Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

What is the 15-Minute Botnet?

Becoming an Internet criminal is getting easier and easier. With only a few hundred dollars in hand and an Internet connection, anyone can obtain the software and support to build a botnet. After the initial outlay of cash, a criminal botmaster can quickly gain a significant return on investment through malware distribution, spam, phishing, and even DDoS attacks.

Because the software required to launch a proper botnet is complex and time-consuming to develop, entrepreneurial criminals with a talent for coding are cashing in on botnet purchase and rental schemes by developing the software and then selling it or even leasing use of it — think AWS for the criminally-inclined.

What is a botnet?

A botnet is a set of hijacked Internet-connected devices. Each of these devices is then injected with malware, which is used to control it from a remote location. Due to this distanced control, the device’s rightful owner typically has no knowledge of their device being used. From the viewpoint of these hackers, botnet devices are resources used for malicious purposes. Most commonly they are used for spam or DDoS attacks.

Individual botnet devices can be compromised simultaneously by multiple perpetrators. Each of these devices uses it for a different type of attack and sometimes even at the same time. A malware-infected personal computer, for example, can be ordered to access a website as part of a larger DDoS attack. It could also perform vulnerability scans at the same time, while its owner browsing the web. The owners are almost always unaware of both occurrences.

What is a DDoS attack?

DDoS means distributed denial of service. A DDoS attack is a malicious attack that makes servers or a network resource unavailable to their users. This occurs when a service is saturated, resulting in its temporary suspension or interruption. A DDoS attack differs from a DoS attack (Denial of Service) because it utilizes multiple connected devices. The attack is then often executed by botnets or individuals.

DDoS attacks are typically divided into two categories:

  • Application layer DDoS attacks: These attacks can include HTTP floods, slow attacks (Slowloris, RUDY), and those targeting vulnerabilities in operation systems, communication protocols, zero-day assaults, and web applications.
  • Network layer DDoS attacks: These attacks can include SYN floods, NTP amplification, UDP floods, DNS amplification, IP fragmentation, SSDP amplification, and more.

What are botnet booter services?

Botnet booters, also known as booter services, are on-demand DDoS (Distributed-Denial-of-Service) attack services offered by enterprising criminals in order to bring down websites and networks. In other words, booters are the illegitimate use of IP stressers. Botnet booters are packaged as SaaS (Software-as-a-Service). This can be marketed as email support or YouTube tutorials. These packages may offer one-time service, multiple service attacks within a limited time period, or even unlimited access.


phishing and fraud url intelligence

Learn more about “industry” trends, and how phishing kits work.

Watch the Webinar


Mastering Your Own Botnet

For criminals concerned about time-to-market, a basic botnet can be constructed in approximately 15 to 20 minutes. Once the criminal has decided the purpose of the botnet, and determined what key components are needed, online vendors, tools, and even sponsors are ready and available to help with the construction. Botnet builder kits are available for purchase online and a keyword search can get you to the right website in under five minutes. Once the botnet kit is purchased and made ready, the criminal simply needs to determine the payload, which is usually available in the chosen kit. Set-up of the C&C server is simple using a web host or online cloud service provider.

Cyren researchers examined the steps involved to set up a Zeus Botnet based on freely available software. There are two major steps that must be taken before the malware can be distributed: Setting up the server and assembling the malware.

zeus install.jpg

Simply clicking ‘Install’ sets the Zeus botnet process in motion.

zeus install 2.jpg

Zeus botnet install on Linux server.

1. Setting Up the Server

To set up the server, the wannabe botnet owner would install the Zeus Management Panel on a Linux server with an Apache Web server and other components. Once the Linux environment is set up, the Zeus software is simply copied over from a zip file. After a few permission changes, the setup process can be activated from any Web browser.

With the installation complete, the Zeus control panel can now be accessed from any Web browser.

2. Assembling the Malware

The next step is assembling the Zeus malware. Naturally, the malware has to be adapted to the newly created management server or C&C. In this instance, the soon-to-be bot owner is in luck because the creator of the Zeus Management Panel has streamlined the process to make it relatively easy.

zeus build malware.jpg

Zeus bot configuration and executable builder.

To assemble the Zeus malware, the botnet owner must first:

  • Set up configuration data which includes all the details of the server.
  • Build the bot configuration using the provided details and using a JPG image. The bot configuration data is embedded into the JPG using steganography (see p. 20).

The result is a bot configuration file and encrypted configuration inside a JPG image. Then the bot owner:

  • Builds the bot executable file from these components.
  • Saves the bot executable with a filename that will match the distribution campaign, for example “invoice.exe”.

For the aspiring “bot businessperson”, the more challenging part of the setup is the distribution. As mentioned in the Botnet 101 article on p. 3, this can be performed using another existing botnet. For example, the executable file can be distributed as zipped email attachments. A look at the panel after the first victim is infected shows the new bot is now available for commanding.

zeus operating.jpg

Zeus control panel with 1st bot connected.

Renting a Botnet: Low Prices & Great Locations

Renting a botnet is also an option. For as little as pennies a day through a PayPal account, any novice or experienced cybercriminal can rent a botnet. Stressers and botnet booters, as they are known in the cybercrime world, are online services offered by cybercriminals to provide customers with DDoS capabilities, usually for a nominal fee. By utilizing the software as a service (SaaS) subscription model, the average denial of service package might only cost an aspiring cybercriminal $0.66 per day or $19.99/month. Deluxe packages cost $34.99 month….

Botnet Attack Success Requires Planning

More serious botnet entrepreneurs will begin with a business plan that outlines their target victims and forecasts revenues and costs. Security analysts estimate that, if done right, botnets can garner criminals from hundreds of thousands to millions of dollars a year. It’s also important to consider that most serious botmasters manage more than one botnet. Botnet operators may also vary their campaigns and payloads by targeting different groups of victims, who specialize in certain niches, as in any industry.

Final Thoughts

The keey takeaway is to understand that botnet and malware developer tools are exceptionally easy and cheap to procure on the Internet, even for the most unsophisticated users. With only a beginner’s knowledge, criminals can leverage basic point-and-click build-your-own botnet kits and begin stealing money and data with minimal effort.

To get further up to speed on everything botnet, download Cyren’s free special threat report on botnets ,or learn more about our botnet protection services.


phishing and fraud url intelligence

Discover a behind the scenes look at phishing kits.

Watch the Webinar

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...