Botnet taxonomy


Above: An example of basic botnet structure: a central node sending signals to several infected computers.
Botnets take many forms based on their sophistication and purpose. This section will serve as an introduction to the types of botnets that I have encountered.

A botnet usually consists of a central or "master" computer from which a person or piece of code (a botnet operator) transmits commands remotely to a series of infected computers that they can control.

Daisy Chain

Daisy chain networks usually consist of a series of bots chained together. They each act in sequence, retweeting or posting the last bot's content. The daisy chain is one of the more uncommon networks because it isn't terribly effective. The single actions don't allow any one post to become popular, and popularity is what could help the content reach real people. Instead, the content is repeated over the same network, which makes the bots obvious and minimizes their potential reach.

Central Node

This is the most common structure for a social media botnet. The fraudulent accounts are directed to like or retweet a post in an attempt to make it go viral. The flood of activity can fool recommendation algorithms into showing the post to more people, giving it a chance to stand out. These bot interactions typically end with one interaction because these bots don't have reach in the community. No one is checking the bots' latest posts and eagerly responding. The money or effort spent on these interactions isn't nearly as effective as authentic traffic.

Central Node and second node

This is slightly more effective. The botnet is divided into two sections: primary accounts that appear more authentic, and secondary accounts that are more cheaply made. The primary accounts interact with the given post, and the secondary accounts like or retweet the primary accounts. As a result, the botnet can pretend to have reach and longevity.

Knot

This technique is used in disinformation and amplification campaigns. A collection of bots all interact with each other, creating an echo chamber. Then, when they interact with real people who share their ideals, especially if those ideals are political, they stand a chance of being accepted as helpful to the cause. They reliably share content and may ask others to do the same, roping real accounts into their echo chamber. Because they appear to be integrated within the group, recommendation algorithms then promote their content throughout the community. This type of scheme takes a certain amount of finesse and time that typically only state-sponsored programs or ideologically motivated bot makers possess.

Like-Like

This kind of strategy looks similar to the primary node except it has two target nodes. Why? Simple: say account A and account B share the same niche (e.g. a Gen Z makeup guru, a wellness influencer mom, etc.), and account A really needs to tie their brand to the more popular account B. The fraudulent accounts will follow B, establish themselves as accounts that love that content, and then begin following account A. This tells the algorithm that people who like B's content will like A's as well. A gets their content recommended to B's audience by gaming the algorithm. This is a fairly established way of making a botnet work for influencers because bots that start by following popular accounts in a niche aren't flagged; plenty of people do that when they get an account. These interactions help to make them appear more like a person and pave the way for them to blend in with authentic accounts.
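
As an added illustration (not part of the original page), the five shapes described above can be told apart from the interaction graph of a suspected cluster. The sketch assumes each edge is an (actor, target) pair meaning the actor liked, retweeted or followed the target; the function name, the 0.6 density cutoff and the sample clusters are constructed for this example.

```python
from collections import defaultdict

KNOT_DENSITY = 0.6  # assumed cutoff: share of possible directed pairs that exist

def classify_cluster(edges):
    """Label (actor, target) amplification edges with one of the five shapes."""
    edges = {(a, t) for a, t in edges if a != t}
    out, inc = defaultdict(set), defaultdict(set)
    for actor, target in edges:
        out[actor].add(target)
        inc[target].add(actor)
    nodes = set(out) | set(inc)
    n = len(nodes)
    if n < 3:
        return "too small"
    sinks = {v for v in nodes if not out[v]}  # accounts that only receive
    actors = nodes - sinks
    if len(edges) / (n * (n - 1)) >= KNOT_DENSITY:  # echo chamber: dense graph
        return "knot"
    # Daisy chain: one directed path, each bot repeating the previous bot.
    heads = [v for v in nodes if not inc[v]]
    if len(heads) == 1 and all(len(out[v]) <= 1 and len(inc[v]) <= 1 for v in nodes):
        cur, seen = heads[0], 1
        while out[cur]:
            cur, seen = next(iter(out[cur])), seen + 1
        if seen == n:
            return "daisy chain"
    # Central node: every actor touches the single target and nothing else.
    if len(sinks) == 1 and all(out[v] == sinks for v in actors):
        return "central node"
    # Like-Like: every actor is tied to the same two targets (A and B).
    if len(sinks) == 2 and all(out[v] == sinks for v in actors):
        return "like-like"
    # Central node and second node: secondaries amplify primaries only.
    if len(sinks) == 1:
        primaries = inc[next(iter(sinks))]
        secondaries = actors - primaries
        if (secondaries and all(out[v] == sinks for v in primaries)
                and all(out[v] <= primaries for v in secondaries)):
            return "central node and second node"
    return "unclassified"

SAMPLES = {  # constructed sample clusters, not real accounts
    "chain": [("b2", "b1"), ("b3", "b2"), ("b4", "b3")],
    "star": [("b1", "post"), ("b2", "post"), ("b3", "post")],
    "tiers": [("p1", "post"), ("p2", "post"), ("s1", "p1"), ("s2", "p1"), ("s3", "p2")],
    "knot": [(a, b) for a in "wxyz" for b in "wxyz" if a != b],
    "pair": [(b, t) for b in ("b1", "b2", "b3") for t in ("A", "B")],
}
```

Real clusters are noisier than these shapes, so a label from this kind of check is a starting point for manual review of the accounts rather than a verdict.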