What are some positive uses of botnets

What is a botnet and how does it work?

If your own computer suddenly runs slower, it is very possible that your computer has become part of a so-called botnet. A botnet is an amalgamation of many PCs to form a large, automated computer malware program. The computers within a botnet are called bots. The local resources and data of these bots are available to the botnet without the owner knowing about them or having given their consent. For this reason, the computer suddenly slows down, as part of the main memory is occupied by the botnet and increased swapping activity becomes visible.

Once your computer is infected, it can be used as a bot by the so-called botmaster (attacker) for its own purposes. The computers of a botnet are often used to send e-mail spam. However, other cybercriminal activities are also conceivable. The greatest danger in a botnet is, as you personally, that your computer carries out criminal acts for which, in the worst case, you have to be fully liable. So that this does not happen to you, we will introduce the botnet to you in more detail below and show you how such a network works.

What is a botnet?

From a technical point of view, a botnet or botnet is an association of independent computers that represent themselves as a single system. This cloud uses a computer without the consent of the owner. A botnet can also be described as an amalgamation of automated computer malicious programs, as the computers are infected with malware of the backdoor type and integrated into the botnet as a bot. This approach creates large networks and a botnet can be seen as a huge spider web that connects countless computers with one another.

PCs are infected unnoticed and controlled remotely by strangers (the botmasters). Therefore they are colloquially called zombies or zombie computers. The botnet operates in the background of the computer. It only works when the computer is up and connected to the internet. The owners of the PCs are nevertheless clueless and do not notice the work of a bot, since the main aim of the botnet is not to be discovered and so the botmaster can use the foreign computers for his own purposes.

Properties of a botnet

One important property of a botnet is the distribution of resources. Since the computer user should not notice anything from the botnet, the malicious application must behave inconspicuously. Therefore, the botnet client must run with idle priority in order not to slow down the user's PC. Furthermore, a bot may occupy a maximum of 15 percent of the free main memory so that the host does not become suspicious. If too much memory were consumed, there could be increased hard disk swapping activity, which could give the botnet away.

On the other hand, the botnet has the task of controlling the client application. If a botnet determines that the client is not working properly and complications arise, the malicious program is terminated. A third fundamental property of the botnet is that the botnet client gathers information about the host's hardware and software. Should malware require a specific operating system, the client can report whether this is the case.

The botnet also collects information about the speed of the Internet connection and the time during the day that the computer is in operation. In this way it can be calculated how many spam emails can be sent with the targeted computer and whether the computer is effective for one's own purposes and goals.

In the above figure, the functionality of a botnet is described in a simplified manner. Here you can see in the first step that the botmaster sends malware to different computers and that the botnet client reaches the individual bots via this. Once the bot has arrived on the infected computer, it connects to the Command & Control server. This server is usually an IRC server, but it can also be a completely normal web server (you can find out more about the different servers and botnet types in the section “The different botnet types”).

After the bot has been set up and has successfully contacted the botmaster, he can sell the botnet's computing power to interested “customers”. For example, if the “customer” is a spammer, the botmaster contacts his bots via the IRC server and orders them to send e-mail spam.

In addition to e-mail spam, there are many other possible uses for which a botnet can be used. We will introduce you to these various possible uses below.

Diverse application possibilities of botnets

Bot networks are used for various purposes. The US University of Berkeley offers legal use of a botnet. She wrote code for a benign botnet. Computer users can join these voluntarily and reduce IT costs for numerous research projects. Another legal and positive use is a botnet that researchers use to find intelligent life in space.

So a botnet can also have useful uses. However, the number of illegally used botnets is much higher. The infected computers are most commonly used to distribute spam. This is the most common way of using botnets. 80 percent of all spam e-mails get into circulation through infected computers. Phishing emails are sent using externally controlled PCs without the computer owner being aware of them. However, the spam sent does not have to come from the operators of the botnet. Because the networks are rented to spammers. This is a lucrative source of income for the botnet operators, but also for the spammers. It is not uncommon for them to earn up to $ 100,000 a year from their emails.

The botnets can also bring in illegal money through their sale or it serves as storage space for criminal activities. Botnets can also organize the procurement of sensitive data. For example, a computer's stored e-mail addresses can be stolen. The perpetrators use this data themselves or sell it at high prices on the Darknet.

In addition, a botnet can hide the original address of an offender. Because if a connection is established from an infected PC to a third computer through a botnet, the original address is concealed. With this anonymous access to the Internet, crimes can be committed without exposure. For example, websites can be hacked or stolen money can be transferred. The intermediary of a PC is also used to infect other computers with one of the many forms of malware.

