Botnets Are Evolving, But You Can Still Stay a Step Ahead
Botnets have evolved significantly over the years and continue to do so, now incorporating AI and ML, which makes them more efficient and harder to detect. To stay ahead of this growing scourge, network security teams must prioritize measures that proactively thwart infections and minimize breach response times.
August 22, 2024
Online bot activity remains a prevalent concern among network security professionals. On its own, an individual bot can do little large-scale damage to a given target. But what happens when these individual bots join forces?
That's exactly what occurs in a botnet. Short for "robot network," botnets are collections of internet-facing devices, each running one or more bots. Their scale allows cybercriminals to execute sophisticated attacks that swamp targeted networks with traffic or to carry out other malicious activity.
As the number of internet-connected devices grows, so does the pervasiveness of botnets. In fact, the prevalence of bot attacks nearly doubled throughout 2023, according to one recent study. In late May, the U.S. Department of Justice announced that it had dismantled the “911 S5” botnet, following some eight years of activity spanning 19 million unique IP addresses across 200 countries, which yielded a $5.9 billion fraudulent haul.
Let’s take a closer look at botnets, how they have changed over the years, how cybercriminals use them today, and how administrators can protect their networks against this escalating threat.
The Evolution of Botnets
The concept of botnets has its roots in the early 2000s, with the appearance of the “EarthLink Spammer,” widely regarded as the first botnet. It was primarily used to execute mass-scale spam email campaigns. Since then, botnets have evolved significantly.
One major milestone came in 2007, when the first decentralized botnet emerged, known as "Storm." Unlike earlier counterparts that were relatively simple, Storm leveraged peer-to-peer (P2P) communication to control its network of infected devices rather than a single Command and Control (C2) server. This made the malicious actors far more difficult to track, significantly boosting the dark web's botnet market.
Among the more recent developments in botnet evolution is the emergence of botnets targeting IoT devices. These include security cameras, smart TVs, printers, and connected appliances. IoT devices, even the most modern ones, often have relatively weak security, which makes it easy to “recruit” them into botnets behind the scenes. Tackling this threat will be a major challenge for product manufacturers and the cybersecurity community in the coming years.
Threat actors have also begun using AI and ML to optimize their armies of “zombie devices,” which significantly improves their efficiency and effectiveness in carrying out attacks.
How and Why Cybercriminals Use Botnets
Botnets provide cybercriminals with a powerful and scalable means of conducting malicious activities. They can be extremely difficult to detect, and many systems aren’t equipped to handle the sheer scale and complexity of modern botnets.
Before they can do any damage, however, attackers first need to infect as many devices as possible. This is accomplished through various methods, the most popular of which is likely social engineering: tricking individuals into downloading botnet malware, either through phishing or by disguising it as a legitimate download link. This was the case with the above-mentioned 911 S5, which people unwittingly installed as part of seemingly legitimate VPN software packages.
The other common infection method is outdated software. Devices running old firmware are vulnerable to botnet infections. This is particularly common with IoT devices, whose firmware status is often overlooked because of the sheer volume of devices that need configuration and updating.
Once cybercriminals have a sizable botnet, they can use it to execute various types of attacks. The most common attack type at present is Distributed Denial of Service (DDoS). In a DDoS attack, the botnet floods a target's servers with an overwhelming amount of traffic, causing them to crash or perform poorly. In late July, Microsoft Azure was hit with a DDoS attack that led to hours-long disruptions worldwide.
But botnets can also be used for more "direct" foul play, including password-related attacks like credential stuffing and brute force attacks or even data exfiltration. These botnet techniques are more recent, so let's examine them in a bit more detail.
Modern Botnet Attack Techniques
Botnet-powered credential stuffing utilizes machine learning to analyze password databases at scale. Attackers can feed these databases, which are readily available on the dark web, to the botnet, allowing it to sift through hundreds of millions or even billions of entries.
By using ML algorithms, the botnet can identify the most common passwords and prioritize them during brute-force attacks. This minimizes the noise associated with brute-force attacks and significantly increases the success rate.
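The distributed pattern described above is what makes botnet-driven credential stuffing hard to catch with a per-IP lockout rule: each bot address fails only once or twice, so no single source ever crosses the lockout threshold. The following is an added example (not code from the article) showing why a window-level view is needed. It assumes a hypothetical login-log format (timestamp, client IP, account, result) and uses constructed sample lines; the thresholds are illustrative starting points, not tuned values.

```python
"""Spot credential-stuffing patterns in login logs (added example, not from the article)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical format: timestamp, client IP, account, result.
# 10:00-10:05: one legitimate user mistypes a password, then succeeds.
# 10:05-10:10: eight distinct addresses each try a different account exactly once,
#              the spread-out, low-per-IP pattern a distributed botnet produces.
SAMPLE_AUTH_LOG = """\
2024-08-22T10:00:01Z 203.0.113.7 user=alice result=FAIL
2024-08-22T10:00:04Z 203.0.113.7 user=alice result=OK
2024-08-22T10:05:10Z 198.51.100.10 user=bob result=FAIL
2024-08-22T10:05:11Z 198.51.100.11 user=carol result=FAIL
2024-08-22T10:05:12Z 198.51.100.12 user=dave result=FAIL
2024-08-22T10:05:13Z 198.51.100.13 user=erin result=FAIL
2024-08-22T10:05:14Z 198.51.100.14 user=frank result=FAIL
2024-08-22T10:05:15Z 198.51.100.15 user=grace result=FAIL
2024-08-22T10:05:16Z 198.51.100.16 user=heidi result=FAIL
2024-08-22T10:05:17Z 198.51.100.17 user=ivan result=OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(OK|FAIL)$")
WINDOW_MINUTES = 5


def parse_auth_log(text):
    """Yield (timestamp, ip, user, result) tuples; silently skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def window_start(ts):
    """Floor a timestamp to the start of its fixed WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def per_ip_lockout_candidates(text, max_fails=5):
    """The classic rule: IPs that failed at least max_fails times.
    Against a botnet that spreads attempts across many addresses this returns nothing."""
    fails = Counter(ip for _, ip, _, result in parse_auth_log(text) if result == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= max_fails)


def detect_credential_stuffing(text, min_ips=5, min_accounts=5, max_fails_per_ip=2.0):
    """One alert per window whose failed logins are spread across many source IPs
    and many accounts while each IP fails only a few times."""
    fails = defaultdict(list)  # window start -> [(ip, user), ...]
    for ts, ip, user, result in parse_auth_log(text):
        if result == "FAIL":
            fails[window_start(ts)].append((ip, user))
    alerts = []
    for start in sorted(fails):
        events = fails[start]
        ips = {ip for ip, _ in events}
        accounts = {user for _, user in events}
        fails_per_ip = len(events) / len(ips)
        if len(ips) >= min_ips and len(accounts) >= min_accounts and fails_per_ip <= max_fails_per_ip:
            alerts.append({
                "window_start": start.isoformat(),
                "failed_logins": len(events),
                "distinct_ips": len(ips),
                "distinct_accounts": len(accounts),
            })
    return alerts


if __name__ == "__main__":
    print("per-IP lockout would flag:", per_ip_lockout_candidates(SAMPLE_AUTH_LOG))
    for alert in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print("credential-stuffing window:", alert)
```

On the sample, the per-IP rule flags nothing, while the window-level rule raises one alert for the 10:05 bucket (seven failures from seven addresses against seven accounts). In a SIEM the same logic maps to a correlation rule keyed on distinct-count of source IP and account per time window; the useful follow-up is to check whether the targeted accounts overlap with a known breach dump.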
When it comes to data exfiltration, botnets have also started to incorporate more advanced techniques that make data theft and extraction both stealthier and more efficient. Modern botnets can be programmed to infiltrate networks, locate valuable data, and exfiltrate it without triggering security alerts.
With the integration of machine learning, botnets can also be instructed to automatically search for specific types of data, such as credit card numbers or personally identifiable information (PII). To avoid detection, botnets often break the stolen data into smaller packets and transmit them slowly over time or via encrypted channels.
Strategies for Dealing with Today’s Botnets
The success of botnet attacks largely depends on the cyber resilience of the target. While highly sophisticated hackers may infiltrate even the most guarded systems, a cyber raid is more likely to succeed against targets with weak or outdated security measures.
However, to achieve even a basic level of resilience against today’s botnets, there are a few areas you need to cover.
Network Monitoring. Network security teams only stand a chance of noticing they're under attack if they can detect threats in real time. This is only possible with ongoing network monitoring. Network logs give you detailed insight into all network activity. Ideally, you'd keep all of these logs in a central location where the IT team can access and analyze them. For that, you would use a Security Information and Event Management (SIEM) system to aggregate and analyze log data from various sources within the network, including firewalls, servers, and Intrusion Detection and Prevention Systems (IDS/IPS).
Automated Detection Capabilities. Since botnets can remain hidden for months on end, it’s also important to have some form of automated detection capability, which will alert your IT department about unusual network activity or anomalies that could point to botnet presence. IDS/IPS can be effective in this regard, along with Network Detection and Response (NDR) solutions.
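Two of the anomalies an automated capability can look for follow directly from the techniques described earlier: the low-and-slow exfiltration pattern (small chunks sent over a long period, described under Modern Botnet Attack Techniques) and the regular check-in traffic a bot sends to its C2 server. The example below is added here and is not code from the article or from any product; it generalizes the text slightly by adding the timing-regularity check, a standard beaconing heuristic. It assumes a simplified, hypothetical flow record (start time, internal source, external destination, port, bytes out) of the kind a firewall or NetFlow exporter feeds into a SIEM, and all traffic is constructed.

```python
"""Two flow-level detectors for botnet presence (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Hypothetical simplified outbound flow record."""
    start: datetime   # flow start time
    src: str          # internal host
    dst: str          # external destination
    dst_port: int
    bytes_out: int    # bytes sent by src


def build_sample_flows():
    """Constructed one-day sample (not captured from a real network).

    10.0.0.6 browses normally: twelve 20 KB flows to one site at irregular times.
    10.0.0.5 shows the low-and-slow pattern: a 4 KB chunk to the same external
    host every 30 minutes, so no single flow looks large, but the day's total is
    about 192 KB and the timing is metronomic.
    """
    day = datetime(2024, 8, 22)
    flows = []
    t = day + timedelta(hours=9)
    for gap_min in [0, 2, 37, 5, 91, 1, 14, 60, 3, 22, 8, 45]:  # irregular gaps
        t += timedelta(minutes=gap_min)
        flows.append(Flow(t, "10.0.0.6", "192.0.2.10", 443, 20_000))
    for i in range(48):
        flows.append(Flow(day + timedelta(minutes=30 * i), "10.0.0.5", "192.0.2.50", 443, 4_096))
    return flows


def group_by_pair(flows):
    """Bucket flows by (source host, destination)."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f.src, f.dst)].append(f)
    return pairs


def detect_slow_exfiltration(flows, total_threshold=100_000, max_single_flow=10_000, min_flows=20):
    """Flag pairs whose individual flows stay below a per-transfer alarm size yet
    add up past total_threshold over the period analysed."""
    alerts = []
    for (src, dst), fs in group_by_pair(flows).items():
        total = sum(f.bytes_out for f in fs)
        largest = max(f.bytes_out for f in fs)
        if len(fs) >= min_flows and largest < max_single_flow and total >= total_threshold:
            alerts.append({"src": src, "dst": dst, "flows": len(fs), "total_bytes": total})
    return alerts


def detect_beaconing(flows, min_connections=10, max_cv=0.1):
    """Flag pairs whose connection intervals are nearly constant.

    cv = stddev / mean of the inter-arrival times. Human-driven traffic is bursty
    (cv around 1 or higher); a timer-driven check-in sits near 0 unless the
    malware adds jitter, which is why max_cv is a tunable rather than a constant.
    """
    alerts = []
    for (src, dst), fs in group_by_pair(flows).items():
        if len(fs) < min_connections:
            continue
        times = sorted(f.start for f in fs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "connections": len(fs),
                           "interval_s": round(avg), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("slow exfiltration:", detect_slow_exfiltration(sample))
    print("beaconing:", detect_beaconing(sample))
```

On the sample, both detectors flag only 10.0.0.5 talking to 192.0.2.50: 48 flows totalling 196,608 bytes, none above 10 KB, at a fixed 1800-second interval. The browsing host has a higher daily volume to its one site but trips neither rule, because its flows are few and irregular. The two rules are deliberately independent so that either one on its own is a signal worth a triage ticket.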
Software Updates. Botnets often spread via devices with outdated software, so it's important to install the latest security patches as soon as they become available. These patches contain fixes for known vulnerabilities an attacker may use to spread botnets and other malware to your network's endpoints.
Awareness Training. A well-orchestrated phishing attack can bypass even the most advanced protection systems, which underscores the need to establish a cybersecurity awareness program. Employees must be aware of basic best practices like recognizing phishing attempts, staying away from suspicious files or unknown links, using strong passwords and MFA, and so forth.
Staying a Step Ahead
Botnets have evolved significantly over the years and will continue to do so in lockstep with other technologies. We’re already seeing the impacts of AI and ML incorporation into botnet attacks, making them more efficient and difficult to detect. To stay ahead of this growing scourge, network security teams must prioritize measures that proactively thwart infections and minimize breach response times.