Botnets and Their Types

Reading Time: 6 minutes

We constantly use the internet to run our lives and the digital devices we depend on. Along with our connection to the internet comes our connection to the side-effects of the internet like viruses, spams, criminal hackers, and online fraud. The amount of phishing sites, malicious emails, destructive viruses, etc. has increased not just in the U.S. but globally. Of the various threats that individuals and businesses are facing these days through the internet, the botnet is the most prevalent. A botnet is a network of computers that are remotely controlled by hackers.

Botnets are used by criminal hackers to spread ransomware to your laptop, phone, tablet, computer, etc. They can be undetectable so you may not even know if your device is part of a botnet.

What is a Botnet?

The word ‘botnet’ is a combination of two words, ‘robot’ and ‘network.’ Here, a cybercriminal who performs the role of a botmaster uses Trojan viruses to breach the security of several computers and connect them into a network for malicious purposes. Each computer on the network acts as a ‘bot’ and is controlled by a scammer to transmit malware or spam or malicious content in order to launch the attack. A botnet is also known as a Zombie Army as the computers involved are being controlled by someone other than their owner.

The origin of botnets was mainly to serve as a tool in internet relay chat (IRC) channels. Eventually, spammers exploited the vulnerabilities present in IRC networks and developed bots. This was intentionally done to perform malicious activities such as keystroke logging, password theft, etc. [6]

Botnet Structure

The structure of the botnet usually takes one of two forms: Client-server model or Peer-to-peer model.

Client-server model

In the client-server botnet structure, a basic network is established with one server acting as a botmaster. The botmaster controls the transmission of information from each client to establish command and control (C&C) of the client devices. The client-server model works with the help of special software and allows the botmaster to maintain control. This model has a few drawbacks such as it can be located easily and has only one control point. In this model, if the server is destroyed, the botnet perishes.


To overcome the drawback of relying on one centralized server, botnets have evolved. New botnets are interconnected in the form of peer-to-peer structure. In the P2P botnet model, each connected device works independently as a client and a server, coordinating among each other to update and transmit information between them. The P2P botnet structure is stronger because of the absence of a single centralized control.

Types of Botnet Attacks

Distributed Denial of Operations Service:

A botnet can be used for a distributed denial of operations service (DDoS) attack to destroy the network connectivity and services. This is done by overburdening the computational resources or by consuming the bandwidth of the victim. The most commonly implemented attacks are TCP SYN and UDP flood attacks. DDoS attacks are not limited only to the web servers but can be targeted to any service connected to the internet. The severity of the attack can be increased by using recursive HTTP-floods on the victim’s website which means that the bots follow all the links on the HTTP link in a recursive way. This form is called spidering which is practiced to increase the load effectively.

One of the biggest DDoS botnet attacks of the year was  IoT-related and used the Mirai botnet virus. The virus targeted and controlled tens of thousands of less protected internet devices and turned them into bots to launch a DDoS attack. Mirai spawned many derivatives and continued to expand, making the attack more complex. It changed the threat landscape forever in terms of the techniques used. [1]

Spamming and Traffic Monitoring:

A bot can be used as a sniffer to identify the presence of sensitive data in the infected machines or zombies. It can also locate competitor botnets if installed in the same machine and can be hijacked by the commander. Some bots may offer to open a SOCKS v4/v5 proxy (generic proxy protocol for TCP /IP based network). When the SOCKS proxy is enabled on a compromised machine, it can be used for various purposes like spamming. Bots use a packet sniffer to watch for the information or data been passed by the compromised machine. The sniffer can retrieve sensitive information such as a username and password.

Grum is the type of spam which is hard to detect as it infects files used by Autorun registries. This botnet has attracted the researches as it is relatively small with only 600,000 members but accounts for 40 billion spam-emails per day which is approximately 25% of the total spam emails. [2]


With the help of keylogger, it becomes easy for a botmaster to retrieve sensitive information and steal data. Using a keylogger program, an attacker can gather only the keys typed that come in the sequence of interesting words like PayPal, Yahoo, etc.

A kind of spyware identified as OSX/XSLCmd ported from Windows to OS X includes keylogging and screen capture capabilities. [3]

Mass Identity Theft:

Different kinds of bots can be mixed to perform large-scale identity theft which is one of the fastest growing crimes. [7] Spam emails are sent by bots to direct the traffic towards fake websites representing bots to harvest personal data. Bots can be used to appear as a legitimate company and ask the user to submit personal details like bank account password, credit card details, taxation details, etc. Mass identity theft can be performed using phishing emails that trick victims into entering login credentials on websites like eBay, Amazon, or even their banks.

Pay-per-click abuse:

Google’s AdSense program allows websites to display Google advertisements and thereby earn money from them. Google pays money to the website owners on the basis of the number of clicks their advertisements gather. Compromised machines are used to automatically click on a site, inflating the number of clicks sent to the company with the ad.

Botnet spread:

Botnets are also used to spread other botnets by convincing the user to download the specific program and the program is executed through email, HTTP, or FTP.  It is a good idea to spread an email virus using this botnet. Two security researchers in the month of January 2017, discovered ‘Star Wars’ Twitter botnet that comprises of 350,000 bot accounts which tweeted random quotes from the movie franchise. Such bots if continuing to exist may create fake trending topics to sway public opinion, send unsolicited spam, launch cyber attacks and more. [5]


Adware is used to attract users by advertising on web pages or apps. They appear on machines without the knowledge or permission of the users with original ads being replaced by fraudulent adware which infects the system of any users who click on it.

Adware looks like harmless ads but uses spyware to collect browser data.In order to get rid of adware, anti-adware is required. Though there are many free and paid versions of anti-adware available, it is best to opt for a licensed one. Many virus scanning packages also come with anti-malware software.

Botnets can be expelled from or stopped from entering our machines using anti-malware which can spot infections on the hard disk or network traffic and treat them immediately. On the other hand, the most effective approach would be attaining a full-fledged education on how to fight botnets.

EC-Council is the world’s leading cybersecurity credentialing body, with a wide range of cyber security certifications on various programs. The Certified Ethical Hacking (C|EH) is a flagship program of EC-Council that helps you learn ethical hacking online. For more details, visit





get certified from ec-council
Write for Us