Botnet Attacks

From ICANNWiki

Botnet Attacks involve networks of infected computers controlled by a hacker or "botherder"[1] without the consent of the computers' owners.[2][3] These infected computers can be used in complex cyberattacks, including but not limited to Fast Flux attacks, in which the controller uses the botnet to hide his or her location, Spam attacks, DDoS attacks, and Phishing attacks, all without the knowledge of the computers' owners.[1][3]

The term botnet comes from the combination of robot and network.[2] Botnets are sometimes referred to as zombie computers or zombie networks because they infect other computers.[1][4] They can also be hard to detect and shut down once they are established, especially since the average user may not realize their computer is part of one.[5] For example, when part of the Kelihos botnet was taken down, it reappeared within 4 months.[6]

Notorious Botnets

Botnets are considered by the Internet security community to be a major threat to general security and personal information.[1][7] Individuals, however, may not be aware that their computers are infected, making botnets an insidious threat. Botnet attacks negatively affect the Internet community and many personal users through identity theft, poor computer performance, spam, and malware.

  • Emotet - (identified 2021, 2022); still active; compromised email addresses sending thousands of messages with malware-laden attachments, popularizing thread hijacking[8]
  • TrickBot - (2016); banking Trojan that can steal financial details, account credentials, and personally identifiable information[9]
  • 3ve - (2018); ad fraud
  • Mirai - (2016); first major botnet to infect insecure IoT devices
  • Methbot - (2015)
  • Mariposa - (2008); took credit card numbers and passwords to accounts on financial services sites using malvertising. Spanish law enforcement brought down the operation when they discovered a record of everyone who paid to rent the network.[10]
  • Kraken - (2008); first observed to use evasion techniques to avoid detection by anti-malware software, even when auto-updated.
  • Grum - (2012); pharmaceutical spam
  • Cutwail - (2007, 2014, 2018); still active
  • Storm - (2008); first known peer-to-peer botnet
  • EarthLink Spammer - (2000); phishing scams masked as communications from legitimate websites sent by Khan K. Smith

Historical Use

  • Botherders or controllers frequently target PCs without adequate security protection such as personal computers with Internet access.[11] Botherders can also create botnets by getting an Internet user to unintentionally download malware.[4] According to the GNSO's Registration Abuse Policies Working Group (RAPWG) report, botnet controllers can use registered or unregistered domains to give infected computers instructions or updates.[12] If the botnet had been communicating via a certain domain name and the name expires, the botnet may disappear temporarily but become active again when the domain is re-registered.[5]
  • According to a BBC news report, 5-10% of all computers are infected and act as part of a botnet.[5] Estimates about the relative sizes of botnets vary, starting with botnets as small as a few hundred computers leading up to botnets that exceed 50,000 compromised computers.[13] Some extensive botnets may have more than half a million infected computers.[7]
  • Botnets can be used in multiple ways that threaten Internet users. For example, botnets can relay information from individual computers back to the botherder by using keylogging software. This information, including passwords, credit card numbers, or bank account numbers, can then be used by the network controller.[11] Botnets can also be used in Distributed Denial of Service (DDoS) attacks,[11] fast flux attacks, phishing attacks, spam campaigns,[2] identity theft, click fraud, and distributing malware.[1][14] Botnets can also affect mobile devices and phones; a Symantec report stated that a botnet-infected mobile app generated anywhere from $1,600 to $9,000 per day.[6]
  • In 2014, the FBI in collaboration with law enforcement officials from multiple countries "disrupted" the Gameover Zeus botnet, which has allegedly been responsible for $100 million in losses.[15] This botnet is believed to comprise anywhere from 500,000 to 1 million computers.[15] The operator of this botnet could face bank fraud, wire fraud, conspiracy, and computer hacking charges.[15]

ICANN Policy

  • The GNSO's RAPWG looked at the issue of malware and botnet attacks as they may utilize registered or unregistered domain names.[12] However, some view botnets as outside the scope of ICANN policy.[12]
  • The 2013 Registry Agreement (RA), which all new gTLD applicants were required to sign, states that registries must require their registrars to include policies that prohibit registrants from activities like creating botnets.[16] Additionally, registries are required to "periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats" and to keep security files on threats and the remedial actions taken by the registries.[16]
  • The proposed Internet Spyware (I-Spy) Prevention Act and Cybersecurity Enhancement Act, neither of which passed the Senate, could have potentially created harsher punishments for cyber crimes.[19] In 2013, the EU approved new cyber-legislation that increases the culpability of botnet creators and sellers in addition to those that use them for criminal activities.[20]
  • Internet crimes, such as botnet attacks, are investigated by the Federal Trade Commission (FTC) and the FBI's cyber task force divisions.[4] In 2007, the FBI working in conjunction with New Zealand authorities and the U.S. Secret Service caught and prosecuted 8 people involved in botnet attacks.[21] The FBI's "Bot Roast" operations have "uncovered more than $20 million in economic loss and more than one million victim computers."[21]


  1. Bots and Botnets—A Growing Threat, Symantec Corporation
  2. Botnet Attack Information, Kaspersky Lab
  3. Botnets
  4. Botnets 101: What They Are and How to Avoid Them (June 5, 2013), Federal Bureau of Investigation
  5. Zombie botnets: Why some crime networks refuse to die by Mark Ward (January 20, 2014), BBC
  6. 2013 Internet Security Report, Vol. 18 (PDF), Symantec Corporation
  7. Security Threat Report 2014 (PDF), Sophos
  8. Emotet Email Aftermath, Spamhaus News
  9. Trickbot Alert, CISA
  10. Notable Botnets, Human Security Blog
  11. botnet (zombie army) by Margaret Rouse (February 2012)
  12. Working Group Final Report; Submitted on May 29, 2010 (PDF), Internet Corporation for Assigned Names and Numbers (ICANN)
  13. Lessons Learned (August 10, 2008), The Honeynet Project
  14. Uses of botnets (August 10, 2008), The Honeynet Project
  15. by Grant Gross (June 2, 2014), PCWorld
  16. View the Updated Registry Agreement (PDF), Internet Corporation for Assigned Names and Numbers (ICANN)
  17. Botnet Bandit Sentenced In Federal Malware Case by Bill Singer (September 6, 2012), Forbes
  18. Computer Fraud and Abuse Act (CFAA), Thomson Reuters
  20. EU approves stricter laws for punishing cyber crooks and botnet creators by Alastair Stevenson (July 5, 2013)
  21. 'Bot Roast II' Nets 8 Individuals (November 29, 2007), Federal Bureau of Investigation