As large networks of compromised computers, botnets have been around for years. The idea of creating a whole network of infected machines that can be used to carry out large-scale cyber attacks and spread malware has undoubtedly changed the internet as we know it today.
Botnets are the driving force behind the vast majority of cyber attacks targeting not only WordPress websites and servers but whole networks and computer systems. Beyond a shadow of a doubt, the modern world of cyber security revolves around networks of bots as the heart of the whole economy that rules the dark web.
The ecosystem has evolved so much that the existence of botnets has created a new trend in the cyber security industry, known as an attack as a service or botnet as a service. Botnet creators would rent out the computing power and resources of the compromised machines under their control to third parties to launch cyber attacks of different kinds.
WordPress sites fall victim to bot-driven attacks and get drawn into botnets more often than you can imagine. In fact, the vast majority of the time a WordPress website is hacked, it becomes part of a network of other compromised websites and servers. Botnet malware lies dormant in the system until the bot master decides to use your website to launch an attack. In addition to the obvious negative consequences malware infections have, being part of a botnet will make your website extremely slow as the hacker will now use your server resources to power new attacks.
To make matters worse, leaving a botnet is not at all an easy task. An attacker would make sure to leave carefully crafted backdoors to take advantage of your WordPress website for as long as possible. This is why knowing how exactly botnets work and how to protect your WordPress site is imperative.
In this comprehensive guide to networks of bots, we take a deep dive into the history and architecture of botnets, uncovering the mystery that lies behind modern, highly distributed, bot-driven cyber attacks. You will learn about some of the most prominent botnets that exist today and how you can protect yourself and your business from the destruction they carry.
What is a Botnet?
A botnet, which stands for a network of bots, is a distributed system of compromised computers infected with the same type of malware that allows the attacker to use the consolidated pool of computing resources to launch large-scale cyber attacks. Aside from carrying out cyber attacks, botnet owners can use the network-infected computers to perform other activities, such as mining cryptocurrency or boosting views on an advertisement or video.Â
Running a botnet is illegal, and many known networks of bots were eventually shut down, with their owners arrested. Despite the fact that it’s often hard to identify the owner of a particular botnet, it is not impossible.
How Large Are Botnets and What Kind of Devices Form Them?
When it comes to network size, botnets vary dramatically. The same goes for the types of infected entities that form a botnet. There can be from just a couple of infected websites to hundreds of thousands of compromised computing systems. This depends on what systems an attacker operating a botnet targets most.
 Here are the main types of devices that form botnets:
- Personal computers and mobile devices. Desktop computers, laptops, smartphones, and tablets running different operating systems.
- Internet of things (IoT) devices. Smart home devices, fitness trackers, and smartwatches.
- Network core devices. Packet switches such as routers.Â
- Servers and individual websites.Â
Most of the time, hackers target personal computers, mobile devices, and servers to infect them with botnet malware and connect them to the existing network of bots. However, WordPress websites can also be entities forming a botnet. In this way, your site content is not the target for hackers, but your site’s server resources are extremely valuable in a botnet. The main difference between these situations is the level of control an attacker gains over the compromised system.
If a WordPress website is compromised with the purpose of adding resources to a botnet, in most cases, the attacker won’t be able to gain root, or admin, level access to the server. This means that they will be limited to the number of server resources and the level of system access the compromised website, or rather the system user that owns the website, has.Â
How are Botnets Created?
Botnets are created by infecting computer systems with malicious software, which in most cases comes in the form of a trojan horse virus that a user can inadvertently download or the malicious payload hackers install on an already compromised server or website. Using this special type of malware, also known as a botnet, a hacker maintains control over the infected victim’s system and uses it to perform fraudulent activities by sending instructions over the network.
