The “boom” of the internet and the massive increase in the use of e-mail created ideal conditions for the appearance of botnets. In fact, as you will see below, most of the botnets detected to date are somehow related to sending enormous amounts of e-mail, especially spam. Be aware that the estimated numbers of bots presented below are just that, estimates, because in some countries it is common for users to change their IP address several times a day.


2004


Bagle

Est. no of bots: 230 000

Bagle (also known as Beagle) is a mass-mailing computer worm affecting all versions of Microsoft Windows. Bagle uses its own SMTP engine to mass-mail itself as an attachment to recipients. It copies itself to the Windows system directory and opens a backdoor.

2006


Rustock

Est. no of bots: 150 000

Rustock botnet consisted of computers running Microsoft Windows and was capable of sending up to 25,000 spam messages per hour from an infected PC. To increase the size of the botnet it would use self-propagation by sending malicious e-mails with a trojan which would incorporate the targeted machine into the botnet.

2007


Akbot

Est. no of bots: 1 300 000

Akbot is an IRC-controlled backdoor program that allows an outside user to take control of the infected computer. It operates by joining IRC servers and then waiting for further instructions. Once installed, Akbot can be used to gather data, kill processes, or perform DDoS attacks.

Cutwail

Est. no of bots: 1 500 000

The Cutwail botnet is mostly involved in sending spam e-mails. Typically, it uses a Trojan component called Pushdo to infect a machine. It affects computers running Microsoft Windows.

Srizbi

Est. no of bots: 450 000

The Srizbi botnet is mainly involved in sending spam e-mails. It infects computers with the Srizbi trojan, which allows spam to be sent on command.

2008


Mariposa

Est. no of bots: 12 000 000

The Mariposa botnet is a botnet mainly involved in cyberscamming and denial of service attacks. It is one of the largest known botnets with up to 12 million unique IP addresses.

Sality

Est. no of bots: 1 000 000

Sality is a family of malicious software which infects files on Microsoft Windows systems. Machines infected with Sality are able to communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking).

Conficker

Est. no of bots: 10 500 000+

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system. The botnet uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate itself.

Grum

Est. no of bots: 560 000

The Grum botnet, also known by its aliases Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. It relies on two types of control servers for its operation. One type is used to push configuration updates to the infected computers, and the other is used to tell the botnet what spam e-mails to send.

2009


BredoLab

Est. no of bots: 30 000 000

The BredoLab Botnet, also known by its alias Oficla, was a botnet mostly involved in viral e-mail spam.

2010


Kelihos

Est. no of bots: 300 000+

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in the theft of bitcoins and spamming.

TDL-4

Est. no of bots: 4 500 000+

TDL-4 is a botnet and the name of the rootkit that runs the botnet (also known as Alureon). It infects the master boot record of the target machine, making it harder to detect and remove.

2011


Ramnit

Est. no of bots: 3 000 000

Ramnit is a computer worm affecting the Windows operating system. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015.

ZeroAccess

Est. no of bots: 2 000 000

ZeroAccess, also known as Max++ and/or Sirefef, is a botnet mostly involved in bitcoin mining and click fraud. It uses a Trojan horse computer malware that affects Microsoft Windows operating systems and downloads other malware on an infected machine while remaining hidden by using rootkit techniques.

2012


Nitol

Est. no of bots: unknown

The Nitol botnet is mostly involved in spreading malware and distributed denial-of-service attacks. The botnet is mostly prevalent in China, where an estimated 85% of the infections are detected. It was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process.

2014


Semalt (aka Soundfrost)

Est. no of bots: 300 000+

Semalt is a botnet mainly involved in sending spam e-mails. It visits random websites to generate referrals and spies on users' browsing habits.


This list demonstrates that there have been several botnets that were able to reach a large size, infecting thousands (or even millions) of machines. Most of the botnets presented were related to sending spam, but it is also noticeable that there has been an evolution and they tend to do more than just that. Botnets have also become more complex, making them harder to dismantle.