The 8 biggest botnets of all time

Botnets have now become mainstream cyberattack tools. These malicious networks of enslaved devices are behind assaults that run the gamut from identity theft and malware promotion to all sorts of DDoS attacks and click fraud. The silver lining is that the underlying malware is usually easy to eradicate – all it takes is a garden-variety antivirus app.

However, if a competent adversary steps in, the damage can reach mind-boggling heights and the remediation process is extremely tedious. In this article, I will focus on such sophisticated botnets, some of which are still up and running at the time of writing.

So, let’s dive right in.


  • Category: banking Trojan
  • Life span: 2007 – the present day
  • Infected computers: over 13 million
  • Distribution: exploit kits, spam
  • Geographic coverage: 196 countries
  • Financial impact: at least $120 million

The prevalence of this banking Trojan is demonstrated by the fact that it was once America's most wanted botnet. At its peak, it accounted for 90% of all online bank fraud incidents globally.

Criminals spread ZeuS in several different ways. In 2009, for instance, one of the gangs involved in its distribution orchestrated a massive rogue email campaign delivering ZeuS via the Pushdo spam botnet. According to rough estimates, at least 3.6 million computers were infected in the U.S. alone. Overall, ZeuS has plagued more than 13 million machines around the world since it debuted.

In the fall of 2011, ZeuS got peer-to-peer features designed for code updates and based on the Kademlia protocol. Because the associated script was named gameover.php, researchers dubbed this iteration GameOver ZeuS.

ZeuS attack remediation is easier said than done. It leverages polymorphic encryption to successfully slip below the radar of antiviruses. It also infects multiple files and gets regular updates to hamper removal. Under the circumstances, the most effective cure is to reinstall the contaminated system.


  • Category: email worm for spam and DDoS
  • Life span: 2007-2008
  • Infected computers: about 2 million
  • Distribution: spam

Storm was first spotted in 2007. In its early days, it was doing the rounds via spam containing videos of destruction caused by a recent weather calamity in Europe. 

Storm was arguably the most sophisticated malware at the time. It boasted a decentralized P2P control system based on the Overnet protocol. Server-side polymorphism was one more hi-tech characteristic of this predatory entity.

In July 2007, when the botnet was in full swing, it generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It promoted knockoff drugs, for the most part.

The botnet was defending its resources against overly curious researchers in quite a brutal way. When its operators discovered that the same IP address was repeatedly attempting to download bot updates (which is a common tactic employed by antivirus companies), they would launch a DDoS attack against that IP.

At the end of 2008, the botnet mysteriously vanished from the threat landscape. According to a popular theory, the Storm campaign was disrupted by security researchers.


  • Category: Trojan/worm
  • Life span: 2009-2011
  • Infected computers: 12 million + 11 million (two outbreaks)
  • Distribution: pirated software, USB thumb drives, P2P networks, MSN messenger
  • Geographic coverage: 190 countries

The Mariposa botnet ("butterfly" in Spanish) emerged in 2009 and was based on the code of the Palevo worm. According to the estimates of Panda Labs, the computer count in this gigantic botnet reached 12 million.

One of the typical distribution mechanisms involved infected flash drives, which were still using the autorun.inf routine back then. Mariposa was primarily aimed at perpetrating online scams and mounting DDoS attacks. It was also stealing credentials for victims’ personal accounts so that its operators could sell them on the Dark Web.

The Mariposa campaign ended in December 2009 after researchers and law enforcement agencies pinpointed and seized the underlying Command & Control servers in Spain. According to official reports, the botnet enabled its authors to steal personal data belonging to more than 800,000 people in 190 countries.


  • Category: Trojan downloader, spamming malware, coin miner
  • Life span: 2011-2013
  • Infected computers: 9 million
  • Distribution: exploit kits

ZeroAccess was first seen in the wild in 2011. Security analysts came across an offbeat malware sample in a rootkit driver, which included the following string of code: F:\VC5\release\ZeroAccess.pdb. This explains the origin of the Trojan’s name.

An unorthodox feature of ZeroAccess was that it used a “decoy” tactic to pull the plug on antivirus software running on infected systems. In addition to its main rootkit module, the bot had an extra kernel driver to create the bait, a dummy entity that would invoke a straightforward response of popular security tools. If an application took the bait, ZeroAccess would terminate its executable by injecting code that triggered the ExitProcess() command.

According to Sophos, the number of contaminated machines reached 9 million by the end of summer 2012, with the range of active infections exceeding a million systems. This was the peak of the ZeroAccess campaign.

In December 2013, experts at Microsoft teamed up with law enforcement agencies from different countries to take down the digital infrastructure behind ZeroAccess. As a result of these collaborative efforts, the Command & Control servers were seized, and the botnet came to a halt.


