The IT Law Wiki


A botnet (a contraction of the term "RoBOT NETwork") is

[a] network of remotely controlled systems used to coordinate attacks and distribute malware, spam, and phishing scams.[1]
[a] network[] of Internet-connected end-user computing devices infected with bot malware, which are remotely controlled by third parties for nefarious purposes. A botnet is under the control of a given "botherder" or "botmaster." A botnet might have just a handful of botted hosts, or millions.[2]
[a] collection[] of computers infected with malicious code that can be controlled remotely through a command and control infrastructure.[3]
[a] network[] of compromised computers that are remotely controlled by malicious agents. They are used to send massive quantities of spam e-mail messages, co-ordinate distributed denial-of-service attacks (DDOS) and facilitate financial and identity fraud, among other economically and socially harmful activities. They therefore represent a major problem for security and trust in online environments.[4]


Botnets are not necessarily malicious. The computer code botnets use also enables desirable communication across the Internet, such as the chat rooms that were popular in the 1990s. However, programmers have figured out how to exploit vulnerabilities in widely used Microsoft Windows operating platforms to degrade, destroy, and manipulate computer networks—often without the knowledge of the machine's owner or local operator. Because they are automated programs, when released, bots lurk on the Internet and take over computers, turning them into a network of 'zombies' that can be operated remotely. The majority of email spam is generated by botnets without the host computer's knowledge. In fact, owners are often not aware that their computers are part of a botnet, the only indication of which is sluggish response time.

A 2006 industry report indicated that nearly 12 million computers around the world were compromised by bots.[5] Researchers suggest an average of about 4 million new botnet infections occur every month.[6] Typically, users whose computers have been conscripted into a botnet are unaware that their computers have been compromised.

Hundreds or thousands of these infected computers can operate in concert to disrupt or block Internet traffic for targeted victims, harvest information, or to distribute spam, viruses, or other malicious code (called collectively "Botnet code"). The attack value of a botnet arises from the sheer number of computers that an attacker can control.

Botnets are becoming a major tool for cybercrime, partly because they can be designed to very effectively disrupt targeted computer systems in different ways, and because a malicious user, without possessing strong technical skills, can initiate these disruptive effects in cyberspace by simply renting botnet services from a cybercriminal. Botnets have been described as the “Swiss Army knives of the underground economy” because they are so versatile.[7]

"Key components of a large bot network includes, but not limited to:

How they work[]


Traditionally, botnets organized themselves in an hierarchical manner, with a central command and control (C&C) location (sometimes dynamic) for the botmaster. Intruders exploit security flaws in the hardware and/or software used by individual consumers, and they install malicious software that connects the consumer’s computer into a remotely controlled network of many computers.

Once compromised, the infected computers are instructed to communicate with the command and control server and follow whatever instructions are received. By relaying commands through the C&C, the bot herder is able to remotely control a vast network of compromised computers, and use those computers for a variety of nefarious purposes, including the sending of spam, the distribution of malicious software, click fraud, and denial of service attacks.[9]

However, in the near future, security experts believe that attackers may use new botnet architectures that are more sophisticated, and more difficult to detect and trace. One class of botnet architecture that is beginning to emerge uses peer-to-peer protocol, which, because of its decentralized control design, is expected to be more resistant to strategies for countering its disruptive effects. A well-designed peer-to-peer botnet may be nearly impossible to shut down as a whole because it may provide anonymity to the controller, who can appear as just another node in the bot network.

Some botnet owners reportedly rent their huge networks for US$200 to $300 an hour, and botnets are becoming the weapon of choice for fraud and extortion.[10] Newer methods are evolving for distributing “bot” software that may make it even more difficult in the future for law enforcement to identify and locate the originating botmaster.

Some studies show that authors of software for botnets are increasingly using modern, open-source techniques for software development, including the collaboration of multiple authors for the initial design, new releases to fix bugs in the malicious code, and development of software modules that make portions of the code reusable for newer versions of malicious software designed for different purposes. This increase in collaboration among hackers mirrors the professional code development techniques now used to create commercial software products, and is expected to make future botnets even more robust and reliable. This, in turn, is expected to help increase the demand for malware services in future years.[11]


Computers may be vulnerable to bots for a variety of reasons, including:

un-patched operating systems, software vulnerabilities (which include so-called zero-day vulnerabilities where no patch yet exists), weak/non-existent passwords, malicious websites, un-patched browsers, malware, vulnerable helper applications, inherently insecure protocols, protocols implemented without security features switched on and social engineering techniques to gain access to the user's computer."[12]

Criminal conduct[]

The rise of botnets has been recognized as the most serious security threat facing the Internet.[13] Among other harms, experts estimate that botnets are responsible for approximately 85% of spam sent worldwide.[14] Operating a botnet is illegal, and in many cases, punishable as a felony.[15]

Once compromised, the owners of these computers are put at risk. Criminals have the ability to access personal information stored on the computer and communications made with the computer. Criminals can exploit this information for identity theft, privacy violations, and other crimes, as well as utilize the impacted users’ computing power and Internet access. Networks of these compromised computers can be used to store and transfer illegal content, and attack the servers of government and private entities with distributed denial-of-service attacks.