Once installed, botnet malware makes the compromised system distribute it further, infecting more computers that will be connected to the fraudulent network. One of the main reasons why botnets rely on constant expansion is the difficulty of maintaining access to compromised systems. The backdoor created by a botnet can be discovered and removed at any moment, which means that the endpoint will be disconnected from the network of bots and will no longer be controlled by the hacker.Â
Common Ways Botnet Malware is Distributed
How exactly is botnet malware distributed? Botnet malware can be spread by using a wide range of techniques, which often include social engineering, exploiting a vulnerability, or carrying out a brute force attack to gain unauthorized access to the system to upload a malicious payload.
Personal Computers and Mobile Devices
Surprisingly, when it comes to getting control over personal computers and mobile devices, sending out malicious email attachments is the number one method hackers employ. Files such as Excel spreadsheets and Microsoft Word documents, as well as file archives, are the most common ways botnet malware is distributed. One of the most notorious botnet malware, Emotet, is believed to be distributed via malicious email attachments.
However, even if the victim downloads the attachment, it is not enough for the botnet malware to be activated on their device. A user has to confirm certain seemingly harmless activities, such as running macros or enabling file editing, that will trigger the infection and grant the attacker full system access to the target computer, including all data stored on it.
Aside from this method, botnet malware can also be distributed using cross-site scripting attacks or disguised as legitimate software a user is invited to install. Compromising websites of interest to the targeted users in order to infect their personal devices is commonly known as a watering hole attack and is widely used by botnet owners.Â
Servers and WebsitesÂ
Servers and websites typically can not be infected with botnet malware the same way as personal computers and mobile devices. An attacker typically exploits a vulnerability to gain system or website-level access to a victim server and then uploads malicious software that will then allow them to establish control over it.Â
Websites compromised by the attacker will then be used to distribute botnet malware further by injecting malicious code into them. Users visiting infected sites will have the malware downloaded and activated on their devices that will become a part of the same network of bots. Ensuring that your site is adequately protected by a security solution like iThemes Security not only helps your site defend against these attacks, it helps your site not to infect others, stopping botnets in their tracks.Â
Client-server and Peer-to-peer: The Architecture of a Botnet
Botnets are typically built on one of the two main network application models: client-server and peer-to-peer (P2P) architectures. The client-server model remains the most prevalent architecture not only botnets but also most web applications take advantage of.
The client-server architecture is used to create a centralized model, where the attacker’s machine, also known as a bot herder, sends out instructions to zombies, or bots, that form a botnet. Zombie computers, in turn, do not directly communicate with each other. Large botnets can be driven by multiple bot herders – proxies – to help make the management process easier.
In some cases, botnets can use the decentralized model that employs peer-to-peer communication. Decentralized botnets can have the instructions passed from one zombie computer to another, subsequently spreading the commands across the whole network of bots. The P2P architecture makes it more complicated to identify the herder and uncover the identity of the bot master.Â
Along with the bot herder initiating a connection to a zombie computer, infected devices often send requests to the bot master at regular intervals to check for new instructions. Most botnet malware is configured to remain inactive for a long period of time to escape detection.
The Command and Control (C2) Server as The Heart of a Botnet
The bot herder, which represents the bot owner’s computer used to issue commands to zombie machines, is known as the command and control server, or C2. The command and control server lies at the heart of each botnet and allows the attacker to communicate with the compromised systems using either the client-server or peer-to-peer network application architectures.
