Life Coach For Retirees And Veterans Who Want Their BEST Quality Of Life | TheMightyMiracleMan
  • HOME
  • MY STORY
  • Web Design and Security
  • LIVE YOUR BEST LIFE! | FITNESS
    • NUTRITION GUIDE
  • BLOG
  • SHOP
  • CONTACT
    • Terms and Conditions
    • Privacy Policy
  • TOOLS
    • Workout tracker
    • lumbar plexus
    • Brachial plexus

BLOG

Introducing The Mighty Miracle Man Method

Unlock Your Inner Potential and Achieve Unstoppable Success!

I help fellow Traumatic Brain Injury (TBI) survivors and veterans fall in love with their body, change their mindset, and CHANGE THEIR LIVES!

What Is a Botnet? A Complete Deep Dive

12/5/2025

A **botnet** (short for “robot network”) is a collection of internet-connected devices that have been infected with malware and are remotely controlled by a single entity — the **botmaster** or **bot herder** — without the legitimate owners’ knowledge.


Each compromised device is called a **bot**, **zombie**, or **drone**. Modern botnets can include:
- Home/office PCs
- Servers
- IoT devices (cameras, routers, smart TVs, fridges, light bulbs)
- Mobile phones
- Cloud/virtual private servers rented with stolen credit cards


Botnets are the Swiss Army knife of cybercrime: they are used for DDoS attacks, spam, click fraud, crypto mining, credential stuffing, proxy services, and data theft.


#### Size of Notable Botnets (2016–2025)
| Botnet            | Peak Known Size       | Primary Use                  | Still Active? |
|-------------------|-----------------------|------------------------------|---------------|
| Mirai (2016–now)  | ~600,000 devices at the 2016 peak; many variants since | IoT DDoS | Yes (variants) |
| 3ve (pronounced “Eve”) | ~1.7 million IPs     | Click fraud & ad fraud       | Dismantled 2018 |
| Methbot           | Hundreds of thousands of IPs | Video ad fraud        | Dismantled 2017 |
| Necurs            | ~9 million PCs        | Spam, banking trojans        | Disrupted 2020 |
| Emotet            | Millions              | Malware dropper & banking    | Disrupted Jan 2021, returned Nov 2021 |
| Mēris (2021–22)   | ~250,000 MikroTik routers | Record HTTP request floods (21.8 million rps against Yandex, 2021) | Partially active |
| Mirai-derived IoT botnets (2024–25) | Tens of thousands of devices each | Record volumetric DDoS (3.8 Tbps in Oct 2024, 5.6 Tbps in Jan 2025) | Very active |
| Zerobot / Kasha (Go-based IoT) | Tens of thousands | IoT DDoS; Zerobot first reported late 2022 | Active |

(A Mirai deep dive is planned for next week.)


How a Device Becomes Part of a Botnet (Infection Vectors)
1. **Brute-force or default credentials**
   Most common with IoT (admin/admin, root/12345, etc.).
2. **Exploiting unpatched vulnerabilities**
   Example: CVE-2018-10561 (authentication bypass in Dasan GPON routers), CVE-2021-35394 (Realtek Jungle SDK command injection), CVE-2023-1389 (TP-Link Archer AX21 command injection), and Log4Shell (CVE-2021-44228) on servers.
3. **Drive-by downloads & malvertising**
   Visiting a compromised website infects Windows/Android.
4. **Email phishing attachments or malicious links**
   Classic for PCs (Emotet, Qakbot, TrickBot).
5. **Worm-like self-propagation**
   Each Mirai bot constantly scans random IPv4 addresses for open Telnet (ports 23/2323) and sometimes SSH, tries its list of default credentials, and reports hits to a loader that infects the new device. Collectively the botnet sweeps the whole IPv4 space in a short time, so an exposed device with default credentials is typically found within minutes of coming online.
6. **Supply-chain attacks**
   Example: the June 2024 compromise of several WordPress.org plugins, whose updates were injected with code that created rogue admin accounts, and trojanized router firmware updates.

Botnet Architecture: How They Are Controlled
1. **Centralized (IRC or HTTP C2)** – Old school
   All bots phone home to one or a few command-and-control (C2) servers. Easy to disrupt (take down or sinkhole the server and the botnet goes dark). Used by early Zeus and the IRC bots of the 2000s (Agobot, SDBot).


2. **Peer-to-Peer (P2P)**
   Bots form a mesh; commands propagate peer-to-peer, usually signed so that defenders cannot inject their own. Much harder to kill (no single point of failure). GameOver Zeus and ZeroAccess used this.


3. **Domain Generation Algorithms (DGA)**
   Bots generate hundreds or thousands of pseudo-random domain names every day (seeded by the date or another value the botmaster can predict) and try to contact them until one resolves to the real C2. The botmaster only has to register one of the day's names; defenders have to predict and sinkhole all of them. Used by Conficker, Kraken, and many banking trojans.


4. **Fast-Flux and Double-Flux**
   Single-flux: the A records for the C2 hostname change every few minutes, rotating through hundreds of compromised hosts that proxy traffic to the real back end. Double-flux: the domain's NS records rotate as well, so even the name servers are disposable.


5. **Modern Hybrid (2023–2025 trend)**
   - Primary C2 over Tor hidden services or Telegram channels
   - Telegram bots or social-media posts used as dead-drop resolvers (the bot fetches a public post that contains the current C2 address)
   - DNS over HTTPS (DoH) to hide lookups, or blockchain-based fallbacks (Glupteba reads its backup C2 address out of Bitcoin transactions)
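As an added example (not code from the original post, and not any real malware family's algorithm), here is a toy date-seeded DGA in Python that shows why item 3 above is so hard to disrupt: the bot and the botmaster derive the same daily list independently, the botmaster registers one name, and a defender who recovers the seed from a sample can pre-compute and sinkhole the whole list. The seed string, the TLD list, the resolver and the registered-domain table are all assumptions made up for illustration.

```python
import hashlib
from datetime import date, timedelta

# Toy DGA for illustration only; it is not Conficker's or any real family's algorithm.
TLDS = ("com", "net", "org", "info", "biz")


def dga_domains(day, seed, count=50):
    """Candidate C2 domains for one day.

    The bot and the botmaster both run this with the same hard-coded seed and the
    current date, so they agree on the day's list without ever exchanging it.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label_len = 8 + digest[0] % 8                       # 8..15 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def bot_find_c2(day, seed, resolve):
    """Bot side: walk the day's list and stop at the first name that resolves.

    `resolve` is a callable domain -> IP string or None; a real bot would call the
    system resolver. The botmaster need only register one of the names.
    """
    for domain in dga_domains(day, seed):
        ip = resolve(domain)
        if ip:
            return domain, ip
    return None


def predict_for_sinkhole(seed, start, days):
    """Defender side: once the algorithm and seed are reverse-engineered from a
    sample, pre-compute every name the bots will try over the coming days so
    registrars can block them or point them at a sinkhole."""
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset), seed))
    return names


if __name__ == "__main__":
    today = date(2025, 12, 5)
    seed = "example-family-seed"            # hypothetical; in practice recovered from the sample
    todays = dga_domains(today, seed)
    # Constructed resolver: only the one name the botmaster actually registered resolves.
    registered = {todays[7]: "203.0.113.10"}
    print("bot reached C2 via", bot_find_c2(today, seed, registered.get))
    week = predict_for_sinkhole(seed, today, 7)
    print(len(week), "names to sinkhole for the next 7 days, e.g.", sorted(week)[:3])
```

The asymmetry is the point: the botmaster spends one domain registration per day, while the defender who has not recovered the seed sees a stream of failed lookups to random-looking names and has nothing to block in advance. Real families also vary the seed per campaign or pull it from a live source (a trending search term, a currency rate) precisely to defeat the pre-computation shown in `predict_for_sinkhole`.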

What Botnets Actually Do Once Built
1. **DDoS attacks** (the #1 use in 2025)
   Layer 3/4 floods, Layer 7 HTTP/S floods, reflection/amplification.
2. **Spam & phishing campaigns**
3. **Click fraud & ad fraud** (billions of dollars per year)
4. **Cryptojacking** (illicit crypto mining)
5. **Proxy services** (selling access to infected residential IPs; 911 S5, taken down in May 2024, had sold access to roughly 19 million IPs)
6. **Credential stuffing** (trying stolen username/password pairs on thousands of sites)
7. **Ransomware distribution**
8. **Data exfiltration**

The Economics (2025 prices on darknet markets)
- 1,000 bots (clean residential IPs) ≈ $80–$300
- 10,000 IoT bots for DDoS ≈ $300–$800 per week
- 1 Gbps sustained DDoS ≈ $50–$100 per day
- 100–500 Gbps “stresser/booter” package ≈ $500–$2,000 per month
- Full private botnet (100k+ devices) can be rented for $10,000+ per month

Notable Takedowns and Why Most Fail
- 2018: FBI + international partners seized 3ve and dismantled it (1.7 million IPs).
- 2020: Microsoft + partners killed Necurs (9 million PCs).
- 2021: Europol/FBI-led Operation LadyBird seized Emotet infrastructure (January 2021).
- 2023: Qakbot takedown (Operation Duck Hunt, August 2023; 700,000+ infected machines identified and the malware remotely uninstalled).


Most takedowns only work temporarily because source code leaks, new authors fork the malware, and bulletproof hosting in non-cooperative countries keeps C2 alive.


How to Tell If Your Device Is Part of a Botnet
- Unexplained high outbound traffic, especially UDP to ports 123 (NTP), 1900 (SSDP) or 53 (DNS), which means the device is being used as a flood or reflection source, or bursts of HTTP/S requests on 80/443 (Layer 7 floods)
- CPU/GPU at 100 % with unknown processes
- Strange DNS queries or connections to odd IPs
- Router admin page shows unknown port forwards or UPnP openings
- Your IP appears on abuse blacklists (AbuseIPDB, Spamhaus, etc.)
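An added example, not from the original post: a small Python script that applies the indicators above to constructed flow and DNS log lines (the records, hosts, IPs and thresholds are made up for illustration, not captured from a real network). It flags hosts that push large UDP volumes to reflection ports, fan out to many destinations, probe Telnet the way Mirai does, or produce the bursts of failed lookups for random-looking names that a DGA leaves behind.

```python
import math
from collections import defaultdict

# Constructed sample flow records (not captured traffic): "epoch src dst proto dport bytes".
# 192.168.1.20 plays a normal laptop; 192.168.1.50 plays an IoT camera behaving like a DDoS bot.
FLOWS = """\
1733400000 192.168.1.20 142.250.80.46 tcp 443 52000
1733400001 192.168.1.20 192.168.1.1 udp 53 120
1733400002 192.168.1.20 151.101.1.69 tcp 443 18000
1733400000 192.168.1.50 198.51.100.7 udp 123 620000
1733400000 192.168.1.50 198.51.100.8 udp 123 610000
1733400001 192.168.1.50 198.51.100.9 udp 1900 590000
1733400001 192.168.1.50 198.51.100.10 udp 1900 605000
1733400002 192.168.1.50 198.51.100.11 udp 53 580000
1733400002 192.168.1.50 203.0.113.77 tcp 23 900
"""

# Constructed DNS query log for the same two hosts: "epoch src qname rcode".
DNS = """\
1733400000 192.168.1.20 www.example.com NOERROR
1733400001 192.168.1.20 mail.example.org NOERROR
1733400000 192.168.1.50 qzxkvjtlmwpa.info NXDOMAIN
1733400000 192.168.1.50 hfrwnqlxbzvg.biz NXDOMAIN
1733400001 192.168.1.50 tlvqpbxnwkrd.net NXDOMAIN
1733400001 192.168.1.50 zxwkqvjhfgpl.com NXDOMAIN
1733400002 192.168.1.50 ykgmwtrvxbqn.org NOERROR
"""

# Thresholds are illustrative; tune them against a baseline of your own network.
AMPLIFICATION_UDP_PORTS = {53, 123, 1900, 389, 11211}  # DNS, NTP, SSDP, CLDAP, memcached
AMP_BYTES_THRESHOLD = 1_000_000   # outbound bytes to those ports per host in the window
FANOUT_THRESHOLD = 5              # distinct destinations per host in the window
NXDOMAIN_THRESHOLD = 3            # failed lookups per host in the window
RANDOM_LABEL_THRESHOLD = 3        # long, high-entropy first labels per host
ENTROPY_BITS = 3.3                # a 12-letter label with no repeats scores log2(12) = 3.58


def shannon_entropy(s):
    """Bits per character; dictionary words score low, random letter strings score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_records(text, nfields):
    """Yield whitespace-separated records, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == nfields:
            yield fields


def analyze(flows_text, dns_text):
    """Return {host: [finding, ...]} for every host that trips at least one indicator."""
    amp_bytes, dsts = defaultdict(int), defaultdict(set)
    nxdomain, random_labels = defaultdict(int), defaultdict(int)
    telnet_probers = set()
    for _ts, src, dst, proto, dport, nbytes in parse_records(flows_text, 6):
        dsts[src].add(dst)
        if proto == "udp" and int(dport) in AMPLIFICATION_UDP_PORTS:
            amp_bytes[src] += int(nbytes)
        if proto == "tcp" and int(dport) in (23, 2323):   # Mirai-style Telnet scanning
            telnet_probers.add(src)
    for _ts, src, qname, rcode in parse_records(dns_text, 4):
        if rcode == "NXDOMAIN":
            nxdomain[src] += 1
        label = qname.split(".")[0]
        if len(label) >= 10 and shannon_entropy(label) >= ENTROPY_BITS:
            random_labels[src] += 1

    findings = {}
    for host in sorted(set(dsts) | set(nxdomain) | set(random_labels)):
        hits = []
        if amp_bytes[host] >= AMP_BYTES_THRESHOLD:
            hits.append(f"amplification-source ({amp_bytes[host]} bytes to UDP {sorted(AMPLIFICATION_UDP_PORTS)})")
        if len(dsts[host]) >= FANOUT_THRESHOLD:
            hits.append(f"scan-fanout ({len(dsts[host])} distinct destinations)")
        if host in telnet_probers:
            hits.append("telnet-probe (outbound TCP 23/2323)")
        if nxdomain[host] >= NXDOMAIN_THRESHOLD or random_labels[host] >= RANDOM_LABEL_THRESHOLD:
            hits.append(f"dga-like-dns ({nxdomain[host]} NXDOMAIN, {random_labels[host]} random-looking labels)")
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in analyze(FLOWS, DNS).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```

Each rule on its own produces false positives (a legitimate NTP server sends plenty of UDP/123, a CDN-heavy browser fans out to many hosts, and long CDN hostnames score high on entropy), so the DGA rule pairs the entropy check with an NXDOMAIN count and the script reports every indicator a host trips rather than acting on any single one. On a real network, feed it NetFlow/IPFIX or conntrack exports and your resolver's query log, and set the thresholds from a week of clean baseline traffic.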


Prevention Checklist (2025)
1. Change every default password (especially IoT and routers).
2. Disable telnet, UPnP, and remote administration if not needed.
3. Patch everything — routers included (many ISPs still ship 5+ year old firmware).
4. Segment IoT devices on a separate VLAN.
5. Use ISP-level DDoS protection or a reputable CDN/WAF.
6. Monitor outbound traffic for anomalies.


Botnets are the foundational infrastructure of almost all large-scale cybercrime today. The same network that knocks Cloudflare customers offline for 30 minutes in the morning might be mining Monero in the afternoon and sending spam at night.


Understanding how they are built, controlled, and monetized is the first step to staying off them — and keeping your bandwidth to yourself.