Successful Global Botnet Takedowns

Botnets are on the rise, and they’re hard to detect and mitigate. Here’s how they work—and how they’re stopped.


Internet service providers (ISPs) and enterprises are under constant threat from distributed denial-of-service (DDoS) attacks, and few sources of those attacks are as damaging as botnets (short for “robot networks”) launching direct-path traffic. They are effective because, unlike a single piece of malware on a single machine, a botnet can have thousands or even millions of bots targeting network-connected devices at once, leading to website outages or extortion attempts in which the attacker demands a ransom to stop.

At NETSCOUT we’ve seen a dramatic uptick in botnets since 2021. Some were successfully mitigated via robust, coordinated efforts by security researchers and law enforcement agencies, while many remain active today.

How Do Botnets Work?

Botnets are very difficult to stop because they exploit network and device vulnerabilities, aren’t easily detected, and can remain active for years or even be rented or sold to other bad actors. They’re controlled by command-and-control (C&C) servers that send instructions to the compromised computers (bots, or “zombies”) within the botnet, so a single operator can direct millions of attack fronts.

Once C&C servers are established, cybercriminals distribute malicious software—or malware—that turns ordinary computers into bots that perform automated tasks over the internet without the rightful user knowing it. Once a network of infected computers exists, criminals use the C&C servers to direct all of them at once. Popular targets of botnets are financial institutions, hospitals, government agencies, universities, defense contractors, and ordinary individuals.

Botnets are used in DDoS attacks, malware distribution, phishing emails, spambots, proxy services, and other criminal activity. They can also be used to collect intelligence on geopolitical adversaries or to target critical infrastructure.
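Bots typically “check in” with their C&C server on a fixed schedule, and that regularity is one of the few things a defender can see from the network side even when the payload is encrypted. The following is an added example (not code from the original article or from NETSCOUT) that scores each source/destination pair in a constructed set of connection records by how regular its inter-connection intervals are; the sample records, the thresholds, and the host addresses are all assumptions made up for the illustration.

```python
"""Simple beacon detection over connection records (added example).

Each record is (epoch seconds, source host, destination host:port). A pair that
connects at least `min_connections` times with a nearly constant interval is
reported as a possible C&C check-in.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not a real capture. 10.0.0.5 checks in roughly every
# 60 seconds (what a bot does); 10.0.0.9 connects at irregular, human-like times.
SAMPLE_CONNECTIONS = [
    (1000, "10.0.0.5", "198.51.100.7:443"),
    (1060, "10.0.0.5", "198.51.100.7:443"),
    (1121, "10.0.0.5", "198.51.100.7:443"),
    (1180, "10.0.0.5", "198.51.100.7:443"),
    (1241, "10.0.0.5", "198.51.100.7:443"),
    (1300, "10.0.0.5", "198.51.100.7:443"),
    (1003, "10.0.0.9", "203.0.113.20:443"),
    (1011, "10.0.0.9", "203.0.113.20:443"),
    (1290, "10.0.0.9", "203.0.113.20:443"),
    (1310, "10.0.0.9", "203.0.113.20:443"),
    (1402, "10.0.0.9", "203.0.113.20:443"),
    (1407, "10.0.0.9", "203.0.113.20:443"),
]


def find_beacons(connections, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs whose cadence is regular.

    "Jitter" here is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections; a value near 0 means a fixed timer.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge regularity
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; cannot compute a cadence
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Legitimate software also beacons (update checkers, NTP, monitoring agents), so a hit from this kind of check is a lead to investigate against an allowlist, not a verdict. Real C&C clients often add random jitter to their sleep timer precisely to evade this test, which is why `max_jitter` is a tunable rather than a fixed rule.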

Botnets Can’t Hide for Long

Although there are several successful botnets that managed to do incredible damage, many are eventually detected and dismantled. Let’s take a closer look at a few of those success stories.

Mariposa, Spanish for butterfly, was designed to steal credit card numbers and passwords to financial services, spreading through “malvertising” (malicious digital ads). Through criminal affiliates in a “pay-per-install” scheme, in 2008 this malware began spreading to 12.7 million computers in 190 countries. It was among the largest known botnets ever discovered at that time. Law enforcement managed to crush the operation, and a larger hacking forum was later found to be behind it as well, with more than 70 arrests made. After a two-year investigation, a Slovenian man was found guilty of creating the botnet and sentenced to almost five years in prison.

In 2010 the Grum botnet, briefly the world’s largest, was sending out pharmaceutical spam emails at the rate of up to 40 billion per month, comprising 26 percent of spam across the planet. Grum’s C&C centers were discovered by law enforcement in the Netherlands, Panama, Russia, and Ukraine, and the botnet was successfully taken down in 2012.

In 2017, the Federal Bureau of Investigation (FBI) joined forces with the U.S. Department of Homeland Security to investigate massive online advertising fraud perpetrated by the 3ve botnet. This resulted in a major takedown a year later that led to the arrest and indictment of several individuals from Russia and Kazakhstan.

Most recently, in 2022 the U.S. Department of Justice successfully shut down a major Russian botnet called RSocks that was posing as a proxy service and comprised millions of infected devices worldwide, including routers, video-streaming devices, Android devices, and even smart garage door openers. The FBI hasn’t yet released details about who was behind this operation, but with help from European authorities, the RSocks website was seized and now shows a banner from the FBI.

How Can I Protect My Network?

There are a few things you can do to mitigate or prevent botnet attacks, such as keeping systems and device software up to date, running regular malware scans, closely monitoring network activity, using complex passwords, deploying multifactor authentication, and checking for multiple failed login attempts.

It’s also wise to use a non-administrator account whenever feasible, use caution when clicking on links or opening email attachments, limit file sharing, and deny pop-up windows that ask you to download software. But even these efforts may prove ineffective against determined adversaries and their army of globally distributed bots, because it only takes one wrong click to download malware that arrives from a trusted coworker, friend, or relative who’s innocently unaware of what they’re spreading.
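Two of the recommendations above, closely monitoring activity and checking for multiple failed login attempts, are easy to turn into a concrete check. The following is an added example (not code from the article or from NETSCOUT) that parses sshd-style authentication lines, flags any source address with a burst of failures inside a sliding window, lists the usernames it tried, and notes whether a successful login followed the burst, which is the case that needs the fastest response. The log lines, the year (syslog timestamps omit it), the threshold, and the window length are all constructed assumptions for the illustration.

```python
"""Failed-login burst detection over sshd-style log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not from a real host. One remote source hammers several
# accounts and then gets in; a local user mistypes a password once, then succeeds.
SAMPLE_LOG = """\
Mar 14 02:11:01 gw sshd[2201]: Failed password for root from 192.0.2.44 port 51022 ssh2
Mar 14 02:11:03 gw sshd[2203]: Failed password for invalid user admin from 192.0.2.44 port 51030 ssh2
Mar 14 02:11:05 gw sshd[2205]: Failed password for invalid user oracle from 192.0.2.44 port 51041 ssh2
Mar 14 02:11:07 gw sshd[2207]: Failed password for root from 192.0.2.44 port 51055 ssh2
Mar 14 02:11:09 gw sshd[2209]: Failed password for invalid user test from 192.0.2.44 port 51060 ssh2
Mar 14 02:11:20 gw sshd[2211]: Accepted password for root from 192.0.2.44 port 51077 ssh2
Mar 14 02:30:00 gw sshd[2300]: Failed password for alice from 10.0.0.12 port 40001 ssh2
Mar 14 02:30:40 gw sshd[2302]: Accepted publickey for alice from 10.0.0.12 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) for a matching line, else None.

    `year` is an assumption: classic syslog lines carry no year.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with >= threshold failures in any window.

    finding = {"failures": total failed attempts, "users": sorted usernames tried,
               "success_after": True if an Accepted login followed the last failure}
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort()  # chronological; tuples sort on the timestamp first
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [ev for ev in evs if ev[1] == "Failed"]
        # Sliding window: starting at each failure, count failures within `window`.
        flagged = any(
            sum(1 for f in failures[i:] if f[0] - failures[i][0] <= window) >= threshold
            for i in range(len(failures))
        )
        if not flagged:
            continue
        last_fail = failures[-1][0]
        success_after = any(ev[1] == "Accepted" and ev[0] > last_fail for ev in evs)
        findings[ip] = {
            "failures": len(failures),
            "users": sorted({f[2] for f in failures}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_brute_force(SAMPLE_LOG).items():
        flag = " (SUCCESSFUL LOGIN AFTER FAILURES)" if finding["success_after"] else ""
        print(f"{ip}: {finding['failures']} failures, users {finding['users']}{flag}")
```

A burst against many different usernames from one source is the signature of automated guessing rather than a forgetful user, and a success immediately after such a burst should be treated as a probable compromise of that account until proven otherwise. Bots spread across many source addresses will stay under a per-IP threshold, so the same logic is worth running keyed on the target username as well.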

Learn More

As difficult as botnets and their bots are to prevent, there are many ways to protect your network. NETSCOUT just released our fifth anniversary DDoS Threat Intelligence Report, “Unveiling the New Threat Landscape,” with findings from the second half of 2022. Take a closer look to understand current cyberthreats and determine your own security vulnerabilities.
Check out the latest NETSCOUT Threat Intelligence Report.