Once a new zombie computer is added to a botnet, the command and control center forces it to create a communication channel for the attacker to establish a hands-on keyboard presence on the infected device. This is achieved via remote access tools.Â
C2C servers often resort to using trusted and rarely monitored traffic, such as DNS, to send instructions to infected hosts. To avoid discovery by law enforcement, the locations of command and control servers are frequently changed by the bot master, and malicious techniques such as domain generation algorithms (DGA) are often employed.Â
Top 3 Largest and Most Popular Botnets Created
Botnets are believed to have emerged in the early 2000s and have evolved ever since. One of the first known botnets was discovered in 2001. A huge network of bots was created to launch spamming campaigns that accounted for around twenty-five percent of all unsolicited emails sent at that time.Â
Since then, numerous large botnets have been discovered and dismantled. However, some networks of bots containing hundreds of thousands or even millions of compromised computers still exist today and are actively used to carry out large-scale cyber attacks.Â
The top three largest and most popular botnets that exist today are Mantis, Srizbi, and Emotet botnets.Â
Mantis botnetÂ
In 2022, CloudFlare reported that its network was targeted by a massive DDoS attack, with 26 million web requests per second hitting the infrastructure. CloudFlare called it the largest DDos attack they had ever mitigated and revealed that the Mantis botnet used only approximately 5000 bots, which is just a small fraction of the botnet’s total computing power.Â
To take matters further, all requests were sent via HTTPS, which is significantly more expensive and difficult to achieve in terms of a DDoS attack. This has made the Mantis botnet one of the most powerful networks of bots currently in operation.
Srizbi botnet
The Srizbi botnet has been around for over a decade and is believed to be responsible for sending out over half of all the spam sent by all other major networks of bots combined. The botnet is estimated to have around half a million infected endpoints in control and is rapidly expanding by distributing the so-called Srizbi trojan.Â
Emotet botnet
Starting out as a banking trojan aimed at stealing credit card information from infected computers, Emotet has quickly evolved into a huge botnet with over half a million compromised endpoints all over the globe. Emotet malware is known to be distributed through malicious email attachments sent from infected computers. Emotet is one of the most popular botnets on the dark web that can be rented out to various hacked groups, which we will discuss in more detail further in the article.
5 Common Types of Attacks Carried Out by Botnets
Botnets are versatile tools that can be used to perform various fraudulent activities. In addition to using the network of compromised computers to attack other network endpoints and spread malware, the bot owner can steal sensitive information from zombie devices. This makes botnets the centerpiece of cybercrime.Â
Here are the top five types of cyber attacks botnets are used for:
- Distributed denial of service (DDoS) and brute force attacks.
- Phishing attacks.
- Spam campaigns.
- Malware distribution.
- Data theft and ransomware attacks.
DDoS and Brute Force Attacks
Distributed denial of service and brute force attacks are the most common cyber attacks carried out by botnets. Using a pool of computing resources that a network of zombie devices creates, attackers launch large-scale attacks that can target hundreds of thousands of servers and websites, with millions of malicious web requests sent out per second.Â
Phishing
A network of compromised websites is often used to launch massive phishing attacks. The command and control server distributes a series of phishing pages across the botnet that will be used to trick users into giving away their login credentials and other sensitive information.Â
Spam
Launching massive spam campaigns is one of the first purposes botnets served. The botnet owner would create a series of unsolicited emails containing links to infected websites or malicious attachments in order to distribute malware or facilitate phishing attacks.
Malware Distribution
Malware distribution is key to ensuring a botnet can survive long-term, compromising more devices. Zombie computers constantly scan large networks for vulnerabilities, subsequently exploiting them to distribute botnet malware. Infected websites and servers forming a botnet are used to host malicious web pages or malicious redirects that will trigger malware to be downloaded to the visitor’s devices with the same purpose.Â
Data Theft and Ransomware Attacks
Sometimes botnet owners can target specific organizations and their networks to steal confidential information and install ransomware. The obtained data can then be used to extort money and ruin the victim company’s reputation and operations or sold on the dark web. To gain unauthorized access to large computer networks, attackers can use a combination of social engineering and the fraudulent activities mentioned above.
Attack as a service: How Botnets are Rented Out On the Dark Web
Botnets have been gaining popularity on the dark web as a managed criminal service that can be bought or rented out from a botnet owner. Instead of creating a new network of bots, hackers can access the computing resources of an already-established botnet to execute fraudulent campaigns. This brings a new term to the world of cyber security – attack as a service, which is in some ways similar to the well-established concept of infrastructure as a service (IaaS).Â
Today, the dark web is governed by a whole economy revolving around botnets and botnet malware. In addition to renting out or selling networks of bots, hackers sell access to compromised websites and servers to expand existing botnets and propagate botnet malware.
