aurora/ |title=Operation Aurora — The Command Structure |publisher=Damballa.com |access-date=30 July 2010 |url-status=dead |archive-url=https://web.archive.org/web/20100611140112/http://www.damballa.com/research/aurora/ |archive-date=11 June 2010 }}</ref>
* [[E-mail spam]] consists of e-mail messages disguised as messages from people, but which are either advertising, annoying, or malicious.
* [[Click fraud]] occurs when the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.<ref>{{cite news|last1=Edwards|first1=Jim|title=This Is What It Looks Like When A Click-Fraud Botnet Secretly Controls Your Web Browser|url=https://www.businessinsider.com/this-is-what-it-looks-like-when-a-click-fraud-botnet-secretly-controls-your-web-browser-2013-11|access-date=27 May 2017|date=27 November 2013|archive-date=23 July 2017|archive-url=https://web.archive.org/web/20170723021027/http://uk.businessinsider.com/this-is-what-it-looks-like-when-a-click-fraud-botnet-secretly-controls-your-web-browser-2013-11|url-status=live}}</ref>
* [[Ad fraud]] is often a consequence of malicious bot activity, according to CHEQ, Ad Fraud 2019, The Economic Cost of Bad Actors on the Internet.<ref>{{cite web|url=https://www.ftc.gov/system/files/documents/reports/social-media-bots-advertising-ftc-report-congress/socialmediabotsreport.pdf|title=Social Media Bots and Deceptive Advertising|author=FTC|access-date=26 July 2020|archive-date=22 June 2024|archive-url=https://web.archive.org/web/20240622185935/https://www.ftc.gov/system/files/documents/reports/social-media-bots-advertising-ftc-report-congress/socialmediabotsreport.pdf|url-status=live}}</ref> Commercial purposes of bots include influencers using them to boost their supposed popularity, and online publishers using bots to increase the number of clicks an ad receives, allowing sites to earn more commission from advertisers.
* [[Credential stuffing]] attacks use botnets to log in to many user accounts with stolen passwords, such as in the attack against General Motors in 2022.<ref>{{Cite web |last=Burt |first=Jeff |title=Credential-stuffing attack on GM exposes car owners' data |url=https://www.theregister.com/2022/05/25/gm-credential-stuffing-attack/ |access-date=2022-07-31 |website=www.theregister.com |language=en |archive-date=31 July 2022 |archive-url=https://web.archive.org/web/20220731225421/https://www.theregister.com/2022/05/25/gm-credential-stuffing-attack/ |url-status=live }}</ref>
* [[Bitcoin]] mining has been included as a feature in some of the more recent botnets in order to generate profits for the operator of the botnet.<ref>{{cite news|last1=Nichols|first1=Shaun|title=Got a botnet? Thinking of using it to mine Bitcoin? Don't bother|url=https://www.theregister.co.uk/2014/06/24/bad_news_malware_infections_are_mining_bitcoin_good_news_theyre_not_making_any_money/|access-date=27 May 2017|date=24 June 2014|archive-date=14 September 2017|archive-url=https://web.archive.org/web/20170914122708/https://www.theregister.co.uk/2014/06/24/bad_news_malware_infections_are_mining_bitcoin_good_news_theyre_not_making_any_money/|url-status=live}}</ref><ref>{{cite web |url=https://www.bitcoinmining.com/ |title=Bitcoin Mining |publisher=BitcoinMining.com |access-date=30 April 2016 |url-status=bot: unknown |archive-url=https://web.archive.org/web/20160419183054/https://www.bitcoinmining.com/ |archive-date=19 April 2016 }}</ref>
* Self-spreading functionality, in which bots seek out the target devices or networks named in instructions pushed from the command-and-control (C&C) server in order to spread the infection further, has also been spotted in several botnets. Some botnets use this function to automate their infections.
==Market==
The botnet controller community constantly competes over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.<ref>{{cite web|title=Trojan horse, and Virus FAQ|url=http://www.dslreports.com/faq/trojans/1.0_Trojan_horses|publisher=DSLReports|access-date=7 April 2011|archive-date=20 October 2012|archive-url=https://web.archive.org/web/20121020212730/http://www.dslreports.com/faq/trojans/1.0_Trojan_horses|url-status=live}}</ref> While botnets are often named after the malware that created them, multiple botnets typically use the same malware but are operated by different entities.<ref>[https://www.damballa.com/downloads/d_pubs/WP%20Many-to-Many%20Botnet%20Relationships%20%282009-05-21%29.pdf Many-to-Many Botnet Relationships] {{Webarchive|url=https://web.archive.org/web/20160304032808/https://www.damballa.com/downloads/d_pubs/WP%20Many-to-Many%20Botnet%20Relationships%20(2009-05-21).pdf |date=4 March 2016 }}, ''Damballa'', 8 June 2009.</ref>

==Phishing==
Botnets can be used for many electronic scams. These botnets can be used to distribute malware such as viruses to take control of a regular user's computer or software.<ref>{{Cite web|url=https://www.honeynet.org/node/52|title=Uses of botnets {{!}} The Honeynet Project|website=www.honeynet.org|access-date=2019-03-24|archive-date=20 March 2019|archive-url=https://web.archive.org/web/20190320193342/https://www.honeynet.org/node/52|url-status=dead}}</ref> By taking control of someone's personal computer, they have unlimited access to their personal information, including passwords and login information to accounts. This is called [[phishing]]. Phishing is the acquiring of login information to the "victim's" accounts with a link the "victim" clicks on that is sent through an email or text.<ref>{{Cite web|url=https://searchsecurity.techtarget.com/definition/phishing|title=What is phishing? - Definition from WhatIs.com|website=SearchSecurity|language=en|access-date=2019-03-24|archive-date=24 March 2019|archive-url=https://web.archive.org/web/20190324185238/https://searchsecurity.techtarget.com/definition/phishing|url-status=live}}</ref> A survey by [[Verizon]] found that around two-thirds of electronic "espionage" cases come from phishing.<ref>{{Cite web|url=https://gizmodo.com/the-number-of-people-who-fall-for-phishing-emails-is-st-1697725476|title=The Number of People Who Fall for Phishing Emails Is Staggering|last=Aguilar|first=Mario|website=Gizmodo|date=14 April 2015|language=en-US|access-date=2019-03-24|archive-date=24 March 2019|archive-url=https://web.archive.org/web/20190324183857/https://gizmodo.com/the-number-of-people-who-fall-for-phishing-emails-is-st-1697725476|url-status=live}}</ref>

==Countermeasures==
The geographic dispersal of botnets means that each recruit must be individually identified, corralled and repaired, which limits the benefits of [[firewall (networking)|filtering]].
Computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself.<ref>{{Cite web|url=http://vhosts.eecs.umich.edu/fjgroup//botnets/|title=Detecting and Dismantling Botnet Command and Control Infrastructure using Behavioral Profilers and Bot Informants|website=vhosts.eecs.umich.edu}}</ref><ref>{{cite web|url=https://www.cs.ucsb.edu/~chris/research/doc/acsac12_disclosure.pdf|title=DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis|publisher=ACM|work=Annual Computer Security Applications Conference|date=Dec 2012|access-date=16 June 2017|archive-date=4 March 2016|archive-url=https://web.archive.org/web/20160304055119/https://www.cs.ucsb.edu/~chris/research/doc/acsac12_disclosure.pdf|url-status=live}}</ref><ref>{{cite conference|citeseerx = 10.1.1.110.8092|title=BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic|date=2008|conference=Proceedings of the 15th Annual Network and Distributed System Security Symposium}}</ref> In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as [[IRC]] or [[Tor (anonymity network)|Tor]], using [[peer-to-peer networking]] systems that are not dependent on any fixed servers, and using [[public key encryption]] to defeat attempts to break into or spoof the network.<ref>{{Cite web|title=IRCHelp.org – Privacy on IRC|url=http://www.irchelp.org/security/privacy.html|access-date=2020-11-21|website=www.irchelp.org|archive-date=22 June 2024|archive-url=https://web.archive.org/web/20240622190003/https://www.irchelp.org/security/privacy.html|url-status=live}}</ref> [[Norton AntiBot]] was aimed at consumers, but 
most such products target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional [[anti-virus software]]. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing DNS entries, or completely shutting down IRC servers.

[[BotHunter]] is software, developed with support from the [[U.S. Army Research Office]], that detects botnet activity within a network by analyzing network traffic and comparing it to patterns characteristic of malicious processes.

Researchers at [[Sandia National Laboratories]] are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as [[virtual machines]] on a 4,480-node high-performance [[computer cluster]] to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.<ref>{{cite web |url=https://www.eweek.com/security/researchers-boot-million-linux-kernels-to-help-botnet-research/ |title=Researchers Boot Million Linux Kernels to Help Botnet Research |publisher=IT Security & Network Security News |date=2009-08-12 |access-date=16 August 2024 }}</ref>

Detecting automated bots becomes more difficult as newer and more sophisticated generations of bots are launched by attackers. For example, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to break into accounts.
The idea is to overwhelm sites with tens of thousands of requests from different IPs all over the world, but with each bot only submitting a single request every 10 minutes or so, which can result in more than 5 million attempts per day.<ref>{{cite web |url=https://www.darkreading.com/endpoint/brute-force-botnet-attacks-now-elude-volumetric-detection/a/d-id/1327742 |title=Brute-Force Botnet Attacks Now Elude Volumetric Detection |publisher=DARKReading from [[Information Week]] |date=2016-12-19 |access-date=14 November 2017 |archive-date=14 November 2017 |archive-url=https://web.archive.org/web/20171114202538/https://www.darkreading.com/endpoint/brute-force-botnet-attacks-now-elude-volumetric-detection/a/d-id/1327742 |url-status=live }}</ref> In these cases, many tools rely on volumetric detection, but automated bot attacks now have ways of staying below its triggers. One technique for detecting these bot attacks is the use of "signature-based systems", in which the software attempts to detect patterns in the request packets. However, attacks are constantly evolving, so this may not be a viable option when patterns cannot be discerned from thousands of requests. There is also the behavioral approach to thwarting bots, which ultimately tries to distinguish bots from humans. By identifying non-human behavior and recognizing known bot behavior, this process can be applied at the user, browser, and network levels. The most capable software-based method of combating such malware has been to use [[Honeypot (computing)|honeypot]] software to convince the malware that a system is vulnerable; the malicious files are then analyzed using forensic software.
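The low-and-slow pattern described above can be made concrete with a small detection example. The following Python script is an added illustration, not code from this article or from any product it mentions; the log lines, the IP addresses (taken from the RFC 5737 documentation ranges), the account names and the thresholds are all constructed for the example. It runs a per-source volumetric rule and a per-account distinct-source rule over the same constructed login log and shows that only the second rule flags the distributed attempt, while the first only catches a single noisy source.

```python
"""Added example: why per-IP volumetric thresholds miss low-and-slow credential
stuffing, and how aggregating by target account catches it.

All log lines, IP addresses (RFC 5737 documentation ranges), account names and
thresholds below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_constructed_log():
    """Return constructed login records: '<ISO timestamp> <source ip> <account> <result>'."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # 60 bots, each trying the account 'alice' once every 10 minutes for an hour.
    # From any single source the rate is tiny; across sources it is 360 failures.
    for i in range(60):
        ip = f"203.0.113.{i + 1}"
        for k in range(6):
            ts = base + timedelta(minutes=10 * k, seconds=i)
            lines.append(f"{ts.isoformat()} {ip} alice FAIL")
    # One noisy single-source brute force against 'bob': 20 failures in a minute.
    for k in range(20):
        ts = base + timedelta(seconds=3 * k)
        lines.append(f"{ts.isoformat()} 198.51.100.7 bob FAIL")
    # A legitimate user who mistypes once and then logs in.
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 192.0.2.44 carol FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 192.0.2.44 carol OK")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def volumetric_per_ip(events, window=timedelta(minutes=5), threshold=10):
    """Classic volumetric rule: flag a source IP with >= threshold failures
    inside any sliding window. Returns the set of flagged IPs."""
    failures = defaultdict(list)
    for ts, ip, _account, result in events:
        if result == "FAIL":
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_per_account(events, window=timedelta(hours=1), min_sources=20):
    """Aggregate by target account instead of by source: flag an account that
    receives failures from >= min_sources distinct IPs inside any sliding
    window. Returns {account: peak number of distinct sources in one window}."""
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures[account].append((ts, ip))
    flagged = {}
    for account, attempts in failures.items():
        attempts.sort()
        start = 0
        peak = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in attempts[start:end + 1]}))
        if peak >= min_sources:
            flagged[account] = peak
    return flagged


def analyze(log_lines):
    """Run both rules over the same log and return their verdicts side by side."""
    events = [parse_line(line) for line in log_lines]
    return {
        "per_ip": volumetric_per_ip(events),
        "per_account": distributed_per_account(events),
    }


if __name__ == "__main__":
    verdicts = analyze(build_constructed_log())
    print("per-IP volumetric rule flagged:", sorted(verdicts["per_ip"]))
    print("per-account distinct-source rule flagged:", verdicts["per_account"])
```

The per-IP rule sees at most one failure per source in any five-minute window and therefore never fires for the 60 bots, while the per-account rule counts 60 distinct sources failing against one account within an hour. In practice the two rules complement each other: the first catches a single aggressive source, the second catches the distributed case this section describes.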
On 15 July 2014, the Subcommittee on Crime and Terrorism of the Committee on the Judiciary,<ref>{{Cite web |title=Subcommittee on Crime and Terrorism {{!}} United States Senate Committee on the Judiciary |url=https://www.judiciary.senate.gov/about/subcommittees/subcommittee-on-crime-and-terrorism |access-date=2022-12-11 |website=www.judiciary.senate.gov |language=en |archive-date=11 December 2022 |archive-url=https://web.archive.org/web/20221211154024/https://www.judiciary.senate.gov/about/subcommittees/subcommittee-on-crime-and-terrorism |url-status=live }}</ref> [[United States Senate]], held a hearing on the threats posed by botnets and the public and private efforts to disrupt and dismantle them.<ref>{{cite book |last1=United States. Congress. Senate. Committee on the Judiciary. Subcommittee on Crime and Terrorism |title=Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks: Hearing before the Subcommittee on Crime and Terrorism of the Committee on the Judiciary, United States Senate, One Hundred Thirteenth Congress, Second Session, July 15, 2014 |date=2018 |publisher=U.S. Government Publishing Office |location=Washington, DC |url=https://purl.fdlp.gov/GPO/gpo110983 |access-date=18 November 2018 |archive-date=22 June 2024 |archive-url=https://web.archive.org/web/20240622190005/https://purl.fdlp.gov/GPO/gpo110983 |url-status=live }}</ref>

The rise in vulnerable IoT devices has led to an increase in IoT-based botnet attacks. To address this, a network-based anomaly detection method for IoT called N-BaIoT was introduced. It captures snapshots of network behavior and employs deep autoencoders to identify abnormal traffic from compromised IoT devices.
The method was tested by infecting nine IoT devices with Mirai and BASHLITE botnets, showing its ability to accurately and promptly detect attacks originating from compromised IoT devices within a botnet.<ref>{{Cite journal |last=Meidan |first=Yair |date=2018 |title=N-BaIoT-Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders |journal=IEEE Pervasive Computing |volume=17 |issue=3 |pages=12–22|doi=10.1109/MPRV.2018.03367731 |arxiv=1805.03409 |s2cid=13677639 }}</ref> Systematic comparison of different botnet detection methods also allows researchers to evaluate the methods fairly against one another and to identify how they can be improved.<ref>{{Cite journal |last1=García |first1=S. |last2=Grill |first2=M. |last3=Stiborek |first3=J. |last4=Zunino |first4=A. |date=2014-09-01 |title=An empirical comparison of botnet detection methods |url=https://www.sciencedirect.com/science/article/pii/S0167404814000923 |journal=Computers & Security |volume=45 |pages=100–123 |doi=10.1016/j.cose.2014.05.011 |issn=0167-4048 |hdl=11336/6772 |hdl-access=free |access-date=8 December 2023 |archive-date=9 December 2022 |archive-url=https://web.archive.org/web/20221209131230/https://www.sciencedirect.com/science/article/pii/S0167404814000923 |url-status=live }}</ref>

==Historical list of botnets==
The first botnet was acknowledged and exposed by [[EarthLink]] during a lawsuit with notorious spammer Khan C. Smith<ref>{{cite web|last=Credeur|first=Mary|title=Atlanta Business Chronicle, Staff Writer|url=http://www.bizjournals.com/atlanta/stories/2002/07/22/story4.html?page=all|publisher=bizjournals.com|access-date=22 July 2002|archive-date=22 March 2019|archive-url=https://web.archive.org/web/20190322141415/https://www.bizjournals.com/atlanta/stories/2002/07/22/story4.html?page=all|url-status=live}}</ref> in 2001.
The botnet was constructed for the purpose of bulk spam, and accounted for nearly 25% of all spam at the time.<ref name="Mary Jane Credeur">{{cite web | url=https://www.bizjournals.com/atlanta/stories/2002/07/22/story4.html | title=EarthLink wins $25 million lawsuit against junk e-mailer | date=22 July 2002 | access-date=10 December 2018 | author=Mary Jane Credeur | archive-date=23 March 2019 | archive-url=https://web.archive.org/web/20190323132359/https://www.bizjournals.com/atlanta/stories/2002/07/22/story4.html | url-status=live }}</ref> Around 2006, to thwart detection, some botnets were scaling back in size.<ref>{{Cite journal |url=http://www.computer.org/csdl/mags/co/2006/04/r4017.pdf |volume=39 |issue=4 |pages=17–19 |date=April 2006 |doi=10.1109/MC.2006.136 |quote=The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs. The average botnet size is now about 20,000 computers, he said. |last1=Paulson |first1=L.D. |title=News Briefs: Hackers Strengthen Malicious Botnets by Shrinking Them |journal=Computer |s2cid=10312905 |access-date=12 November 2013 |archive-date=12 November 2013 |archive-url=https://web.archive.org/web/20131112144926/http://www.computer.org/csdl/mags/co/2006/04/r4017.pdf |url-status=live }}</ref>

The following is a non-exhaustive list of some historical botnets.

{| class="wikitable sortable"
|-
! Date created
! Date dismantled
! Name
! data-sort-type="number" | Estimated no. of bots
! data-sort-type="number" | Spam capacity (bn/day)
! Aliases
|- style="display:none;"
|1999||!a||999,999,999||100000||!a
|-
| 2002
|
| MaXiTE
| 500-1000 servers
| 0
| MaXiTE XDCC Bot, MaXiTE IRC TCL Script, MaxServ
|-
| Unknown<ref name="cuevas2015"/> (no later than 2004<ref name="Ogu2019">{{cite journal |title=A Botnets Circumspection: The Current Threat Landscape, and What We Know So Far |last1=Ogu |first1=Emmanuel C. |last2=Ojesanmi |first2=Olusegun A.
|last3=Awodele |first3=Oludele |last4=Kuyoro |first4=‘Shade |journal=Information |date=2019 |volume=10 |issue=11 |doi=10.3390/info10110337 |doi-access=free |url=https://www.mdpi.com/2078-2489/10/11/337 |access-date=7 April 2025 }}</ref>)
|
| Marina Botnet
| 6,215,000<ref name="cuevas2015">{{cite web |last1=Cuevas |first1=Alejandro |title=Botnets: Zombies, Spam, and Attacks |url=http://sites.psu.edu/psucybersecuritycuevas/2015/02/18/botnets-zombies-spam-and-attacks/ |url-status=dead |archive-url=https://web.archive.org/web/20150612121032/http://sites.psu.edu/psucybersecuritycuevas/2015/02/18/botnets-zombies-spam-and-attacks/ |archive-date=12 June 2015 |date=18 February 2015}}</ref>
| 92
|
|-
|
|
| [[Torpig]]
| 180,000<ref name=scmagazineus>{{cite web|author=Chuck Miller |url=http://www.scmagazine.com/researchers-hijack-control-of-torpig-botnet/article/136207/ |title=Researchers hijack control of Torpig botnet |publisher=SC Magazine US |date=2009-05-05 |access-date=7 November 2011 |archive-url=https://web.archive.org/web/20071224115139/http://tech.blorge.com/Structure:%20/2007/10/21/2483/ |archive-date=24 December 2007 |url-status=dead}}</ref>
|
| Sinowal, Anserin
|-
|
|
| [[Storm botnet|Storm]]
| 160,000<ref>{{cite web |url=http://tech.blorge.com/Structure:%20/2007/10/21/2483/ |title=Storm Worm network shrinks to about one-tenth of its former size |publisher=Tech.Blorge.Com |date=2007-10-21 |access-date=30 July 2010 |archive-url=https://web.archive.org/web/20071224115139/http://tech.blorge.com/Structure:%20/2007/10/21/2483/ |archive-date=24 December 2007 |url-status=dead}}</ref>
| 3
| Nuwar, Peacomm, Zhelatin
|-
| 2006 (around)
| 2011 (March)
| [[Rustock botnet|Rustock]]
| 150,000<ref>{{cite web |author=Chuck Miller |url=http://www.scmagazine.com/the-rustock-botnet-spams-again/article/112940/ |title=The Rustock botnet spams again |publisher=SC Magazine US |date=2008-07-25 |access-date=30 July 2010 |archive-date=4 April 2016
|archive-url=https://web.archive.org/web/20160404181502/http://www.scmagazine.com/the-rustock-botnet-spams-again/article/112940/ |url-status=dead }}</ref>
| 30
| RKRustok, Costrat
|-
|
|
| [[Donbot botnet|Donbot]]
| 125,000<ref>{{cite web|last1=Stewart|first1=Joe|title=Spam Botnets to Watch in 2009|url=https://www.secureworks.com/research/botnets2009|website=Secureworks.com|date=13 January 2009|publisher=SecureWorks|access-date=9 March 2016|archive-date=5 March 2016|archive-url=https://web.archive.org/web/20160305043334/https://www.secureworks.com/research/botnets2009|url-status=live}}</ref>
| 0.8
| Buzus, Bachsoy
|-
| 2007 (around)
|
| [[Cutwail botnet|Cutwail]]
| 1,500,000<ref>{{cite web |url=http://msmvps.com/blogs/harrywaldron/archive/2010/02/02/pushdo-botnet-new-ddos-attacks-on-major-web-sites.aspx |title=Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security |publisher=Msmvps.com |date=2010-02-02 |access-date=30 July 2010 |url-status=dead |archive-url=https://web.archive.org/web/20100816044216/http://msmvps.com/blogs/harrywaldron/archive/2010/02/02/pushdo-botnet-new-ddos-attacks-on-major-web-sites.aspx |archive-date=16 August 2010}}</ref>
| 74
| Pandex, Mutant (related to: Wigon, Pushdo)
|-
| 2007
|
| [[Akbot]]
| 1,300,000<ref>{{cite news |url=http://www.h-online.com/security/news/item/New-Zealand-teenager-accused-of-controlling-botnet-of-1-3-million-computers-734068.html |title=New Zealand teenager accused of controlling botnet of 1.3 million computers |publisher=The H security |date=2007-11-30 |access-date=12 November 2011 |archive-date=8 March 2013 |archive-url=https://web.archive.org/web/20130308194659/http://www.h-online.com/security/news/item/New-Zealand-teenager-accused-of-controlling-botnet-of-1-3-million-computers-734068.html |url-status=live }}</ref>
|
|
|-
| 2007 (March)
| 2008 (November)
| [[Srizbi botnet|Srizbi]]
| 450,000<ref>{{cite news |url=http://news.bbc.co.uk/2/hi/technology/7749835.stm |title=Technology | Spam on
rise after brief reprieve |work=BBC News |date=2008-11-26 |access-date=24 April 2010 |archive-date=22 May 2010 |archive-url=https://web.archive.org/web/20100522041420/http://news.bbc.co.uk/2/hi/technology/7749835.stm |url-status=live }}</ref>
| 60
| Cbeplay, Exchanger
|-
| 2008 (around)
|
| [[Sality]]
| 1,000,000<ref>{{cite web|url=http://www.symantec.com/connect/sites/default/files/sality_peer_to_peer_viral_network.pdf |archive-url=https://web.archive.org/web/20150924121449/http://www.symantec.com/connect/sites/default/files/sality_peer_to_peer_viral_network.pdf |url-status=dead |archive-date=24 September 2015 |title=Sality: Story of a Peer-to-Peer Viral Network |publisher=Symantec |date=2011-08-03 |access-date=12 January 2012}}</ref>
|
| Sector, Kuku
|-
| 2008 (around)
| [[Mariposa botnet#Dismantling|2009-Dec]]
| [[Mariposa botnet|Mariposa]]
| 12,000,000<ref>{{cite web |url=https://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/ |title=How FBI, police busted massive botnet |publisher=theregister.co.uk |access-date=3 March 2010 |archive-date=5 March 2010 |archive-url=https://web.archive.org/web/20100305062930/http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/ |url-status=live }}</ref>
|
|
|-
| 2008 (around)
|
| [[Kraken botnet|Kraken]]
| 495,000<ref>{{cite web |url=http://www.darkreading.com/attacks-breaches/new-massive-botnet-twice-the-size-of-storm/d/d-id/1129410?
|title=New Massive Botnet Twice the Size of Storm — Security/Perimeter |date=7 April 2008 |publisher=DarkReading |access-date=30 July 2010 |archive-date=11 June 2016 |archive-url=https://web.archive.org/web/20160611001246/http://www.darkreading.com/attacks-breaches/new-massive-botnet-twice-the-size-of-storm/d/d-id/1129410 |url-status=live }}</ref>
| 9
| Kracken
|-
| 2008 (November)
|
| [[Conficker]]
| 10,500,000+<ref>{{cite web |url=http://www.f-secure.com/weblog/archives/00001584.html |title=Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab |publisher=F-secure.com |date=2009-01-16 |access-date=24 April 2010 |archive-date=23 May 2016 |archive-url=https://web.archive.org/web/20160523183505/https://www.f-secure.com/weblog/archives/00001584.html |url-status=live }}</ref>
| 10
| DownUp, DownAndUp, DownAdUp, Kido
|-
| 2008 (November)
| [[Waledac botnet#Operations|2010 (March)]]
| [[Waledac botnet|Waledac]]
| 80,000<ref name=theregister>{{cite web |url=https://www.theregister.co.uk/2010/03/16/waledac_takedown_success/ |title=Waledac botnet 'decimated' by MS takedown |publisher=The Register |date=2010-03-16 |access-date=23 April 2011 |archive-date=18 April 2011 |archive-url=https://web.archive.org/web/20110418200429/http://www.theregister.co.uk/2010/03/16/waledac_takedown_success/ |url-status=live }}</ref>
| 1.5
| Waled, Waledpak
|-
|
|
| Onewordsub
| 40,000<ref name=computerworld>{{cite web |author=Gregg Keizer |url=http://www.computerworld.com/s/article/9076278/Top_botnets_control_1M_hijacked_computers |title=Top botnets control 1M hijacked computers |publisher=Computerworld |date=2008-04-09 |access-date=23 April 2011 |archive-date=13 August 2014 |archive-url=https://web.archive.org/web/20140813092704/http://www.computerworld.com/s/article/9076278/Top_botnets_control_1M_hijacked_computers |url-status=dead }}</ref>
| 1.8
|
|-
|
|
| Nucrypt
| 20,000<ref name=computerworld/>
| 5
| Loosky, Locksky
|-
|
|
| Wopla
| 20,000<ref
name=computerworld/>
| 0.6
| Pokier, Slogger, Cryptic
|-
| 2008 (around)
|
| [[Asprox botnet|Asprox]]
| 15,000<ref>{{cite web |url=https://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ |title=Botnet sics zombie soldiers on gimpy websites |publisher=The Register |date=2008-05-14 |access-date=23 April 2011 |archive-date=11 May 2011 |archive-url=https://web.archive.org/web/20110511105210/http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ |url-status=live }}</ref>
|
| Danmec, Hydraflux
|-
| <span style="display:none">0</span>
|
| Spamthru
| 12,000<ref name=computerworld/>
| 0.35
| Spam-DComServ, Covesmer, Xmiler
|-
| 2008 (around)
|
| [[Gumblar]]
|
|
|
|-
| 2009 (May)
| [[BredoLab botnet#Dismantling and aftermath|November 2010 (not complete)]]
| [[BredoLab botnet|BredoLab]]
| 30,000,000<ref>{{cite web |url=http://www2.canada.com/topics/technology/story.html?id=3333655 |title=Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com |publisher=.canada.com |access-date=10 November 2011 |url-status=dead |archive-url=https://web.archive.org/web/20110511115226/http://www2.canada.com/topics/technology/story.html?id=3333655 |archive-date=11 May 2011}}</ref>
| 3.6
| Oficla
|-
| 2009 (Around)
| 2012-07-19
| [[Grum botnet|Grum]]
| 560,000<ref>{{cite web |url=https://www.zdnet.com/blog/security/research-small-diy-botnets-prevalent-in-enterprise-networks/4485 |title=Research: Small DIY botnets prevalent in enterprise networks |publisher=ZDNet |access-date=30 July 2010 |archive-date=11 May 2011 |archive-url=https://web.archive.org/web/20110511225747/http://www.zdnet.com/blog/security/research-small-diy-botnets-prevalent-in-enterprise-networks/4485 |url-status=dead }}</ref>
| 39.9
| Tedroo
|-
|
|
| [[Mega-D botnet|Mega-D]]
| 509,000<ref name="CyberCrime-20101202">{{cite web|last=Warner|first=Gary|url=http://garwarner.blogspot.com/2010/12/oleg-nikolaenko-mega-d-botmaster-to.html|title=Oleg Nikolaenko, Mega-D Botmaster to Stand
Trial|publisher=CyberCrime & Doing Time|date=2010-12-02|access-date=6 December 2010|archive-date=7 January 2016|archive-url=https://web.archive.org/web/20160107115223/http://garwarner.blogspot.com/2010/12/oleg-nikolaenko-mega-d-botmaster-to.html|url-status=live}}</ref>
| 10
| Ozdok
|-
| 2009 (August)
|
| [[Festi botnet|Festi]]
| 250,000<ref name="Kirk">{{cite web|url=http://www.pcworld.com/article/260984/spamhaus_declares_grum_botnet_dead_but_festi_surges.html|title=Spamhaus Declares Grum Botnet Dead, but Festi Surges|last=Kirk|first=Jeremy|date=16 August 2012|work=[[PC World]]|access-date=11 March 2016|archive-date=1 July 2015|archive-url=https://web.archive.org/web/20150701141103/http://www.pcworld.com/article/260984/spamhaus_declares_grum_botnet_dead_but_festi_surges.html|url-status=live}}</ref>
| 2.25
| Spamnost
|-
| 2010 (March)
|
| [[Vulcanbot]]
|
|
|
|-
| 2010 (around)
|
| [[TDL4 botnet|TDL4]]
| 4,500,000<ref>{{cite web |url=http://infoaleph.wordpress.com/2011/07/03/como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/ |title=Cómo detectar y borrar el rootkit TDL4 (TDSS/Alureon) |publisher=kasperskytienda.es |date=2011-07-03 |access-date=11 July 2011 |archive-date=14 March 2016 |archive-url=https://web.archive.org/web/20160314122040/https://infoaleph.wordpress.com/2011/07/03/como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/ |url-status=live }}</ref>
|
| TDSS, Alureon
|-
|
|
| [[Zeus (Trojan horse)|Zeus]]
| 3,600,000 (US only)<ref>{{cite web |url=https://www.networkworld.com/article/766003/security-america-s-10-most-wanted-botnets.html |title=America's 10 most wanted botnets |publisher=Networkworld.com |date=2009-07-22 |access-date=10 November 2011 |archive-date=22 June 2024 |archive-url=https://web.archive.org/web/20240622185939/https://www.networkworld.com/article/766003/security-america-s-10-most-wanted-botnets.html |url-status=live }}</ref>
|
| Zbot, PRG, Wsnpoem, Gorhax, Kneber
|-
| 2010
| (Several: 2011, 2012)
| [[Kelihos botnet|Kelihos]]
| 300,000+
| 4
| Hlux
|-
| 2011 or earlier
| 2015-02
| [[Ramnit]]
| 3,000,000<ref name="phys.org">{{Cite web|url=https://phys.org/news/2015-02-eu-police-malicious-network.html|title=EU police operation takes down malicious computer network|website=phys.org|access-date=7 October 2019|archive-date=7 October 2019|archive-url=https://web.archive.org/web/20191007201920/https://phys.org/news/2015-02-eu-police-malicious-network.html|url-status=live}}</ref>
|
|
|-
| 2012 (Around)
|
| [[Chameleon botnet|Chameleon]]
| 120,000<ref>{{cite web |url=http://www.spider.io/blog/2013/03/chameleon-botnet/ |title=Discovered: Botnet Costing Display Advertisers over Six Million Dollars per Month |publisher=Spider.io |date=2013-03-19 |access-date=21 March 2013 |archive-date=9 July 2017 |archive-url=https://web.archive.org/web/20170709195420/http://www.spider.io/blog/2013/03/chameleon-botnet |url-status=live }}</ref>
|
| None
|-
|2014
|
|[[Necurs botnet|Necurs]]
|6,000,000
|
|
|-
|2016 (August)
|
|[[Mirai (malware)|Mirai]]
|380,000
|
|None
|-
|2022
|
|Mantis<ref>{{Cite web |title=This tiny botnet is launching the most powerful DDoS attacks yet |url=https://www.zdnet.com/article/this-tiny-botnet-is-launching-the-most-powerful-ddos-attacks-yet/ |access-date=2022-07-31 |website=ZDNet |language=en |archive-date=31 July 2022 |archive-url=https://web.archive.org/web/20220731225923/https://www.zdnet.com/article/this-tiny-botnet-is-launching-the-most-powerful-ddos-attacks-yet/ |url-status=live }}</ref>
|5000
|
|
|}

* Researchers at the University of California, Santa Barbara took control of a botnet that was six times smaller than expected. In some countries, it is common for users to change their IP address a few times in one day. Estimating the size of a botnet by the number of IP addresses is a method often used by researchers, possibly leading to inaccurate assessments.<ref>{{cite web |last=Espiner |first=Tom |url=https://www.zdnet.com/article/botnet-size-may-be-exaggerated-says-enisa/ |title=Botnet size may be exaggerated, says Enisa | Security Threats |publisher=Zdnet.com |date=2011-03-08 |access-date=10 November 2011 |archive-date=23 October 2012 |archive-url=https://web.archive.org/web/20121023074646/http://www.zdnet.com/botnet-size-may-be-exaggerated-says-enisa-3040092062/ |url-status=live }}</ref>

==See also==
* [[Computer security]]
* [[Computer worm]]
* [[Spambot]]
* [[Timeline of computer viruses and worms]]
* [[Advanced Persistent Threat]]
* [[Volunteer computing]]

==References==
{{Reflist|30em}}

==External links==
* {{usurped|1=[https://web.archive.org/web/20190930030243/http://www.honeynet.org/papers/bots/ The Honeynet Project & Research Alliance]}} – "Know your Enemy: Tracking Botnets"
* [http://www.shadowserver.org/ The Shadowserver Foundation] – an all-volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud
* [http://www.eweek.com/c/a/Security/Is-the-Botnet-Battle-Already-Lost/ EWeek.com – "Is the Botnet Battle Already Lost?"]
* [https://www.fbi.gov/news/stories/2014/january/spyeye-malware-mastermind-pleads-guilty Botnet Bust – "SpyEye Malware Mastermind Pleads Guilty"], [[FBI]]

{{Information security}}
{{Botnets}}
{{malware}}

[[Category:Botnets| ]]
[[Category:Command and control]]
[[Category:Internet security]]
[[Category:Spamming]]
[[Category:Distributed computing]]
[[Category:Cyberwarfare]]
[[Category:Security breaches]]
[[Category:Internet bots]]