The 10 Biggest Botnets in History
What are the biggest botnets in the world? Discover botnets compromising up to 19 million IPs, used for Distributed Denial of Service (DDoS) attacks, click fraud, and more. These were the largest botnets in the world until they were taken down by industry and law enforcement.
The Largest Botnets
With the arrest of the 911 S5 botnet mastermind in May of 2024, we explore the largest botnets of all time, delving into their complexities and the ongoing efforts to combat them, highlighting the relentless pursuit of justice in the digital age. A bot is an automated software program that performs tasks over the internet. Bots are not always malicious: search engines and researchers use them to automate tasks, for example. But bots can also be put to nefarious use in networks known as botnets, executing malicious activities such as spamming, data theft, or cyberattacks such as Distributed Denial of Service (DDoS) attacks. These bots can infiltrate an array of devices ranging from mobile phones and computers to smart TVs and even internet-connected fridges, turning everyday gadgets into unwitting perpetrators of cybercrime. As the digital landscape evolves, these versatile botnets become more sophisticated, making the fight against them increasingly challenging but crucial in safeguarding the interconnected world. Whether you’re a tech enthusiast or a cybersecurity professional, understanding the largest botnets is key to navigating today’s digital landscape.
Mirai
Number of Infected Devices: 600,000
First Detected: August 2016
The Mirai botnet stands out as a notorious example of malware exploiting Internet of Things (IoT) devices to form an extensive network of compromised systems. Initially identified in August 2016 by the cybersecurity group “MalwareMustDie”, Mirai primarily focuses on devices running Linux, such as IP cameras and home routers. It transforms these devices into remotely controlled bots used for various malicious purposes, especially Distributed Denial of Service (DDoS) attacks.
Key Aspects of the Mirai Botnet
- Infection Mechanism: Mirai spreads by scanning the internet for vulnerable IoT devices, utilizing a list of more than 60 common default usernames and passwords. Once a device is compromised, Mirai infects it without altering its normal operations, thereby making detection difficult. Post-infection, it blocks remote administration ports and can reinfect devices after they reboot, provided the default credentials are unchanged.
- DDoS Attack Capability: The botnet gained notoriety through its involvement in some of the largest recorded DDoS attacks. Significant incidents include an assault on the cybersecurity blog Krebs on Security, with an attack peaking at 620 Gbps, and a substantial attack on Dyn, a DNS service provider, which disrupted access to major sites like Twitter and Netflix in October 2016. These incidents highlighted Mirai’s ability to mobilize hundreds of thousands of compromised devices to inundate targeted servers.
- Evolution and Variants: The original creators of Mirai released its source code to the public, resulting in multiple variants. These variants often include added functionalities or target different vulnerabilities, complicating efforts to fend off such botnets. Variants such as “Okiru” and “Reaper” are noted for their advanced capabilities compared to the original Mirai.
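The infection mechanism above shows up on the defender's side as bursts of login attempts that walk through a default-credential list. The following detection logic is an added example, not code from the original article or from Mirai: it assumes a constructed honeypot-style log format (timestamp, source IP, [user/password], result), uses a small constructed sample of IoT default credentials, and flags any source that tries several distinct default pairs within a short window.

```python
"""Detect Mirai-style default-credential login sprays in honeypot logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of IoT default credentials (the real Mirai list is
# longer and is not reproduced here).
DEFAULT_CREDS = {
    ("root", "root"), ("admin", "admin"), ("admin", "1234"),
    ("root", "12345"), ("user", "user"), ("admin", "password"),
}

# Constructed honeypot-style log lines: timestamp, source IP, [user/password], result.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z 203.0.113.5 login attempt [root/12345] failed
2016-09-20T10:00:02Z 203.0.113.5 login attempt [admin/1234] failed
2016-09-20T10:00:03Z 203.0.113.5 login attempt [admin/admin] failed
2016-09-20T10:00:04Z 203.0.113.5 login attempt [root/root] succeeded
2016-09-20T10:05:00Z 198.51.100.7 login attempt [alice/hunter2] failed
2016-09-20T10:05:30Z 198.51.100.7 login attempt [alice/Hunter2!] succeeded
"""


def parse_line(line):
    """Return (timestamp, src_ip, user, password, result) for one log line."""
    ts, src, _, _, cred, result = line.split()
    user, password = cred.strip("[]").split("/", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, password, result


def find_spray_sources(log_text, window_s=60, min_distinct=3):
    """Flag sources that try >= min_distinct distinct default credential pairs
    within window_s seconds; also report whether a default pair succeeded."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, password, result = parse_line(line)
            per_src[src].append((ts, user, password, result))
    flagged = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            defaults = {(u, p) for _, u, p, _ in window if (u, p) in DEFAULT_CREDS}
            if len(defaults) >= min_distinct:
                success = any(r == "succeeded" and (u, p) in DEFAULT_CREDS
                              for _, u, p, r in window)
                flagged[src] = {"distinct_defaults": len(defaults),
                                "default_success": success}
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for src, info in find_spray_sources(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

A successful login with a default pair is the signal that matters most: it means the device is still on factory credentials and, per the text above, will be reinfected after every reboot until they are changed.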
Impact and Legacy
The Mirai botnet’s influence extends beyond immediate disruptions, underscoring significant security weaknesses in IoT devices. Typically designed with ease-of-use prioritized over security, many such devices become easy prey for botnets. The legacy of Mirai is its continued evolution through new variants, representing a persistent threat in a progressively interconnected world. In essence, the Mirai botnet is a pivotal cybersecurity case study, showcasing how easily IoT devices can be co-opted into powerful networks capable of executing large-scale cyberattacks. Its impact remains relevant as organizations strive to strengthen defenses against similar threats presented by evolving botnets.
Srizbi
Number of Infected Devices: 450,000
First Detected: March 2007
Taken Down: November 2008
The Srizbi botnet, also known as the Cbeplay or Exchanger botnet, was one of the largest and most infamous botnets, primarily operational during 2007/2008. At its peak, it was estimated to have controlled hundreds of thousands of computers worldwide. The botnet was primarily used for sending out massive volumes of spam emails, accounting for a significant portion of global spam traffic. Srizbi was particularly notable for its sophisticated architecture and resilience. It used a decentralized command and control (C&C) infrastructure, which made it difficult to dismantle. The malware that powered the botnet was designed to operate in kernel mode and had rootkit capabilities, making it stealthy and hard to detect. Additionally, Srizbi included mechanisms for self-replication and could propagate via infected email attachments or through compromised websites. Efforts to disrupt the Srizbi botnet were part of larger global campaigns against cybercrime. In 2008, a major takedown was achieved when a key hosting provider, McColo, which was serving as the C&C server, was shut down. This led to a significant drop in global spam volumes. The case of the Srizbi botnet underscores the challenges in combating cybercrime, particularly when dealing with complex and resilient networks. It also highlighted the importance of international cooperation and the need for continuous vigilance in cybersecurity efforts.
Methbot - Ad Fraud Botnet
Number of compromised devices: 571,904 IP addresses
Botnet Damages: $180 million
Active Since: 2016
Taken Down: 2018
The Methbot botnet was a well-organized cybercrime operation that focused on digital ad fraud and click fraud. It involved using a vast network of hijacked IP addresses and automated bots to mimic human web traffic. The bots were programmed to visit fake websites created by the operators, generating 200-400 million fake video-based ad impressions per day. By simulating legitimate interactions with ads, Methbot tricked advertisers and ad networks into paying for non-existent traffic. This scheme exploited vulnerabilities in the online ad ecosystem and, at its peak, was said to generate millions in fraudulent ad revenue daily. Methbot’s scale, sophistication, and impact underscored the challenges in securing the digital advertising industry against such fraud.
The Storm Botnet
Active From: January 2007
Active Until: Declined rapidly in 2008
Size: Up to 1 million IP addresses
The Storm botnet was a large and sophisticated network of compromised computers, first identified in January 2007. It spread primarily through spam emails that contained malicious attachments or links, which, when opened, would infect a user’s computer with the Storm Worm. This malware turned the machine into part of the botnet, allowing it to be controlled remotely by the botnet operators. The botnet was used for various malicious activities, including sending out massive amounts of spam, launching Distributed Denial of Service (DDoS) attacks, and conducting other forms of cybercrime. At its peak, it was estimated to have compromised millions of computers worldwide, making it one of the largest botnets of its time. The Storm botnet was notable for its resilience and complexity, using techniques such as peer-to-peer (P2P) networking to avoid a single point of failure and to make it more difficult to dismantle. It also employed fast-flux DNS techniques, which involved rapidly changing IP addresses to evade detection and tracking. While the Storm botnet declined significantly by 2008 due to increased awareness, countermeasures from security companies, and legal actions, its innovative techniques influenced future botnets and cyber threats.
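The fast-flux DNS technique described above leaves a measurable trace: a single hostname resolves to many different addresses in unrelated networks, each with a short TTL. The following heuristic is an added example, not code from the original article: it assumes a constructed sample of DNS answer records (timestamp, name, answer IP, TTL) and illustrative thresholds, and flags names whose answers look like fast-flux rotation rather than ordinary load balancing.

```python
"""Flag fast-flux style hostnames from a set of DNS answer records."""
from collections import defaultdict
from statistics import mean

# Constructed sample answers: timestamp, query name, answer IP, TTL in seconds.
SAMPLE_ANSWERS = """\
2007-02-01T08:00:00Z update-news.example 203.0.113.10 300
2007-02-01T08:05:00Z update-news.example 198.51.100.22 300
2007-02-01T08:10:00Z update-news.example 192.0.2.77 300
2007-02-01T08:15:00Z update-news.example 203.0.113.41 300
2007-02-01T08:20:00Z update-news.example 198.51.100.9 300
2007-02-01T08:00:00Z www.example.org 192.0.2.1 86400
2007-02-01T08:10:00Z www.example.org 192.0.2.1 86400
2007-02-01T08:20:00Z www.example.org 192.0.2.2 86400
"""


def parse_answers(text):
    """Return a list of (timestamp, qname, ip, ttl) tuples from the record text."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, qname, ip, ttl = line.split()
            rows.append((ts, qname, ip, int(ttl)))
    return rows


def prefix16(ip):
    """Crude network grouping: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def domain_stats(rows):
    """Per name: distinct answer IPs, distinct /16 prefixes, and mean TTL."""
    by_name = defaultdict(list)
    for _, qname, ip, ttl in rows:
        by_name[qname].append((ip, ttl))
    stats = {}
    for qname, recs in by_name.items():
        ips = {ip for ip, _ in recs}
        stats[qname] = {
            "unique_ips": len(ips),
            "unique_prefixes": len({prefix16(ip) for ip in ips}),
            "mean_ttl": mean([ttl for _, ttl in recs]),
        }
    return stats


def flag_fast_flux(rows, min_ips=5, min_prefixes=3, max_ttl=600):
    """Names with many answers spread over many networks and short TTLs."""
    return {q: s for q, s in domain_stats(rows).items()
            if s["unique_ips"] >= min_ips
            and s["unique_prefixes"] >= min_prefixes
            and s["mean_ttl"] <= max_ttl}


if __name__ == "__main__":
    for name, s in flag_fast_flux(parse_answers(SAMPLE_ANSWERS)).items():
        print(f"possible fast-flux: {name} {s}")
```

CDNs also answer with short TTLs and several addresses, so in practice the prefix spread (many unrelated networks, typically residential ranges) carries more weight than the TTL alone.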
Emotet
Number of Infected Devices: 1.6 million IP addresses.
Cost: 14.5 million in high-profile attacks in Germany alone.
Jurisdictions involved in takedown: Ukraine, Germany, and the United States
The Emotet botnet was a sophisticated and highly modular network built from the malware of the same name, which first emerged around 2014. Initially developed as a banking Trojan, it has evolved into one of the most notorious and damaging cyber threats, dubbed the world’s most dangerous malware by Europol. Emotet is primarily spread through spam emails, which often contain malicious attachments or links. Once a system is infected, Emotet can steal sensitive information, deploy additional payloads, and propagate within networks. Key characteristics of Emotet include:
- Modular Design: Emotet’s modular architecture allows it to download and execute various types of malware, such as ransomware and other banking Trojans, increasing its versatility and impact.
- Polymorphic Nature: Emotet frequently updates its code to evade detection by antivirus software, making it difficult to combat.
- Spam Distribution: The botnet is known for massive email campaigns that distribute the malware to millions of potential victims worldwide, delivered through a macro attachment.
- Lateral Movement: Once it infects a machine, Emotet can spread to other devices on the same network, escalating its reach and impact within an organization.
- Use of Stolen Credentials: Emotet often uses stolen credentials to infiltrate networks and systems, making it a persistent threat. In 2017, one particular school in North Carolina had their systems disabled for two weeks, with a total loss of $1.4 million.
[EMOTET is the] world's most dangerous malware
Europol
Over time, social leaks such as the botmaster’s oversharing on their Twitter accounts ultimately helped to identify them. Since then, law enforcement and cybersecurity organizations have conducted several operations to disrupt Emotet’s infrastructure, including a raid by Ukrainian police in Kharkiv, leading to temporary decreases in its activity. However, due to its resilience and adaptability, it continues to be a significant concern in the cybersecurity landscape.
3ve Botnet
Number of infected PCs: Over one million
Discovered: 2017
Taken Down: 2018
Amount of Money Stolen: $30 million
The 3ve botnet was a sophisticated ad fraud operation uncovered in 2017. It was responsible for generating fake internet traffic to manipulate digital advertising markets and defraud businesses out of millions of dollars. The botnet employed a complex infrastructure, including data centers and computers infected with malware, to simulate the activity of human users. By masquerading as legitimate users visiting websites and clicking on ads, 3ve generated fraudulent ad impressions and clicks at a massive scale. The operation was notable for its use of diverse tactics, including domain spoofing, where fraudulent domains mimicked real websites to deceive advertisers. It also leveraged advanced techniques to evade detection, such as using real-time bidding platforms to perpetrate its fraud. 3ve was dismantled through a collaborative effort. The takedown not only disrupted the botnet’s operations but also highlighted the growing challenges in combating cybercrime in the digital advertising ecosystem.
ZeroAccess
Number of Infected PCs: Over 2 million
Law enforcement: Germany, Latvia, Luxembourg, Switzerland, The Netherlands, and Europol.
Crimes: search hijacking and click fraud.
First Discovered: May 2011
The ZeroAccess botnet, first identified in May 2011, was a sophisticated and widespread form of malware that affected millions of computers globally. It primarily targeted Windows operating systems and operated as a peer-to-peer network, making it resilient against takedown efforts. ZeroAccess was designed for various malicious activities, including click fraud and Bitcoin mining, which generated significant profits for its operators. Click fraud involved the botnet generating false clicks on online advertisements, defrauding advertisers by inflating web traffic statistics. Meanwhile, the botnet’s Bitcoin mining capabilities used the infected computers’ resources to mine cryptocurrency, with the rewards funneled back to the attackers. One of the key features of ZeroAccess was its ability to hide its presence and activities, using rootkit technology to evade detection by security software. Despite several law enforcement operations aimed at disrupting it, including a notable attempt by Microsoft, Europol, and the FBI in 2013, its decentralized nature allowed it to continue operating in various forms, albeit at reduced capacity. Over the years, the botnet’s activity dwindled as cybersecurity measures improved and attention from law enforcement intensified.
Zeus
Infected Devices: 3.6 million IP addresses
Costs: $70 million
First discovered: 2007
Active Until: 2010
The Zeus botnet, also known as Zbot, is a type of malware focused on compromising Windows operating systems to perform malicious activities, primarily stealing banking information. Discovered around 2007, its main function involves logging keystrokes and capturing sensitive data from infected systems to siphon financial data. Zeus becomes particularly dangerous by distributing itself through phishing schemes, malicious attachments, drive-by downloads, and exploiting system vulnerabilities, often utilizing email spam campaigns for propagation. Operated on a decentralized architecture, Zeus facilitates communication between its command-and-control server and infected devices via encrypted channels, complicating efforts to trace and dismantle it. The impact of Zeus has been significant, leading to immense financial losses around the globe by targeting both individuals and organizations, often being linked to notorious data breaches and thefts. Over time, Zeus has evolved, spawning numerous variants such as Gameover ZeuS and Citadel, which enhance its capability to evade detection and develop additional features. Combatting Zeus has involved coordinated actions by cybersecurity firms, law enforcement, and international partners, resulting in several successful takedowns and arrests, although its derivatives continue to persist. A critical moment in its evolution was the leakage of its source code in 2011, leading to the rise of numerous new malware families inspired by Zeus, thereby amplifying the sophistication of banking Trojans. The Zeus botnet’s influence on cybersecurity underscores the need for rigorous security practices and continual collaboration in combating cybercrime.
Mariposa
Number of Infected IP addresses: 12.7 million
Estimated Profit: Unknown
Discovered: December 2008
Taken Down: December 2009
Credited Law Enforcement Contributions: Mariposa Working Group
In December 2010, it was discovered that an operator had failed to properly connect to their VPN, inadvertently revealing their home location in Bilbao, Spain. This incident involved approximately 12.7 million IP addresses, as reported by the BBC. Multi-hop VPNs, known for their global server locations, pose significant challenges for interception, as they allow data to traverse multiple countries more fluidly than governmental processes, which require negotiating political ties, obtaining warrants, and analyzing servers. By the time authorities complete these processes, the hacker has often relocated to a different jurisdiction. However, if a VPN is not activated, it greatly assists law enforcement efforts. Two months after this crucial error, authorities apprehended the hackers behind the command and control operations. Additionally, in December 2009, the Mariposa Working Group successfully gained control of the Mariposa botnet by taking over its command and control servers. The hacker, known as Netkairo, attempted to reclaim control of the botnet. During one of these efforts, Netkairo mistakenly connected to the botnet using their home IP address instead of the VPN, thereby exposing their location.
The 911 S5 Botnet
Number of Devices infected by 911 S5 Botnet: 19 million (613,418 in the United States)
Estimated Botnet Profit for Command and Control Hacker: $99 million
Estimated Botnet Profit for Affiliated Criminals: $5.9 billion confirmed
Active From: 2014
Taken Down: 2024
Scope: Worldwide.
Credited Law Enforcement Contributions: United States, Singapore, Thailand, and Germany.
In May 2024, authorities successfully dismantled the massive 911 S5 botnet, believed to be one of the world’s largest cybercrime networks, infecting over 19 million devices globally. The operation, led by the FBI with international cooperation, resulted in the arrest of Yunhe Wang in Singapore, the alleged mastermind behind the botnet.
The botnet, active between 2014 and 2024, was primarily used for a range of illicit activities, including large-scale financial fraud, and identity theft. It hijacked residential computers, which were then sold to cybercriminals who exploited the compromised IP addresses to commit crimes while concealing their identities. One of the most notable instances was the fraudulent use of the botnet to file 560,000 false unemployment claims during the pandemic, resulting in over $5.9 billion in losses to U.S. relief programs.
Wang made nearly $100 million from selling access to the botnet and used these proceeds to acquire luxury assets, including properties across multiple countries, high-end vehicles, and luxury watches. The botnet’s infrastructure spanned around 150 dedicated servers globally, which Wang used to manage the network of infected devices. His arrest and the botnet’s takedown mark a significant victory in the fight against cybercrime. At the time of print, it was considered by the FBI to be the world’s largest ever botnet.
The 911 S5 Botnet - likely the world's largest botnet ever
FBI