Cyber Security

What are Botnets and How do They Work?

Each infected device is
called a bot or zombie.

In October 2016, a botnet called Mirai: helped trigger a wave of distributed denial-of-service (DDoS) attacks that disrupted major services across the internet. It was a wake-up call: everyday internet-connected devices-especially poorly secured IoT devices like cameras, routers, and DVRs-could be quietly hijacked and weaponised at scale.

Since then, botnets have evolved. Modern botnets aren’t just about “taking websites down.” They’re used to steal data, spread malware, commit fraud, mine cryptocurrency, deliver ransomware, and create a resilient criminal infrastructure that’s hard to dismantle. Some botnets are centrally controlled; others use peer-to-peer (P2P) designs to reduce reliance on a single command server. Many target the weakest links: outdated software, default passwords, exposed remote access, misconfigured cloud services, and unpatched routers.

This guide explains what botnets are, how they work, how they’re used, and-most importantly-what you can do to reduce the risk of your home devices or business network becoming part of someone else’s attack platform.

What Is a Botnet?

A botnet is a network of internet-connected devices that have been infected with malicious software and are controlled remotely by an attacker. Each infected device is commonly called a bot or zombie. The person controlling the botnet may be referred to as a bot herder, botmaster, or simply “the operator.”

Botnets can include:

What Is a Botnet?
Servers (including compromised cloud instances)
Smartphones and tablets
Home routers and modems
Smart TVs
Security cameras and DVR/NVR systems
Smart speakers and other IoT devices
Industrial and operational technology (in some cases)

A key point: devices often show few obvious signs of infection, especially IoT devices that don’t have a user interface. That stealth is what makes botnets so dangerous.

Why Botnets Matter

Botnets matter because they give criminals three critical advantages:

1. Scale – thousands (or millions) of devices can act together.

2. Anonymity – attacks come from victims’ devices, not directly from the attacker.

3. Resilience – even if some bots are removed, the botnet can keep operating.

That combination enables everything from nuisance spam campaigns to large-scale disruption of online services.

How Botnets Work (Step by Step)

While individual botnets differ, most follow the same lifecycle.

1) Discovery: Attackers Find Targets

Attackers look for devices they can compromise. Common discovery methods include:

Scanning the internet for open ports (e.g., remote admin panels, SSH, RDP, Telnet)
Searching for exposed devices via public indexing services
Targeting known vulnerable software versions
Phishing users into installing malware
Exploiting weak or default credentials on routers and IoT devices

IoT devices are frequent targets because they may be:

2) Compromise: The Device Gets Infected

A device can be infected in several ways:

Phishing emails that trick users into opening malicious attachments or links
Drive-by downloads from compromised or malicious websites
Software vulnerabilities in operating systems, apps, plugins, or firmware
Credential attacks (password spraying, brute forcing, re-used passwords)
Supply chain issues (less common but high impact)

For IoT, compromise often looks like:

3) Installation & Persistence

Once the malware runs, it typically:

On some IoT devices, persistence can be limited (depending on how the firmware works), but attackers compensate by re-infecting quickly if the device is restarted.

4) Command & Control (C2): The Bot “Phones Home”

The infected device connects to a system to receive instructions. C2 can be:

Centralised (classic model): bots connect to one or more control servers
Decentralised / P2P: bots communicate with each other to share commands
Domain-based: C2 domains rotate or change using algorithms
Social/messaging abuse: commands hidden in legitimate services (less common but seen)
Supply chain issues (less common but high impact)

To keep C2 infrastructure alive, operators often use tactics like:

5) Monetisation: Botnets Do the Attacker’s Work

Once the botnet is operational, the operator can “rent” it out or use it directly.

What Botnets Are Used For

Botnets are a criminal Swiss Army knife. Common uses include:

DDoS Attacks

DDoS attacks flood a target with traffic or requests to overwhelm services. Botnets are ideal for this because traffic comes from many locations, making it harder to block.

Common DDoS types include:

Spam and Phishing Distribution

Botnets can send spam at scale. Even a small portion of bots sending emails can generate huge volumes-often without the owner noticing.

Credential Theft and Account Takeover

Some botnets include modules designed to:

Ad Fraud and Fake Traffic

Botnets can generate fake ad impressions and clicks, inflating advertising spend and distorting analytics. This is especially damaging for businesses that rely on paid acquisition channels.

