What’s a Botnet?

An army of infected computers that can send out 100 billion spam e-mails a day.


Microsoft revealed this week that it is helping law enforcement officials track down the operators of “botnets,” or networks of computers that can be used to send out spam messages without the knowledge of their owners. Though the software company is tight-lipped about the specifics, Canadian security forces have already used Microsoft’s information to bring down a botnet that infected close to 500,000 machines. What is a botnet, exactly?

It’s a virus, worm, or other piece of software—the “bot”—which runs covertly on a series of computers—the “net.” While several researchers are attempting to construct “good” botnets capable of protecting servers or undertaking massive computations, the term most often refers to viruses and other malicious programs that install themselves on a computer without the owner’s permission. Once a computer has been infected by a bot and recruited into the network—i.e., turned into a “zombie”—it surreptitiously communicates with a central command server or with other bots to receive its instructions. Popular botnet activities include sending spam or flooding a targeted site with so much Web traffic that it can no longer serve legitimate visitors. (The latter is known as a “denial of service attack.”)

At a recent conference of security analysts, one malware researcher reported that the 11 biggest botnets in the world comprise 1 million machines, and can send 100 billion spam e-mails per day. As security researchers develop more and more sophisticated means of tracking and detecting these threats, the authors of the predatory programs continue to find innovative ways to spread their bots and hide their tracks.

For example, early botnets tended to set up a direct line of communication between the infected computer and the person controlling the network—sometimes known as the “botmaster.” This was done via Internet Relay Chat, an early Internet chat protocol: each bot connected to a chat server and channel whose address was built into the bot itself and waited there for orders. But a system like this makes it relatively easy for researchers to isolate a copy of the bot software, dissect it, and track down the server where the bot is phoning home; once that server is taken offline, the whole network falls silent. More sophisticated virus programmers have now turned to peer-to-peer systems, where bots disseminate commands through the network in a “pass it along” system of giving orders, so that no single server holds the network together. This makes it harder for investigators to find the source of the commands.
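The difference between a centralized command server and a peer-to-peer network shows up directly in network traffic: many infected hosts holding long-lived connections to one destination versus each bot talking to a handful of peers. The script below is an added illustration written for this page, not code from Slate, Microsoft, or SecureWorks. The flow records, the IP addresses, the peer port 7871, and the thresholds (three clients, ten minutes) are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records for illustration only (not real traffic).
# Format: "src -> dst:port duration=<seconds>"

# Centralized case: three internal hosts hold hour-long sessions to one IRC server.
CENTRALIZED_FLOWS = [
    "10.0.0.5 -> 203.0.113.7:6667 duration=3580",
    "10.0.0.9 -> 203.0.113.7:6667 duration=3599",
    "10.0.0.12 -> 203.0.113.7:6667 duration=3601",
    "10.0.0.12 -> 198.51.100.20:80 duration=2",
    "10.0.0.5 -> 198.51.100.21:443 duration=15",
]

# Peer-to-peer case: each bot keeps long sessions, but to different peers,
# so no destination is shared by many hosts. Port 7871 is an arbitrary choice.
P2P_FLOWS = [
    "10.0.0.5 -> 10.0.0.9:7871 duration=700",
    "10.0.0.9 -> 10.0.0.12:7871 duration=720",
    "10.0.0.12 -> 192.0.2.44:7871 duration=690",
    "10.0.0.5 -> 198.51.100.21:443 duration=15",
]

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+) duration=(\d+)$")


def parse_flow(line):
    """Parse one constructed flow line into (src, dst, port, duration_seconds)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    src, dst, port, duration = m.groups()
    return src, dst, int(port), int(duration)


def find_rendezvous(lines, min_clients=3, min_duration=600):
    """Return {(dst, port): [src, ...]} for destinations that at least
    `min_clients` distinct hosts keep open for `min_duration` seconds or more.

    High fan-in on one long-lived destination is the signature of a
    centralized command server. A peer-to-peer botnet spreads the same
    long-lived sessions across many peers, so nothing crosses the threshold
    and there is no single server to take down."""
    clients = defaultdict(set)
    for line in lines:
        src, dst, port, duration = parse_flow(line)
        if duration >= min_duration:
            clients[(dst, port)].add(src)
    return {
        key: sorted(srcs, key=ip_address)
        for key, srcs in clients.items()
        if len(srcs) >= min_clients
    }


if __name__ == "__main__":
    print("centralized:", find_rendezvous(CENTRALIZED_FLOWS))
    print("peer-to-peer:", find_rendezvous(P2P_FLOWS))
```

Run against the centralized sample, the script names 203.0.113.7:6667 as the rendezvous point and lists the three hosts talking to it; run against the peer-to-peer sample, it returns nothing, even though every bot is still holding a long-lived session. That empty result is the investigator's problem in a sentence: with no shared server there is no single address to dissect out of the bot and seize.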

Until recently, the most infamous of these threats was a botnet called Storm Worm, so named because it originally propagated through e-mails in early 2007 with the subject line “230 dead as storm batters Europe.” Microsoft claimed last week that its bot-hunting software had finally crushed Storm, but others were suspicious. In any case, Storm’s network has at the least been significantly scattered, and several other botnets have taken its place. While researchers continue to track the newest threats, study their code, and devise new ways to detect and combat the bots, most concede that the computer security arms race won’t end anytime soon.


Explainer thanks Elizabeth Clarke and Joe Stewart of SecureWorks.