Citizendium - a community developing a quality comprehensive compendium of knowledge, online and free. Click here to join and contribute—free
CZ thanks AUGUST 2014 donors; special to Darren Duncan. SEPTEMBER 2014 donations open; need minimum total $100. Let's exceed that. Donate here. Treasurer's Financial Report -- Thanks to August content contributors. --


From Citizendium, the Citizens' Compendium

Jump to: navigation, search
This article is a stub and thus not approved.
Main Article
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

A botnet, from "robot network", is a set of compromised machines — called bots, droids, or usually zombies — which can collectively perform tasks for the bot herder.

The main applications of botnets are to perpetrate various sorts of net.evil, such as conducting distributed denial of service attacks and sending spam. With a large number of infected computers — the Storm botnet had millions [1] — a botnet can be an extremely powerful computing system with enormous communication bandwidth. While Storm's heyday was 2007-2009, it has been reported as having returned in 2010.[2]

Interesting analogies have been drawn between "white hat" cloud computing services and "black hat" botnets, both of which are means of dynamically combining resources.

Recruiting the victim machines

Machines may be taken over in a variety of ways. Trojan horse programs — most often in games or pornography — are used. Phishing has been used as an attack vector to recruit new zombies. [3]. Some viruses make the victim computer part of a botnet. A famous example was the Storm botnet [4], spread mainly by email messages. These methods can be combined; downloaded malware might scan the victim's address book and try to spread further via email or instant messaging.

Another method is to concentrate on attacking web servers, especially those for busy sites. If the attacker can subvert a web server, then he can plant malicious code there; that code will then automatically attempt to subvert every machine that visits the site. This is extremely good for the attacker; by breaking security on a single web site he can subvert large numbers of machines. Even better for the attacker, and worse for everyone else, sometimes a single host or group of hosts supports many web sites; if the attacker can plant a malware link in the global scripts on such a host then it affects all the sites. This seems to have been the technique in a 2010 attack that affected hundreds of Wordpress blogs.

Botnets can also be built by actively scanning for insecure machines. Any computer can be attacked in this way, but one target is common enough and often insecure enough to be the favorite. The attacker looks up the IP address ranges used for broadband Internet services; any machine he can compromise there will have a good enough net connection to be quite useful to him. Most are home machines, often not set up for secure operation and not protected by firewalls. He then scans those IP addresses looking for Windows machines that have not installed Microsoft's security updates and are therefore vulnerable to known attacks.


Basic computer hygiene can greatly reduce the risk of a home machine becoming part of a botnet. Simply doing Windows updates prevents many of the attacks used. A virus checker will detect and remove many botnet infections. Checking network settings to ensure that you are not allowing file shares to arbitrary people can block some attacks. Running firewall software to prevent your machine responding to arbitrary requests for connections can block others.

A cheap off-the-shelf router provides a hardware firewall between your machine and the net. This is better than a software firewall for blocking the attacks that scan for insecure machines. It also has other benefits such as allowing multiple machines to share a connection. Of course an attacker might scan for insecure routers but, since these are relatively simple single-purpose systems and much of the setup is done by professionals, the risk of attack is lower than for a desktop system connected directly to the net.

User attitudes and behaviour are important. Bad habits — such as routinely downloading software from sites you have no good reason to trust or following links in emails without carefully verifying the sender — are almost certain to bring infections sooner or later.

The International Telecommunication Union have a Botnet Mitigation Toolkit and the White House have announced an initiative [1] to fight them.


  1. Sharon Gaudin (September 6, 2007), Storm Worm Botnet More Powerful Than Top Supercomputers
  2. Ricardo Robielos III (26 April 2010), The come back of “Storm Worm”, CA Community
  3. Matthew Vea (07 March 2010), "A Short Look into a Phishing Email", Omninerd
  4. The Storm Worm, Bruce Schneier, 4 October 2007
Personal tools