Malware Delivery (Including Ransomware)

Botnets are frequently used as initial access brokers-they compromise systems, then sell access to other criminals who deploy ransomware or data theft tooling.

Cryptomining

Some botnets deploy cryptominers to siphon CPU/GPU resources. On a single device, the impact may be small-but at scale, it becomes profitable.

Lateral Movement in Business Networks

In corporate environments, a compromised endpoint can be a foothold:

Signs Your Device Might Be Part of a Botnet

Botnet infections can be subtle, but these indicators are common:

On computers and phones

Unexplained slowness or overheating
High CPU/network usage when you’re not doing much
Security tools disabled or failing to update
Strange browser behaviour (new extensions, redirects)
Unexpected outbound connections (especially to unusual regions/domains)

On routers and IoT devices

Device becomes unreliable or resets frequently
Unexpected new admin accounts or settings changes
Remote access settings enabled without your knowledge
Router DNS settings changed (a major red flag)
Unusual outbound traffic spikes, especially at odd hours

In business environments

Multiple endpoints contacting the same suspicious domains/IPs
Large outbound traffic volumes not tied to business activity
Abnormal authentication attempts or lateral movement patterns
Endpoint detection alerts for suspicious persistence or C2 activity

Why IoT Devices Are Frequently Hijacked

IoT devices are often easier to compromise because:

In plain terms: IoT devices often don’t get the same security attention as computers, yet they sit on the same network-and they’re always on.

How to Protect Your Devices From Botnet Infection

Botnet attacks-Computing Australia Group

The best defence is layered: reduce exposure, harden devices, and monitor for suspicious behaviour.

1) Patch and Update Everything (Yes, Everything)

Practical tip: Put a recurring monthly reminder to check router/IoT firmware if auto-update isn’t available.

2) Eliminate Default Credentials and Weak Passwords

Change default admin usernames/passwords on routers and IoT devices
Use strong, unique passwords for all accounts
Use a password manager to generate and store credentials
Enable multi-factor authentication (MFA) wherever possible
Supply chain issues (less common but high impact)

For businesses: enforce MFA and strong password policies centrally (SSO where feasible).

3) Reduce Internet Exposure (Close the Front Door)

4) Use Quality Security Tools

For home users:For home users:

For businesses:

5) Segment Your Network (Especially IoT)

Network segmentation limits the blast radius.

Simple home approach: Use a “Guest” SSID for smart devices if your router supports isolation.

6) Secure Your Email (A Major Infection Vector)

7) Monitor and Respond

For businesses, monitoring is key:

For home users:

What to Do If You Suspect a Botnet Infection

For Individuals / Small Offices

1. Disconnect the device from the network (Wi-Fi off / unplug Ethernet).

2. Run a full malware scanusing reputable security software.

3. Updatethe OS, browser, and all applications.

4. Change passwords, starting with email and banking, and enable MFA.

5. If it’s a router/IoT device:

For Businesses

1. Isolate impacted endpoints (network quarantine).

2. Investigate (EDR telemetry, DNS logs, proxy logs, firewall egress).

3. indicators Block C2 (domains/IPs) across network controls.

4. Reset credentials that may be compromised; enforce MFA.

5. Hunt laterally: check for internal spread and persistence mechanisms.

5. Document and consider reporting where appropriate (industry/regulatory context).

Botnets vs. Other Threats: Quick Clarity

Think of “botnet” as the infrastructure attackers build, and other malware types as tools they deploy through that infrastructure.

It takes only a few minutes for devices to become infected. Unfortunately, till IoT manufacturers can plug in vulnerabilities, and create a more robust security environment, remaining vigilant is necessary. It is essential that all your devices are protected all the time with a comprehensive security cover. Speak to our cybersecurity experts for a complete security solution. Contact us or email us at cybersecurity@computingaustralia.group.

Jargon Buster

loT – Internet of Things – a collective term to describe physical objects that connect to the Internet. IoT devices generally mean devices that usually are not expected to have an internet connection, like smart security systems, fitness trackers or smart refrigerators. DDos attack – Distributed Denial of Service attacks are a form of cyberattack where a server is overwhelmed by more traffic than it can handle and shuts down.

Each infected device is called a bot or zombie.