How to Protect Your WordPress Site from Becoming Part of a Botnet? Top 3 Security Recommendations
As the most popular content management system in the world, WordPress makes a high-priority target for botnets and bot-driven cyber attacks. Because WordPress sites are so common, using them to distribute botnet malware and carry out network attacks continues to be an attractive method for malicious attacks.Â
Many WordPress websites get compromised as a result of a successful bot-driven attack and then become a part of the botnet behind it. The backdoors left by attackers can be extremely difficult to remove, which can leave an infected website in an attacker’s control for months or even years.
Being a part of a botnet can significantly damage the reputation of your business and lead to massive financial losses and, in some cases, legal implications as a result of data breaches. Reducing the attack surface is key to ensuring sufficient protection against common attack vectors.
Configure Automatic Updates and Install Software Only from Trusted Sources
Attackers are constantly scanning websites for vulnerabilities to exploit. When it comes to WordPress, the main security flaw exposing websites to compromises is outdated and unreliable software. This includes the WordPress core, themes, and plugins installed, as well as the PHP version in use.Â
Regular updates are released for all critical aspects of the WordPress ecosystem, rapidly patching all critical vulnerabilities discovered. Trusted plugin and theme development companies make sure to maintain a high level of security for their products.Â
Configuring automatic software updates is an important part of ensuring your WordPress website security. iThemes Security Pro can keep track of all core, plugin, and theme updates and automatically install new versions of software released. If you own more than one blog or business website built on WordPress, iThemes Sync Pro provides a single dashboard to work with updates and track uptime and SEO metrics on all websites you manage.
Set Up Multi-factor AuthenticationÂ
Bot-driven brute force attacks targeting WordPress have an astonishingly high success rate. Gaining access to the WordPress admin dashboard gives the attacker full control over your website. Using just password-based authentication means that hackers are just one step away from successfully impersonating you as the rightful website owner.
Passwords are broken, and brute force attacks carried out by botnets can crack your WordPress admin account fairly easily. Using multi-factor authentication, such as passkeys with biometric authentication offered by iThemes Security Pro, effectively eliminates the risk of taking over your admin account as a result of a successful brute force attack.
Use a Web Application FirewallÂ
Cloud-based and host-based web application firewalls are a strong first line of defense against the vast majority of distributed bot-driven cyber attacks targeting WordPress websites. By filtering out malicious web requests matching known patterns, WAFs can successfully mitigate denial of service and brute force attacks, as well as data injection attacks such as SQL injections.Â
Configure a robust web application firewall with a number of managed rulesets. This, combined with using multi-factor authentication, will dramatically reduce the attack surface and the probability of your WordPress website becoming a part of a network of bots.Â
Let iThemes Security Pro Protect your WordPress Website
Botnets are behind most large-scale cyber attacks launched on the internet. Using a highly distributed network of bots, hackers perform a wide range of fraudulent activities, from denial of service attacks to data theft. Botnets are constantly expanding their infrastructure by distributing a special type of malware aimed at gaining full control over victim devices.
Zombie computers establish a combination channel with the bot master’s device, known as the command and control server, that will be used to send and receive further instructions. To avoid prosecution, botnet owners employ a range of sophisticated techniques that allow them to stay anonymous.Â
WordPress websites are the number one target for botnets. Reducing the attack surface by regular vulnerability patching, using a web application firewall, and configuring multi-factor factor authentication is the security standard for defending WordPress against bot-driven attacks.Â
With thirty ways to protect critical areas of your WordPress website, iThemes Security Pro can become your personal security assistant. Combining the power of the security plugin with a strong backup strategy that BackupBuddy can help you build will help you achieve a great level of security for your business and its customers.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.