Click fraud is another potential illegal use for a botnet.[16] Click fraud is a crime in many jurisdictions, including California, where it is a felony.[17]

An OECD report[18] identified the following as typical criminal uses of a botnet:

  1. Locate and infect other information systems with bot programmes (and other malware). This functionality in particular allows attackers to maintain and build their supply of new bots to enable them to undertake the functions below. . . .
  2. Conduct distributed denial of service attacks (DDoS).
  3. As a service that can be bought, sold or rented out.
  4. Rotate IP addresses under one or more domain names for the purpose of increasing the longevity of fraudulent web sites, . . . for example host phishing and/or malware sites.
  5. Send spam which in turn can distribute more malware.
  6. Steal sensitive information from each compromised computer that belongs to the botnet.
  7. Hosting the malicious phishing site itself, often in conjunction with other members of the botnet to provide redundancy.
  8. Many botnet clients allow the attacker to run any additional code of their choosing, making the botnet client very flexible to adding new attacks.


  1. Defense Department Cyber Efforts: DOD Faces Challenges In Its Cyber Activities, at 14.
  2. U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs), at 21.
  3. Botnets as a Vehicle for Online Crime, at 2 n.1.
  4. Proactive Policy Measures by Internet Service Providers against Botnets, at 6.
  5. See McAfee Virtual Criminology Report: Organised Crime and the Internet (Dec. 2006).
  6. See McAfee Quarterly Threat Report 2nd Quarter 2011 (full-text).
  7. See Joaquim P. Menezes, "Why We're Losing the Botnet Battle," NetworkWorld (July 26, 2007)[1]; Robert Lemos, “Breaking the Botnet Code,” Tech. Rev. (Nov. 11, 2009)[2]; Gregg Keizer, "Botnets 'the Swiss Army knife of attack tools'", Computerworld (Apr. 7, 2010)[3]; "Netherlands Home to Many Botnet Computers," (Jan. 14, 2011)[4]; "'Botnets Are the Criminals' Swiss Army Knife'", eco, Association of the German Internet Industry (June 24, 2011) [5].
  8. Cybersecurity Risk Management and Best Practices (WG4): Final Report, at 407.
  9. Id.; CERT Coordination Center, Botnets as a Vehicle for Online 6 Crime, at 7-16.[6]
  10. Susan MacLean, “Report warns of Organized Cyber Crime,” ItWorldCanada, Aug. 26, 2005.[7]
  11. McAfee Virtual Criminology Report: Organized Crime and the Internet (Dec. 2006).[8]
  12. Recommendations for the Remediation of Bots in ISP Networks.
  13. See, e.g., Tim Ferguson, Security Experts: Botnets Biggest Threat on Net, ZDNet UK, Apr. 11, 2008.[9]
  14. See, e.g., Marshall8e6, Are Bots About to Bring Down Your Business? at 2.[10]
  15. See 18 U.S.C. §1030.
  16. See, e.g., Stefanie Olsen, Exposing Click Fraud, CNET News.[11]
  17. See Cal. Penal Code §502.
  18. Malicious Software (Malware): A Security Threat to the Internet Economy, at 23.


External resources[]

  • Zheng Bu, Pedro Bueno, Rahul Kashyap, et al., "The New Era of Botnets" (McAfee 2010) (full-text).
  • CERT Coordination Center, "Botnets as a Vehicle for Online Crime," at 11, 20 (full-text).
  • Tim Cranton, "Cracking Down on Botnets," Microsoft on the Issues Blog (Feb. 24, 2010) (full-text).
  • Jaideep Chandrashekar, Carl Livadas, Steve Orrin & Eve Schooler, "The Dark Cloud: Understanding and Defending Against Botnets and Stealthy Malware" (Aug. 4, 2009) (full-text).
  • Online Trust Alliance, "Combatting Botnets Through User Notification Across the Ecosystem" (full-text).

See also[]