The possibilities for criminal use of a botnet are therefore diverse and, in addition to sending e-mail spam, the botnet is probably the second most frequently used for DDoS attacks. These are attacks that can disable the availability of a server with a large number of false requests. The excessive number of requests leads to an overload of the server and the operator no longer has access to it. At this very moment, the bot operators approach those affected and demand money so that they can stop the attacks. The servers of companies that rely on a flawless Internet are particularly affected by this method. If there is a standstill during work or if the entire production is even paralyzed, this leads to losses for the company. Therefore, companies often pay the money to the extortionists.

DDoS attacks are not only carried out against private individuals and corporate servers. Servers of stately institutions and governments are also victims of cyber extortion. In the worst case scenario, this type of attack can lead to conflicts in individual countries if the attack takes place via the servers of another country.

The different types of botnets

Bot networks are divided into different types. Botnets can be differentiated according to the type of control by the botmaster or based on a classification of their control protocols.

Classification according to the type of control

When classifying botnets according to the type of control, two types of botnets are known. On the one hand there is Botnets with a control center. This control center, also known as the Command & Control Center, connects all zombie computers. It also registers new bots in the center's database, monitors them and sends them the botmaster's commands. All infected PCs are visible in the control center. Access to the central zombie computer network is only possible through the command center. They are the most common type of botnet. That's because they're easy to develop and manage. However, they can also be quickly neutralized from the outside.

On the other hand there is decentralized botnets (P2P) that are not connected through a control center. In the P2P networks, only a few zombie computers are directly connected to one another. Each bot only has a few addresses from infected PCs. And those with whom he is connected. In contrast to the bot network with a control center, in the P2P network the operator only needs to access one of the computers concerned in order to control the decentralized network. The construction of this type of botnet is complex and difficult to deactivate from the outside.

Classification according to the control protocol used

A botnet can also be classified according to the network protocol it uses. The botmaster's commands only reach all affected PCs if there is a connection between them and the control computer. The data traffic that runs over networks follows protocols. These protocols regulate the communication between botmaster and botnet.

Within this classification there are the botnets that IRC-oriented network protocols use for communication. Here the control of the bot is based on the Internet Relay Chat, or IRC for short. Every zombie computer carries the address of an IRC server and establishes a connection to it. The infected computer then receives the botmaster's commands via an IRC channel.

It is similar IM-oriented network protocol. One difference is that the data transfer takes place via messaging services. Each zombie PC must have its own IM account (instant messaging account). Each bot must also have its own access data. These restrictions mean that the IM-oriented network protocols are among the least common types of botnets.

The Web-oriented botnet type is controlled via the internet. He is a relatively new type and connects to a selected server. He receives his commands and sends him data. This quickly developed type is set up in a very short time and can use many web servers.

There are also botnet types that only work on the TCP / IP stack based. Your communication takes place via its own protocol. These are general protocols like TCP, ICMP, and UDP.

Communication with the botmasters

A botnet client cannot communicate with a command and control server at a fixed address. If a bot client has successfully established itself in a computer, it can, for example, contact its creator by changing domain names. The bot draws attention to itself with apparently randomly generated names, such as exxkvcz.cc. The operators notice the domain and register it under a false name. As soon as an affected PC contacts the botmaster, it receives new commands and new malware.

Another way a botnet can communicate with its operator is by forwarding it on a specific port. If the infected computer is directly on the Internet or is connected via a router (it must be able to use UPnP or NAT-PMP), the botnet client can establish a connection to a port through which it can send commands.

The spread of the bot

Infecting a computer with a botnet is quick. If a user arrives at an infected website and does not follow the rules for good virus protection, the malicious code is attached unnoticed. Once infected with the botnet client, it is not so easy to get rid of it.

The botnet client can also sneak in via email. If an email contains the bot's installation program as an attachment or the email forwards a link to an infected website. During the installation of harmless programs, a Trojan horse can also get onto the computer. This enables the botnet to access the system. A running bot network receives new computers and can expand its range.

Once the botnet client has been installed on the computer, it seldom or not acts on its own. Rather, it waits for commands from the command and control server. An important task of the bot is to reload additional software on the infected servers. With the new programs, further activities can run unnoticed in the background.


Botnets can do a lot of damage and are more prevalent than you might think right now. According to projections by the anti-botnet advice center of the Internet association Eco, around 40 percent of all computers in Germany are already part of a botnet or could easily be integrated into one.

If you look at the possible uses of a botnet and what impact the activities of the operator can have, the primary goal of every computer owner should be to protect himself from this threat. The first step in protecting yourself against this type of cybercrime is to use a good antivirus program and a working firewall. The firewall alone can work wonders, as it regulates the incoming and outgoing Internet connection and informs you, the user, about programs that want to establish a connection to the Internet. With this notification, you could, for example, identify malware that has just been installed and that would like to contact its operator.

Category: General