  • Category: banking Trojan
  • Life span: 2011 – the present day
  • Infected computers: unknown
  • Distribution: spam, social engineering, booby-trapped freeware

Dridex (also referred to as Cridex) splashed onto the scene around September 2011. At the time of discovery, the bot was capable of using web injection techniques to steal money from Internet users. It could also infect USB thumb drives, and therefore it was initially tracked as a worm rather than a Trojan.

This dodgy network was rapidly evolving, and its operators appeared to use proper operations security (OPSEC) practices, and yet the police chased down and arrested one of the Dridex administrators on August 28, 2015. Some subnets disappeared from the network in the aftermath of this move. However, not only did they make a comeback shortly afterward, but they also spawned new ones.

An interesting version of Dridex was spotted in early 2017 and has since been active. It complicates the analysis of new samples because the loaders only function for a couple of days.

Most victims are based in Europe, with the vast majority of infection cases recorded in the UK, followed by Germany and France. Dridex ignores computers localized in Russia – its C&C servers do not respond to requests from Russian IPs.


  • Category: banking Trojan, malware loader
  • Life span: 2014 – the present day
  • Infected computers: unknown
  • Distribution: social engineering, spam

Emotet is another sophisticated banking Trojan. Its early versions only stole financial records relating to a few banks, but it has evolved dramatically over time. It is now one of the three most prolific and dangerous botnets, although it has only been around for six years.

Spam is the dominating infection vector. Emotet arrives with emails that contain a malicious attachment laced with a Microsoft Office macro. Although the macro is not executed automatically, the attackers use social engineering tricks to lure the victim into running it.

In 2017, the crooks repurposed this botnet so that it mainly acts as a loader for other malicious applications. For instance, Emotet often operates in tandem with the notorious enterprise-targeting ransomware called Ryuk.

In 2020, researchers unveiled a new feature of Emotet: it exhibits worm-like characteristics by hacking poorly secured Wi-Fi networks and self-replicating inside them.

As far as the propagation geography goes, the hardest-hit countries are Germany, the U.S., India, and Russia. China, Italy, and Poland are on the list of heavily “torpedoed” countries as well. Emotet is still going strong in 2020, and so the big picture is constantly changing.


  • Category: click fraud botnet
  • Life span: 2013-2018
  • Infected computers: about 2 million
  • Distribution: social engineering, spam
  • Financial impact: $30 million

This one represents the cluster of click fraud botnets. 3ve ("Eve") did not steal financial records – instead, it imitated human clicks on tons of ads displayed on junk sites. Of course, this activity was covert, and the user was not likely to notice anything fishy going on. The malicious code also included complex AV evasion mechanisms to stay undetected and bring its proprietors a maximum profit. 

The criminals slipped up in 2018 when they started faking Border Gateway Protocol (BGP) communications and tried to obfuscate fraudulent activity by using ranges of IP addresses that belonged to real clients.

The botnet was shut down due to the joint efforts of the FBI, Google, Amazon, ESET, Adobe, and Malwarebytes. The foul play was attributed to eight individuals, with 13 criminal cases opened during the investigation. Researchers estimate the malefactors’ earnings at about $30 million.


  • Category: DDoS botnet
  • Life span: 2016 – the present day
  • Infected devices: at least 560,000
  • Distribution: brute-force attacks

Mirai is the king of botnets that zero in on IoT devices. Although it came to a standstill a while ago, its numerous spin-offs continue to give white hats a hard time. First spotted in 2016, it rapidly subdued an army of smart home appliances and other connected devices that used weak passwords.

This botnet was masterminded by students who probably bore a grudge against their university and decided to shell it with DDoS attacks. However, their plot got out of hand at some point, and now Mirai is the largest IoT botnet out there, considering all of its clones. The number of botnets based on it - and its near replicas - has exceeded a hundred and keeps growing.

In October 2016, Mirai was used to mount a hefty attack against Dyn, a high-profile DNS provider. Criminals swamped multiple servers around the world, which temporarily disrupted such services as Twitter, GitHub, and Spotify. Although the attack weaponized only about 100,000 thousand IoT devices, it generated an impressive traffic flood exceeding 1Tbps.

The bottom line

Powerful botnets come and go. As soon as information security professionals and law enforcement agencies shut down a botnet, it is superseded by a new, possibly much more dangerous one. For the average user, the main takeaway from this wicked trend is that password hygiene and timely operating system updates are now more important than ever. These simple precautions can prevent a computer, a router, or smart devices from joining a network operated by cybercrooks.


prefix 2 years ago
If botnets get more dangerous and are created every time we shut one down, why not just leave them alone and improve our defenses? I know the answer; the writing implies a connection between shutting them down and new ones, and the danger level, but there is no such connection. Criminals will create new and more dangerous botnets even if we don't shut down the current ones, so we must shut them down as fast as possible and prevent making new ones.
Leave a Reply

Your email address will not be published. Required fields are markedmarked