What Is a Botnet and How Your Device Could Be Part of One
A botnet is a network of computers — potentially millions of them — infected with malware and under the remote control of an attacker. The infected devices are called bots or zombies. Their owners have no idea. The attacker rents out the botnet's collective capabilities: sending spam, launching DDoS attacks, mining cryptocurrency, conducting credential stuffing attacks.
How Devices Get Infected
The infection vectors haven't changed much: phishing emails with malicious attachments, drive-by downloads from compromised websites, vulnerabilities in unpatched software, and — increasingly important — default credentials on IoT devices. The Mirai botnet in 2016 compromised hundreds of thousands of devices by simply trying factory-default username/password combinations on internet-connected cameras and DVRs. It then used those devices to launch a 1.2Tbps DDoS attack — the largest recorded at the time.
IoT devices are particularly attractive for botnets because they run continuously, have significant bandwidth, and are almost never monitored or updated. A router, a smart TV, or a network-attached storage device running old firmware is essentially a permanently open door.
Command and Control
Bots receive instructions through a Command and Control (C2) channel. Early botnets used IRC servers for C2. Modern botnets use encrypted HTTPS, peer-to-peer architectures, or even domain generation algorithms (DGA) that automatically generate hundreds of potential C2 domain names, making it hard to block or take down the infrastructure.
This is the defender's opportunity: the C2 communication from an infected device is the detection point. Network monitoring tools that flag unusual outbound connections, unexpected connection destinations, or traffic to newly registered domains can catch botnet C2 communication. Most home users have none of this monitoring.
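As an added illustration, not taken from the original article, the script below applies the three C2 heuristics mentioned above to a constructed sample of outbound connection records: a miss against an allowlist of expected destinations, a DGA-style high-entropy domain label, and a recently registered domain. The log format, allowlist, entropy threshold and registration-date lookup are all assumptions standing in for a real router log and a WHOIS or passive-DNS feed.

```python
import math
from collections import Counter
from datetime import date, datetime

# Constructed outbound-connection records (hypothetical router-log format:
# timestamp, internal source IP, destination host, destination port).
SAMPLE_LOG = """\
2024-03-02T03:12:41 192.168.1.23 www.example.com 443
2024-03-02T03:12:44 192.168.1.23 q7xk2vbn9zlq4rty.info 443
2024-03-02T03:13:02 192.168.1.41 updates.example.net 443
2024-03-02T03:13:09 192.168.1.23 fresh-deal-shop.xyz 8080
"""
# Constructed allowlist of destinations this network is expected to contact.
KNOWN_GOOD = {"www.example.com", "updates.example.net"}
# Constructed stand-in for a domain-registration feed (assumed: an offline
# WHOIS/passive-DNS export), mapping domain -> registration date.
REGISTERED_ON = {"fresh-deal-shop.xyz": date(2024, 2, 27)}
ENTROPY_THRESHOLD = 3.5  # bits/char; 'example' scores ~2.5, DGA labels ~3.9
NEW_DOMAIN_DAYS = 30

def shannon_entropy(label):
    """Bits per character; algorithmically generated labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_like_dga(host):
    """Second-level label is long and high-entropy (e.g. 'q7xk2vbn9zlq4rty')."""
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    return len(label) >= 12 and shannon_entropy(label) >= ENTROPY_THRESHOLD

def is_newly_registered(host, seen_on):
    reg = REGISTERED_ON.get(host.lower())
    return reg is not None and (seen_on - reg).days <= NEW_DOMAIN_DAYS

def flag_c2_candidates(log_text):
    """Return [(host, [reasons])] for connections worth investigating."""
    findings = []
    for line in log_text.splitlines():
        ts, _src, host, _port = line.split()
        seen_on = datetime.fromisoformat(ts).date()
        reasons = []
        if host not in KNOWN_GOOD:
            reasons.append("not on allowlist")
        if looks_like_dga(host):
            reasons.append("DGA-like name")
        if is_newly_registered(host, seen_on):
            reasons.append(f"registered within {NEW_DOMAIN_DAYS} days")
        if len(reasons) > 1:  # an allowlist miss on its own is too noisy
            findings.append((host, reasons))
    return findings
```

On the sample, the two allowlisted hosts produce nothing, the random-looking `.info` host is flagged for its label entropy, and the `.xyz` host is flagged because it was registered four days before the connection.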
How to Tell If You're Infected
Symptoms include: unusual CPU or network usage at odd hours (bots often activate at night), email delivery failures (your IP has been blacklisted for spam), connections appearing in your router logs to unfamiliar IPs, and slow internet speeds caused by your bandwidth being used for attacks. Run your IP through a blacklist checker — if it's flagged, investigate before requesting removal.