Botnets: The clone army of cybercrime

Botnets are among the biggest internet threats of the 21st century, and everything from laptops and routers to DVRs and security cameras is at risk of becoming a cog in the larger botnet wheel. Businesses are losing customers and millions of dollars in revenue thanks to botnets that control zombies, launch massive ransomware and phishing attacks, and drive distributed denial of service (DDoS) attacks. Cyren disrupts these modern clone armies of cybercrime with its email security and web security gateway services.

Botnets 101

A botnet is a network of internet-connected computers – or bots – each infected with the same or different types of malware specific to the botnet’s operations. These bots have the ability to ‘talk’ directly to the command and control (C&C) server, and sometimes to each other, to carry out the commands of their botmaster.

Botnets communicate in two primary ways

Direct command and control (C&C) botnets

The bot communicates directly with a server or group of distributed servers (the C&C) to get missions and to report its status.

Peer-to-peer (P2P) botnets

A decentralized network of bots for added protection against takedowns. P2P botnets may include a C&C server, but may also be designed with a specific random structure to further obfuscate the botnet and its purpose.

Botnet anatomy


Botmaster

The botnet's operator.

Command & Control (C&C)

The centralized computer that issues commands to and receives information back from the bots.


Bot

A device connected to the botnet. Most often a computer, smart phone, tablet, or Internet of Things device. Receives operational instructions from a C&C server, from the botmaster, or sometimes from other bots within the network.

Peer to Peer (P2P)

A decentralized network of bots for added protection against takedowns. Can include a C&C server, but may also operate without one. Usually structured randomly to further obfuscate the botnet and its purpose.


Zombie

Another name for a bot. A botnet is also known as a “zombie army.”

How a C&C botnet distributes malware

#1 A botmaster develops a botnet by distributing bot malware to infect PCs or other devices. He may also rent an existing botnet from another criminal.

#2 The newly harvested bots or "zombies" report in to the botnet's command and control (C&C).

#3 The C&C now controls these bots and issues instructions for the bot to distribute executable malware files, as well as the email templates and potential victim address lists.

#4 The infected zombie bots receive the orders, each sending email messages carrying the malware payload to thousands of potential victims.

A growing threat: Internet of things botnets

  • Criminals have been known to recruit MILLIONS of “smart” devices like DVRs and cameras to form a botnet.
  • Source code from two botnet malware families—Mirai and Bashlight—exploited weaknesses in the IoT device’s telnet remote connection protocol.
  • In October 2016, a Mirai-based IoT botnet brought down dozens of major websites like Twitter, CNN, and Netflix.
  • In October 2017, the “Reaper” botnet was discovered, with suggestions that the botnet had infected anywhere from 10,000 to 1 million IoT devices.
  • IoT devices often lack even the most basic security programming. Cleaning an infected device may require a reboot or password reset.

E.T. phone home: Legitimate botnets

Although the term ‘botnet’ is generally associated with cybercrime, there are legitimate botnets–also known as distributed computing systems. Botnets are nothing more than a group of Internet-connected devices each installed with software that enables collective performance of a function generated by someone controlling the system. By spreading the computing power across multiple platforms, tasks can be accomplished more efficiently and at less cost.

Perhaps the most famous distributed computing project is SETI@home, which employs the unused CPU and GPU cycles on a network of volunteer computers to analyze radio signals captured by the Arecibo radio telescope to search for possible evidence of extraterrestrial intelligence. Other well-known distributed computing projects support climate modeling and prediction, astrophysics, stock market prediction, molecular biology, and mathematics.

The 15-minute botnet

With only a few hundred dollars and an Internet connection, anyone can run a botnet. After the initial outlay of cash, a criminal botmaster can quickly realize a significant return on investment through botnet malware distribution, spam, phishing, and even DDoS attacks.

  1. Locate online botnet build kit with simple keyword search.
  2. Purchase the kit.
  3. Build the kit on your own or with help from online vendors, tools, or sponsors.
  4. Set up the server.
  5. Assemble the payload/malware.
  6. Deliver the malware with the operational botnet.

  1. Locate a botnet-for-sale on the dark web.
  2. A botnet with 100,000 infected computers is available for $7,500 payable in bitcoins.
  3. Generate an estimated 1 terabit per second worth of DDoS, malware, and spam traffic.

  1. Locate stressers/booters service online to obtain DDoS capabilities.
  2. With a software as a service (SaaS) subscription model, the average denial of service package may cost $0.66 per day or $19.99 per month. Deluxe packages cost $34.99 per month.
  3. Deliver payload using rented botnet.

Did you know...

What Botnets Are Used For:

  • Distributed Denial-of-Service (DDoS) Attacks
  • Sending Spam and Phishing Emails
  • Online Polls and Social Media Manipulation
  • Click Fraud
  • Eavesdropping or Surveillance (sometimes called "Sniffing")
  • Event Ticketing Fraud

Botnet growth via malware distribution

Botnets distribute a variety of malware, such as banking malware or ransomware. To create, expand, and maintain botnets, malware must be constantly installed on new computers. The graph below shows the huge numbers of Locky ransomware emails sent out by bots in 2016 as tracked by Cyren—and also the breaks where the botnet was silent.

Lessons learned from the Necurs botnet

In an analysis of the Necurs botnet, Cyren researchers found that during the first 24 hours, the bot malware installed itself, found a C&C server, updated its software, and distributed spam and Locky ransomware. Three key things stand out:

#1 The bot is exceptionally persistent about finding a C&C, trying thousands of different options.

#2 This two-year-old malware eventually managed to locate a working C&C. The C&C quickly updated the malware, proving the resiliency of the underlying threat.

#3 The bot was inactive for long periods, likely because: (a) a longer wait might prevent detection by automated sandboxes; (b) inactivity reduces resource usage on the infected PC; or (c) the bot has a specific target audience for the spam/malware campaigns.
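
Observations #1 and #2 leave a trace defenders can hunt for in DNS resolver logs: a burst of failed lookups for random-looking names, followed by one that resolves. The sketch below is an added example, not Cyren's code; it assumes the bot's C&C candidates are domain names, and the log format, thresholds, IP addresses and domain names are all constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <client> <qname> <rcode>".
# 10.0.0.5 plays the infected host; 10.0.0.9 is an ordinary workstation.
RANDOM_LABELS = ["xkqvbzrtwplm", "pwzrkqjvtxnb", "hgtzqwmxkvbr",
                 "vbnqzxkwjrtp", "mzkxqwvjhtrb", "tqxzvkwbjnmr"]
SAMPLE_LOG = [f"{1700000000 + 30 * i} 10.0.0.5 {name}.example NXDOMAIN"
              for i, name in enumerate(RANDOM_LABELS)]
SAMPLE_LOG += [
    "1700000180 10.0.0.5 jwqzkxvbtrnm.example NOERROR",
    "1700000010 10.0.0.9 www.example.com NOERROR",
    "1700000020 10.0.0.9 autodiscover.example.com NOERROR",
    "1700000030 10.0.0.9 wwww.example.com NXDOMAIN",
]

def label_entropy(qname):
    """Shannon entropy (bits per character) of the left-most DNS label."""
    label = qname.split(".")[0].lower()
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label))
                for c in counts.values())

def find_cc_hunting_hosts(log_lines, min_failed=5, min_entropy=3.0):
    """Flag clients with many distinct random-looking NXDOMAIN lookups.

    Returns {client: {"failed": count, "candidates": [names]}} where
    candidates are random-looking names that resolved after the failure
    burst, i.e. possible live C&C domains to block or sinkhole.
    """
    failed = defaultdict(set)     # client -> distinct failed random-looking names
    resolved = defaultdict(list)  # client -> random-looking names that resolved
    for line in sorted(log_lines, key=lambda l: int(l.split()[0])):
        _ts, client, qname, rcode = line.split()
        if label_entropy(qname) < min_entropy:
            continue              # ordinary-looking name such as "www"
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
        elif rcode == "NOERROR" and len(failed[client]) >= min_failed:
            resolved[client].append(qname)
    return {client: {"failed": len(names), "candidates": resolved[client]}
            for client, names in failed.items() if len(names) >= min_failed}

if __name__ == "__main__":
    for host, info in find_cc_hunting_hosts(SAMPLE_LOG).items():
        print(host, info)
```

Entropy alone would also match long legitimate labels such as `autodiscover`, which is why a host is flagged only when high-entropy names also fail repeatedly.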

Did you know...

Botnets can obscure communications using:

  • Tor-based botnets
  • Internet Relay Chat (IRC) botnets
  • Domain generation algorithm (DGA)
  • Encryption/complex protocols
  • Social media
  • Hidden communications inside legitimate services
  • Steganography

How to block the bot

Cyren Email Security
  • Outbound protection blocks botnet-infected devices from sending malware or spam from your domain.
  • Blocks delivery of sophisticated, large-scale email attacks on a global basis, as attacks happen in real time.
  • Policy-based encryption of email traffic for senders and recipients.
Cyren Web Security
  • Blocks outbound botnet calls to “command-and-control” servers.
  • Continuously monitors and blocks access to known and unknown botnet sites, malicious URLs, malware, APTs and zero-day attacks.
  • Finds hidden threats in encrypted SSL traffic.
  • Blocks identified threats cloud-wide in seconds.